MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 508363ac23d75a1e265f6ba9dc64f3fe227ec361f8ebfa21d03bbed7a2c878c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 508363ac23d75a1e265f6ba9dc64f3fe227ec361f8ebfa21d03bbed7a2c878c0
SHA3-384 hash: 8746df5e62101a48a8cefa7cc624d9f915b2326b86f2db3432565b480fd74ec467036bca785e5dbff152381d8728084a
SHA1 hash: 12dab64dd13e2f6c02c9639e6d88deeadcedcccd
MD5 hash: ea0126d07ca352687cd80de06cbcb6f7
humanhash: paris-autumn-early-friend
File name:Request For Quotation.scr
Download: download sample
Signature NetWire
Create hunting rule
File size:1'274'041 bytes
First seen:2021-08-05 15:07:52 UTC
Last seen:2021-08-07 01:48:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:AAOcZwdf+OD0+Oxbuk8E33NtEFd9imt3fO+veij:efOxbuhs4zj
Threatray 745 similar samples on MalwareBazaar
TLSH T12745E043E341C4B6D07A0730C5975BF07EB6AD30DB62961B9BA07E2DBD723906E21B91
dhash icon 0303c30b33313163 (3 x NetWire, 1 x NanoCore)
Reporter malwarelabnet
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
538
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request For Quotation.scr
Verdict:
Malicious activity
Analysis date:
2021-08-05 15:10:50 UTC
Tags:
trojan netwire rat
Link:
https://app.any.run/tasks/260d779e-a38f-45e7-a5ba-ff9659db10a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176689/
Detection(s):
Win.Dropper.Tpyn-9800377-0
Create hunting rule

Win.Malware.Qshell-9875653-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Adding an access-denied ACE
Launching a process
Connection attempt to an infection source
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f01c94c-a968-4dc2-9e8a-32fe7eaa7833
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827567
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Drops PE files with a suspicious file extension
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/508363ac23d75a1e265f6ba9dc64f3fe227ec361f8ebfa21d03bbed7a2c878c0/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 12:55:38 UTC
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kcbwhlbd25nb4js7nou5yzht7yrh5q3b7dv7uioqho7npiwipdaa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
01d06f60795cc63acabaa25c87909e436a7160a172e59c22f341ebad725998b2
NetWire
261ffb59e6589589525b96e900bf69a30ae9bce1ce1ce6cc6542c32a1eeebf08
NetWire
362ae494bfed3fd5e8137a652139777f3a986bf63fbcd17e74bb9c1f0e2cd500
NetWire
37e7b7329552ca9f6ab3233ebe1d8ab96c4385b941b31a21ea43c4c2b85fca61
NetWire
785b415f9df4411c2af809c0982f54a073281e2781db7c4ab26d69208e68a384
NetWire
86c92d4b2244153a1f601168307d0c60f413631574d9c0ed3fe4c6fa890d6c26
NetWire
d4288c3aa0a21e8b20e37255358a04546708892d1cba5a93707a3c3586c6eae5
NetWire
dc8b1aa91228f69edb8b71fafd9231f6d6d55d50ea17e3a845a3014e419cdb60
NetWire
ef54c64675efe225373ef855f19283a950e4be09769a6cfeffb4ff4987ee2179
NetWire
fc1fbab23528029108a690e17c533f4c5de405b84159d95ef976bbae3fbead7e
NetWire
+ 735 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:nanocore family:netwire botnet keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210805-l7r94nj6w6/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
NanoCore
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
harold.ns01.info:3606
Unpacked files
SH256 hash:
688258486b8e46cec7c603a540cce28584658f80c4881a0fdcd22dd3b04a0851
MD5 hash:
60997a5edb7a9473f154bd05549c9e25
SHA1 hash:
3f82513db6231684538e2e5c08c15997b8df3ba6
Detections:
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/81c788a2-73af-47ca-b035-7072f8228388/
SH256 hash:
50f0730517fcc5ae40cdeac80e003eb37853da8305e3777fdfcf28c818c275eb
MD5 hash:
70699ade97950af87fb12a8951c611ac
SHA1 hash:
5fea141a1119a7911f04a9a4436b65d8478ad707
Link:
https://www.unpac.me/results/81c788a2-73af-47ca-b035-7072f8228388/
SH256 hash:
508363ac23d75a1e265f6ba9dc64f3fe227ec361f8ebfa21d03bbed7a2c878c0
MD5 hash:
ea0126d07ca352687cd80de06cbcb6f7
SHA1 hash:
12dab64dd13e2f6c02c9639e6d88deeadcedcccd
Link:
https://www.unpac.me/results/81c788a2-73af-47ca-b035-7072f8228388/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/508363ac23d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/508363ac23d75a1e265f6ba9dc64f3fe227ec361f8ebfa21d03bbed7a2c878c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/176689/

Comments