MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50050a189f878a24b57acedf046acfe5011dae30f50a21054a75fcda2947ff5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50050a189f878a24b57acedf046acfe5011dae30f50a21054a75fcda2947ff5b
SHA3-384 hash: b674140e0a4b66fcc4f1c988e2a68e9c246cf2b7a08f5e0c42762b24e88c6007e31f5363ee89711180a720b1c5916237
SHA1 hash: f69ae112b86cb0c3689a912d1812aa0413046f7f
MD5 hash: c6ab29668433ac0e7358b07d4d662cb8
humanhash: washington-nevada-happy-stairway
File name:RE- Confirmation slip.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'171'968 bytes
First seen:2022-10-31 18:05:32 UTC
Last seen:2022-10-31 20:13:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:xoVsm8OIL7VpfHZtwVHtGToWVXkw3NYkulBynmE/mZu6n0oHLU/UhMIDDovTXbgd:xoYL7zHPJV0w91ulBymEOWEY/U6WM
TLSH T16F45AE543B40E10ED5476D329C91CAF0ABE09C619E1EF2436AE67F1FB57EDA7CA101A0
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
85.209.134.105:3360

Intelligence

File Origin
# of uploads :
2
# of downloads :
475
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
RE- Confirmation slip.exe
Verdict:
Malicious activity
Analysis date:
2022-10-31 18:08:49 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/37093e63-3731-41e3-93eb-aa84de898994

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/326530/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.20126.1925.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63600e8da5db8d309cbc106b/reports/f36dcd9f-c7cf-44b5-b569-da838b4d6492/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/831adb5e-5ecb-4e16-97bd-8676c2a93544
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1101944
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Netwire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 734607 Sample: RE- Confirmation slip.exe Startdate: 31/10/2022 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 16 other signatures 2->65 7 RE- Confirmation slip.exe 7 2->7         started        11 zCcTNriul.exe 5 2->11         started        13 RE- Confirmation slip.exe 2->13         started        16 RE- Confirmation slip.exe 4 2->16         started        process3 dnsIp4 47 C:\Users\user\AppData\Roaming\zCcTNriul.exe, PE32 7->47 dropped 49 C:\Users\...\zCcTNriul.exe:Zone.Identifier, ASCII 7->49 dropped 51 C:\Users\user\AppData\Local\...\tmp9263.tmp, XML 7->51 dropped 53 C:\Users\...\RE- Confirmation slip.exe.log, ASCII 7->53 dropped 67 Adds a directory exclusion to Windows Defender 7->67 69 Injects a PE file into a foreign processes 7->69 18 RE- Confirmation slip.exe 3 7->18         started        21 powershell.exe 21 7->21         started        23 schtasks.exe 1 7->23         started        71 Antivirus detection for dropped file 11->71 73 Multi AV Scanner detection for dropped file 11->73 75 Machine Learning detection for dropped file 11->75 25 zCcTNriul.exe 11->25         started        31 3 other processes 11->31 57 192.168.2.1 unknown unknown 13->57 27 RE- Confirmation slip.exe 13->27         started        33 3 other processes 13->33 29 RE- Confirmation slip.exe 16->29         started        35 3 other processes 16->35 file5 signatures6 process7 dnsIp8 55 zonedx.ddns.net 85.209.134.105, 3360, 49684, 49685 CMCSUS Germany 18->55 37 conhost.exe 21->37         started        39 conhost.exe 23->39         started        41 conhost.exe 31->41         started        43 conhost.exe 33->43         started        45 conhost.exe 35->45         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/50050a189f878a24b57acedf046acfe5011dae30f50a21054a75fcda2947ff5b/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2022-10-31 14:33:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kacquge7q6fcjnl2z3pqi2wp4uar3lrq6ufccbkkox6nukkh75nq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/221031-wpq28sbfe8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
zonedx.ddns.net:3360
85.209.134.105:3360
Unpacked files
SH256 hash:
5c2b68483d65500837cf5b2dace58cd7f0d05aea67d9449ce8815acd410dc860
MD5 hash:
7d9a68932dede9c4f855c64320f12a94
SHA1 hash:
8fcb9438bff24770ec074a166cd77c19074636cc
Detections:
Netwire
Create hunting rule
win_netwire_auto
Create hunting rule
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/2d6e9f5a-209d-4376-818c-15ba1c2dc305/
SH256 hash:
ae4d0de512779623a16ca3ac422b08ce00c0aa26cab5ff98dcf02580e5cf1b7f
MD5 hash:
01fd12f47c0882f5efa34bb7186faa8e
SHA1 hash:
6fc320c494fa4f8c2a3320205d096c137472d02a
Link:
https://www.unpac.me/results/2d6e9f5a-209d-4376-818c-15ba1c2dc305/
SH256 hash:
7fa3720c44b7b46ea0f1d0e9aa6b164e196ee0f8d7c79bcd282f5b86cd41c7bd
MD5 hash:
210cf57aa172b201b77e52b991801662
SHA1 hash:
4556fe5ddde7b9706ae33ad40c56fe0f269c8b77
Link:
https://www.unpac.me/results/2d6e9f5a-209d-4376-818c-15ba1c2dc305/
SH256 hash:
744928a56b4d36f17e73eea0534c5e99103d1553d5b0a864a6fd9d4f9899b47f
MD5 hash:
91fed5db1afcdf48e0cd6d4058a013ba
SHA1 hash:
3717b3346e25d3f66f00626ad1a771d8655f485f
Link:
https://www.unpac.me/results/2d6e9f5a-209d-4376-818c-15ba1c2dc305/
SH256 hash:
334d8655d1d0c4c027e92c4ca64f1c86e0bb0e8d44ba7c973602bed75a8ed8c6
MD5 hash:
2bcff32b2aafd90fc03f9ce2f7abc1a6
SHA1 hash:
16223a9c8d159a2a17fbcaa78a78d3f9b41df13b
Link:
https://www.unpac.me/results/2d6e9f5a-209d-4376-818c-15ba1c2dc305/
SH256 hash:
50050a189f878a24b57acedf046acfe5011dae30f50a21054a75fcda2947ff5b
MD5 hash:
c6ab29668433ac0e7358b07d4d662cb8
SHA1 hash:
f69ae112b86cb0c3689a912d1812aa0413046f7f
Link:
https://www.unpac.me/results/2d6e9f5a-209d-4376-818c-15ba1c2dc305/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/50050a189f87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/50050a189f878a24b57acedf046acfe5011dae30f50a21054a75fcda2947ff5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/326530/

Comments