MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c9ca0c4c5eb0311f24580bebc70d9332644c0fa063f76f0c0bc76c61509c989. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetWire


Vendor detections: 13



SHA256 hash: 4c9ca0c4c5eb0311f24580bebc70d9332644c0fa063f76f0c0bc76c61509c989
SHA3-384 hash: ac72a6a9a65274cb11efb5ab06b738f45f3e93fed58928f8f28c91f8991833481c490bdee22908a4770b4d111a849184
SHA1 hash: 917d936547ccd021044323799d60675bc9ecc87b
MD5 hash: 77925a3c7ce75a1af4825abb3c8e79b9
humanhash: mexico-pip-uniform-mockingbird
File name: 77925a3c7ce75a1af4825abb3c8e79b9.exe
Signature: NetWire
File size: 929'280 bytes
First seen: 2022-11-27 12:35:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5e4f4986e13f6caa92e648bff9c67e88 (2 x ModiLoader, 1 x AveMariaRAT, 1 x NetWire)
ssdeep: 12288:qV2cbnbazcd5JluSVVvkYhrN+kviTqTdTB2O4rwSMpxwhxStU:q4cnOcd53uSVVJRskvQq5oOqLM2xSS
TLSH: T14D156C23AE90E537E776147F780B86A549157E202CE7AC3636DEFE2C5D3BB01351A122
TrID: 40.4% (.EXE) InstallShield setup (43053/19/16)
      13.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      12.3% (.SCR) Windows screen saver (13097/50/3)
      9.8% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
dhash icon: 74f4e4ccc2c2c4d4 (2 x DBatLoader, 1 x Hive, 1 x ModiLoader)
Reporter: abuse_ch
Tags: exe NetWire RAT


abuse_ch
NetWire C2:
151.80.223.229:64218

Intelligence


File Origin
# of uploads: 1
# of downloads: 374
Origin country: n/a

Vendor Threat Intelligence
Malware family: netwire
ID: 1
File name: 77925a3c7ce75a1af4825abb3c8e79b9.exe
Verdict: Malicious activity
Analysis date: 2022-11-27 12:36:35 UTC
Tags: installer trojan rat netwire

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
DNS request
Launching cmd.exe command interpreter
Launching a process

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 50%
Tags: evasive keylogger shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: NetWire
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph (ID 754624; sample X1Irpwl2n0.exe; start date 27/11/2022; architecture WINDOWS; score 100), rebuilt as a process tree from the flattened graph labels (node numbers kept to tell the several cmd.exe and powershell.exe instances apart):

Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 8 other signatures

X1Irpwl2n0.exe (node 10, started from the sample)
  Dropped: C:\Users\Public\Libraries\netutils.dll (PE32+); C:\Users\Public\Libraries\easinvoker.exe (PE32+); C:\Users\Public\Libraries\Grisnzaq.exe (PE32); 2 other malicious files
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
  Started: cmd.exe (node 16); cmd.exe (node 19); colorcpl.exe (node 21)
  cmd.exe (node 16)
    Signatures: Uses ping.exe to sleep; Drops executables to the windows directory (C:\Windows) and starts them
    Started: easinvoker.exe (node 27); PING.EXE (node 29); xcopy.exe (node 32); 6 other processes (node 39)
    easinvoker.exe (node 27)
      Started: cmd.exe (node 41)
      cmd.exe (node 41)
        Signatures: Suspicious powershell command line found; Adds a directory exclusion to Windows Defender
        Started: powershell.exe (node 44); conhost.exe
        powershell.exe (node 44)
          Network: 192.168.2.1 (unknown)
          Signatures: DLL side loading technique detected
          Started: conhost.exe
    PING.EXE (node 29)
      Network: 127.0.0.1 (unknown)
    xcopy.exe (node 32)
      Dropped: C:\Windows \System32\easinvoker.exe (PE32+)
    6 other processes (node 39)
      Dropped: C:\Windows \System32\netutils.dll (PE32+)
  cmd.exe (node 19)
    Signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy; Uses ping.exe to check the status of other devices and networks
    Started: powershell.exe (node 35); conhost.exe
    powershell.exe (node 35)
      Network: googlehosted.l.googleusercontent.com 172.217.168.1:443 (GOOGLEUS, United States); drive.google.com 172.217.168.46:443 (GOOGLEUS, United States); doc-0k-9k-docs.googleusercontent.com
      Dropped: C:\Users\Public\Libraries\png (data)
  colorcpl.exe (node 21)
    Network: pentester0.accesscam.org 151.80.223.229, ports 49701 and 64218 (OVHFR, Italy)
    Dropped: C:\Users\user\AppData\Roaming\...\sqlite3.dll (PE32)
    Signatures: DLL side loading technique detected

Grisnzaq.exe (node 14, started from the sample)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Started: colorcpl.exe (node 25)
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2022-11-22 09:21:23 UTC
File Type: PE (Exe)
Extracted files: 137
AV detection: 27 of 41 (65.85%)
Threat level: 5/5
Verdict: malicious
Label(s): netwirerc

Result
Malware family: netwire
Score: 10/10
Tags: family:modiloader family:netwire botnet persistence rat stealer trojan
Behaviour
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
  pentester0.accesscam.org:64218
  pentester01.duckdns.org:61869
Dropper Extraction:
  https://drive.google.com/uc?export=download&id=1PksM23A8aU7qPKq3X9w8p0J_pEGTnfxf

Verdict: Informative
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.
