MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53e50cd638abfb79fd2e29d0b2c39305c937852b1c314b06358b37d73bd31e98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53e50cd638abfb79fd2e29d0b2c39305c937852b1c314b06358b37d73bd31e98
SHA3-384 hash: d7de5ec09cabb6a54cdf2a0500dfb8eb4edbf15fe218ec9a33400ece1cc99e3e2fae4600928e5c7b5eeb5520bb8b99ed
SHA1 hash: ffd772ea71bc69582c57f03cebc32b1fc4d39083
MD5 hash: 60324306cb83ad2ab8192344f1b15e44
humanhash: louisiana-sodium-december-december
File name:60324306cb83ad2ab8192344f1b15e44.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:747'008 bytes
First seen:2021-12-30 23:15:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 99937d85363a3c33a12be9c7a06b26e4 (1 x NetWire)
ssdeep 12288:7oXNijZcTb++heFqzrCJib8HOLOkqFGix5FDhUcyr:7oX8mvbeFqyJBHcRiNy
Threatray 628 similar samples on MalwareBazaar
TLSH T173F46D16B29048F7C47316789C1B9A949DAABD3039389C422FE41E487FBF2913D3DA57
File icon (PE):PE icon
dhash icon b464ccd0f0e8dcc0 (1 x NetWire, 1 x RemcosRAT, 1 x Formbook)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
185.140.53.138:3360

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.140.53.138:3360 https://threatfox.abuse.ch/ioc/290121/

Intelligence

File Origin
# of uploads :
1
# of downloads :
462
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
60324306cb83ad2ab8192344f1b15e44.exe
Verdict:
Malicious activity
Analysis date:
2021-12-30 23:20:03 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/7c086a66-482a-458a-8029-9dd4a941a781

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216880/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3531/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit greyware keylogger wirenet zusy
Link:
https://www.filescan.io/uploads/61ce3db98991ba72b3a10488/reports/8974249f-759f-43a3-b6e2-d1a22a3b7e51/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73378714-3243-4cb4-ae84-a5da5e1fb330
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914170
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to steal Chrome passwords or cookies
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 546648 Sample: L4Gsbh6915.exe Startdate: 31/12/2021 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 4 other signatures 2->50 6 L4Gsbh6915.exe 1 16 2->6         started        11 Fuzwsmiria.exe 13 2->11         started        13 Fuzwsmiria.exe 14 2->13         started        process3 dnsIp4 26 onedrive.live.com 6->26 28 kgp8ba.am.files.1drv.com 6->28 30 am-files.fe.1drv.com 6->30 22 C:\Users\user\Contacts\Fuzwsmiria.exe, PE32 6->22 dropped 24 C:\Users\...\Fuzwsmiria.exe:Zone.Identifier, ASCII 6->24 dropped 52 Contains functionality to steal Chrome passwords or cookies 6->52 54 Injects a PE file into a foreign processes 6->54 56 Contains functionality to detect sleep reduction / modifications 6->56 15 L4Gsbh6915.exe 2 6->15         started        32 onedrive.live.com 11->32 36 2 other IPs or domains 11->36 58 Multi AV Scanner detection for dropped file 11->58 60 Machine Learning detection for dropped file 11->60 18 Fuzwsmiria.exe 11->18         started        34 onedrive.live.com 13->34 38 2 other IPs or domains 13->38 20 Fuzwsmiria.exe 13->20         started        file5 signatures6 process7 dnsIp8 40 saturdaylivecheckthisout.duckdns.org 185.140.53.138, 3360, 49755, 49762 DAVID_CRAIGGG Sweden 15->40 42 192.168.2.1 unknown unknown 20->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53e50cd638abfb79fd2e29d0b2c39305c937852b1c314b06358b37d73bd31e98/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-12-29 23:29:10 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kpsqzvryvp5xt7jofhilfq4taxetpbjldqyuwbrvrm35oo6td2ma._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
090c4ff20568f647c80d5ae386bf5aedd9d8b066066a465b5300f8bd42ff1282
NetWire
0c34d4763fc968ccbe9f33dec2ae9e3e132a61b40ffc93cc22f337a0758c0279
NetWire
3e9f05acde528ea5fd7ca9d0c2af0e82d29e343d2f61420290e6f660630cd25f
NetWire
573f11821c72786131d82bcdb3744b83d01615c25489f4cf2c46181ae6143226
NetWire
934609a4e6bbf6eda68c1a09fbd0d5e331229f974148c21aa99add9f94171ec1
NetWire
b0a98ae8b1dadc3b181f6252abef59940ceeb5019cd4ae2f0feadb0a520063cd
NetWire
b6f5a289ab47b790c1bc57a5a3b35871fc968da66ebb3fdd7669de18c2ba3dd5
NetWire
c1ffaaa3fad1741534ca46e6eb19dbafebc46932eecccef600f69a615d8e57ea
NetWire
df2688f6f88ea0e66b46d856e514adf25f8456cb4e45c849233799e17b1171e3
NetWire
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
NetWire
+ 618 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/211230-286jxsgch9/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
saturdaylivecheckthisout.duckdns.org:3360
Unpacked files
SH256 hash:
53e50cd638abfb79fd2e29d0b2c39305c937852b1c314b06358b37d73bd31e98
MD5 hash:
60324306cb83ad2ab8192344f1b15e44
SHA1 hash:
ffd772ea71bc69582c57f03cebc32b1fc4d39083
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/0af4b2e9-3c8f-4c25-b20d-5fe004e0178e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53e50cd638abfb79fd2e29d0b2c39305c937852b1c314b06358b37d73bd31e98

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/216880/

Comments