MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fbb41eefb0e8a99417c855038bd7c89cc3190c07e0d4b4106d8ddbcf2634774. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fbb41eefb0e8a99417c855038bd7c89cc3190c07e0d4b4106d8ddbcf2634774
SHA3-384 hash: acaec2d415dcf1b1b97eda2f1b48b4745bb5376cda6e9c3c94868364041b30f52e496fe4f10c6443793b9e6fb6b2d5cf
SHA1 hash: cb32791a07820b55ea19bc2f8fefc0d02ae9cacf
MD5 hash: da516bd5d75c0989ab8ce07d43d35c83
humanhash: rugby-neptune-steak-butter
File name:4fbb41eefb0e8a99417c855038bd7c89cc3190c07e0d4b4106d8ddbcf2634774
Download: download sample
Signature NetWire
Create hunting rule
File size:27'783'168 bytes
First seen:2021-01-31 12:59:38 UTC
Last seen:2021-01-31 14:28:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5becb8457cb69c375aa61c584223f1f7 (3 x NetWire)
ssdeep 6144:PeECaFOEnHRMH4bTkgyzIbESU/i55JXVtfym6MpI0WfuqbWLevKBri9WOj+YUPkS:POmHRMHaMO55J3fCMptARmujecGnCEL
Threatray 90 similar samples on MalwareBazaar
TLSH 2657F031FDD2C8B2F2232E300670637596B5FB336F31979B97602A9DDB65144893A362
Reporter adulau
Tags:NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
347
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4fbb41eefb0e8a99417c855038bd7c89cc3190c07e0d4b4106d8ddbcf2634774
Verdict:
Suspicious activity
Analysis date:
2021-01-31 13:01:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cdefad17-f751-43c8-8b1c-11d6c54b43a4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Result
Threat name:
Netwire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/594784
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to steal Internet Explorer form passwords
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Writes to foreign memory regions
Yara detected Netwire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4fbb41eefb0e8a99417c855038bd7c89cc3190c07e0d4b4106d8ddbcf2634774/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2019-03-22 04:21:36 UTC
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
261f13f9e6d08869b41dca972016f177e1cefada9155d806a18f590c3f487a5f
NetWire
4c1fe4c0f5d8d1277036802c83df3e083b31318dfc2c194ce93b7169d7ba6e3d
NetWire
94fa3ff2ef14ae0fcd461c89f90deae5ed6417a238ec5131ef6cb80400de0586
NetWire
982d5516b54a9ca64fa7cf03833f79f4b963504652997cba751cee2b3ff96979
NetWire
9a8b855058e1d8a31a302dfa49caa68baec7940553466f303a65c5eb032fb4e3
NetWire
a5e7773e86e1f8feacc75ced3053ac3d44af73d5b2ec72005c7ba2cd465f1ef3
NetWire
ac0ca89c2e434d4128516896f5563003a1179583181d0d1fd06754f06ab4deed
NetWire
b8fd90ea39eaa1c4f5cd065194403d851eda875f49f1de95d1f506039dc1a7ff
NetWire
c41615161da87837531dc1af5636303677156e3393109d835cbc8d1994e33218
NetWire
fcafbd4579ef27eeeea5b955b4c04f4bb74a64516e3cfd55e280bd7dd9d79750
NetWire
+ 80 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
ransomware upx
Link:
https://tria.ge/reports/210131-qvg35dapqe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetWiredRC
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4fbb41eefb0e8a99417c855038bd7c89cc3190c07e0d4b4106d8ddbcf2634774

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/114937/

Comments