MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50731cb586a4c601689830828025729a5b8663e0adb09ef6b07ff50b8ce936d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50731cb586a4c601689830828025729a5b8663e0adb09ef6b07ff50b8ce936d9
SHA3-384 hash: 5ac0f546da45543abd6c962ba3ce04e341cb7cd39fa1341305d2cf5f1a8a7cdc86a00ecbdd140055e5c337210d6a608b
SHA1 hash: 9ee34ba386cf131e7783f98bb5843fe5b7eb3e8b
MD5 hash: 0cc6bc95a31c7de29cbd6dd7d35e9671
humanhash: kansas-avocado-comet-robin
File name:SecuriteInfo.com.Artemis0CC6BC95A31C.27284
Download: download sample
Signature NetWire
Create hunting rule
File size:29'184 bytes
First seen:2020-05-04 15:42:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:m5z9oJ9uzDwAqMuGgfeb1ssgb470qUqlpgmt37csjVFQIxAGa:mZi9uHwAqMusbCe4aPLQIxk
Threatray 59 similar samples on MalwareBazaar
TLSH A6D2FB1722DEBEE5D4780A703B7B53C1C32DDE051623EA2E59D87169E93E1437A823D8
Reporter SecuriteInfoCom
Tags:NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/2775/
Detection(s):
SecuriteInfo.com.Artemis0CC6BC95A31C.27284.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Netwiredrc
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 08:23:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kbzrznmgutdac2eygcbiajlstjnymy7avwyj55vqp72qxdhjg3mq._file
Verdict:
malicious
Similar samples:
00a0100d050d944a9ffcec6964dd2b4f04e19a7e86ef5e03444824db2ca602b2
NetWire
145ad1b69242e6c7bbf57563206310d0a51aea37e996cdbd6cf26d4c93cf3c20
NetWire
16b351886f4ac80f6d1335efed1921c9887bfaf042c09fe895438d759d80084c
NetWire
1872a9eaa84a2a54125c3d8e5196f998808f808942c69192340e731a58ff971f
NetWire
19ca70210efcd08d6a96909cebb3e8cdfc941456e07893122730e5c5b344b294
NetWire
3739f1ed8aea0841da101e01354b6a80719edce7a982ff5ef86c6e291d503b9b
NetWire
5144b5507d1382c06a75118dfc3f2899701e5e1e7b5abe93734fa9a99efd3768
NetWire
77b2ce43a1a7363d6c90b9b11fc05220511a868f4f8ca72cd6cbe3219f79fbdd
NetWire
80f5cd1ba2db21fc245afe8d6e17c1db669516cf3ae5cd104733841b459e3d4f
NetWire
ae6f078b6a993e8bd82b0ac786409354d9695661b55822d04d31ef8277749e72
NetWire
+ 49 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-sycf6flb9s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe 50731cb586a4c601689830828025729a5b8663e0adb09ef6b07ff50b8ce936d9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/356921/
  
URLhaus
https://urlhaus.abuse.ch/url/357024/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/2775/

Comments