MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51d5a73c72f75f984194346b8a9e77fad48059295de86f339c9a092b0d51c9ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51d5a73c72f75f984194346b8a9e77fad48059295de86f339c9a092b0d51c9ab
SHA3-384 hash: d35af2c6da38553258cd6664cd651ac8518a03581dfbbb165ae8be46ca48f70323ceef66491ea9c3b6922c38539ea7e0
SHA1 hash: 4e52d5d3f90588c948947ca6f52923df78b08e03
MD5 hash: dbe65375184221d89d3983a4502e02e7
humanhash: high-beer-sodium-bravo
File name:dbe65375184221d89d3983a4502e02e7.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'477'408 bytes
First seen:2022-09-13 07:02:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:OAOcZyFjJrDqL1P9PO/2QXDKt19YhvrpxAD4b4kImp/AwL:0Dr+LjFQTKFkbADWjAM
Threatray 2'539 similar samples on MalwareBazaar
TLSH T19965E061FB50E87EE822A035D421E4F42AB37C30D954D61F6A9C3D5EB672342212DB6F
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e886290d69638fed (2 x AgentTesla, 2 x NetWire, 1 x Loki)
Reporter abuse_ch
Tags:exe NetWire RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309651/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Adding an access-denied ACE
Launching a process
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37529/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63202c01a90642bcbb0abdf8/reports/1a7f34e0-86e9-4a5c-8235-cdfc228b7bc2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9d2bd614-0061-4e51-836d-ab836947577e
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1069288
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected Netwire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/51d5a73c72f75f984194346b8a9e77fad48059295de86f339c9a092b0d51c9ab/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-09-10 18:23:08 UTC
File Type:
PE (Exe)
Extracted files:
133
AV detection:
26 of 40 (65.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=khk2opds65pzqqmugrvyvhtx7lkiawjjlxug6m44tieswdkrzgvq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0758171eb92e029d38cef3237e2cdd899827cdeeb3386761933254981b707809
NetWire
1d8d1ed93e2bb02931e7184988ad25b149d75beaaf5c4604144aef7981352109
NetWire
508363ac23d75a1e265f6ba9dc64f3fe227ec361f8ebfa21d03bbed7a2c878c0
NetWire
6d833bd671f179c8dfdf89aac0bc77cd7bb49f82a98cbf5d8122a9d47fa98e9f
NetWire
7d099dcd6d912e29120d1eca72f100724fa776e8a1f80b22fbb52e6de905d324
NetWire
7d5b8247af6bdab3596d584004f713d9b8d4cfaa9b3235d76770cbcb60156a9a
NetWire
a97278750b1c8339b6fc7601434b733174ec05d6bd5dbde44a2a98ca6951f183
NetWire
aa005608adb8e7e3c775383f20f2608164056713bcbb92d0ec5c99994d8af750
NetWire
f44204e826a1b7fc6ce46ba2bc2eff5f77c0d525f87f40dcc2fe363c8491ab2f
NetWire
+ 2'529 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/220913-hvd3zafaa6/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
212.193.30.230:3363
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/af0cbe30-b5e2-4294-a3d5-02d41e4c4d88
Unpacked files
SH256 hash:
86000159d2b79876904441ddf210528f1d4644c94e929bcd10a33edfe1ea3f09
MD5 hash:
2d0f9ee4c1096f728000e5c17e40233e
SHA1 hash:
a03dee37714e98571153a3279ca00b0e3124f869
Detections:
Netwire
Create hunting rule
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/37db416b-4d01-434c-a853-a809f3fa046d/
SH256 hash:
f32beea398c02e2c9d94a63a9f510a42683b031a4f1d88938716be07125bceeb
MD5 hash:
6947ab11357d716295c1a79829008599
SHA1 hash:
c14319800b4ca0e36b66a4c93c13b016c331d70e
Link:
https://www.unpac.me/results/37db416b-4d01-434c-a853-a809f3fa046d/
SH256 hash:
51d5a73c72f75f984194346b8a9e77fad48059295de86f339c9a092b0d51c9ab
MD5 hash:
dbe65375184221d89d3983a4502e02e7
SHA1 hash:
4e52d5d3f90588c948947ca6f52923df78b08e03
Link:
https://www.unpac.me/results/37db416b-4d01-434c-a853-a809f3fa046d/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/51d5a73c72f7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51d5a73c72f75f984194346b8a9e77fad48059295de86f339c9a092b0d51c9ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:malware_netwire_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:netwire
Create hunting rule
Author:jeFF0Falltrades
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe 51d5a73c72f75f984194346b8a9e77fad48059295de86f339c9a092b0d51c9ab

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2229744/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/309651/

Comments