MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5456779d0c758825ed118932f851b341ea9fd2e64bac720de93232e8c648b412. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	5456779d0c758825ed118932f851b341ea9fd2e64bac720de93232e8c648b412
SHA3-384 hash:	0bd3cc00b2a93cd666885641e0c283074a10e9cdd8134b10a8a7d322ed4d3f553ed7080b69be4e76741f075127f91a8b
SHA1 hash:	70c6e08d8df5f434bdf00f05e86f3fbe51e23d2c
MD5 hash:	7d1b6ed27776a594a98c509f12f475e2
humanhash:	eighteen-burger-tango-cold
File name:	2897043264.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	1'047'040 bytes
First seen:	2022-03-31 08:44:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	12288:SMkSewUdbPhJ5hMVhg79koKftoSM3T2Y7lZ9ioa/w2ApohE/uxB+MgSpm3euI0b:BknJ4h8kdfKL3TX4y/aBXgS2
Threatray	15'050 similar samples on MalwareBazaar
TLSH	T15325125BB0941A77DF2C14FA4C54908113FAAC262CB3EFC52CA638D612F778B152669B
File icon (PE):
dhash icon	72c8c6c65a262c0e (1 x NetWire)
Reporter	pr0xylife
Tags:	exe NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

351

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NetWire

Link:

https://www.capesandbox.com/analysis/259951/

Detection(s):

SecuriteInfo.com.Suspicious.Win32.Save.a.17604.7233.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Сreating synchronization primitives

Creating a file

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file in the %AppData% subdirectories

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/62456a121f204239485ab507/reports/efdfa142-6d40-4edc-8d57-fd7edcfea7cb/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a8a40399-0f8e-4aab-8cbf-c97bbf449dbc

Result

Threat name:

AgentTesla NetWire

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/968210

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5456779d0c758825ed118932f851b341ea9fd2e64bac720de93232e8c648b412/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-31 08:45:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Verdict:

malicious

Label(s):

agenttesla

netwirerc

NetWire

5b3332c8ab54721c4b4771b748c9852b4fee0e77ca63915231e7473a827574a7

NetWire

887dc596452817d1ec48e073fd28312f0e75932e34fecf13bdc6ce68ee665f4d

NetWire

9407b4a736fe6f81101adb5a2e66bdd35171d9f15e756fd90a50a3e86a35d71d

NetWire

abcdd8e778aa71065141457f413012aca2a8d404e498aa15ee49332d0f33dc58

NetWire

e4715658b6981b37c06e063e6b59af6d82c8c5edeb93e339e367d497332b7b69

NetWire

+ 15'040 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:agenttesla family:netwire botnet collection keylogger persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/220331-knqjjahbe6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

betterday.duckdns.org:5345
https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument

Unpacked files

SH256 hash:

25a07bf04a9c39b589adf2c276dc2569b0a3b61f7d3b9004c7d9ae4530064520

MD5 hash:

4eb81e5b3433fdc56d2abcfb833875f7

SHA1 hash:

a83e9373a9a443f0a2de4c121165d027080cf1a1

Link:

https://www.unpac.me/results/d1ed6b18-a54a-4612-b293-5a41bfdd0f03/

SH256 hash:

3b7919c38841ba38e1034d7f91262f4948352158d2e68a5f47daf73ad50429be

MD5 hash:

730f84b98cdf9b4c0f32cbc2601b1cf4

SHA1 hash:

0abcde16aa10acb237ad317aacf3e80b22454d51

Detections:

win_netwire_g1

Link:

https://www.unpac.me/results/d1ed6b18-a54a-4612-b293-5a41bfdd0f03/

Parent samples :

5b3332c8ab54721c4b4771b748c9852b4fee0e77ca63915231e7473a827574a7
5456779d0c758825ed118932f851b341ea9fd2e64bac720de93232e8c648b412

SH256 hash:

41024f74b83d1d7c7a650d499a98d4367170e71e5d116ec3b0932008beadad13

MD5 hash:

5806a6728c003d2311777e8d0453b7ff

SHA1 hash:

bff129dbecadb91d2df2d37e37d33eb4ed009ba4

Link:

https://www.unpac.me/results/d1ed6b18-a54a-4612-b293-5a41bfdd0f03/

SH256 hash:

423193b4b8f42edbedb5e19ade208e63defb21087fc6052562205d27f9111170

MD5 hash:

65abeb3970f94b23c7caf06362b093c1

SHA1 hash:

94c1f3538180cd644b80a1b9500bad83ba200100

Link:

https://www.unpac.me/results/d1ed6b18-a54a-4612-b293-5a41bfdd0f03/

SH256 hash:

613b2819d35360cbfe6c94b2b998d1a4998c89f5bdef505e0e158e1288ab684c

MD5 hash:

3096cbaf4b5d40f9c61bf7ce13fde62f

SHA1 hash:

6b3c580e51fd306bfdc2e727ca3bc7805aba4b53

Link:

https://www.unpac.me/results/d1ed6b18-a54a-4612-b293-5a41bfdd0f03/

SH256 hash:

82faa4bb0e1d13985175bd0b6c6dad9db093048ffcc09f2d2f3dab4bbcf25933

MD5 hash:

4d3d19ec67dbcb7bb5e012cd67e69919

SHA1 hash:

009faeeec7c3e69622e3206c6ba856f35a002890

Link:

https://www.unpac.me/results/d1ed6b18-a54a-4612-b293-5a41bfdd0f03/

SH256 hash:

5456779d0c758825ed118932f851b341ea9fd2e64bac720de93232e8c648b412

MD5 hash:

7d1b6ed27776a594a98c509f12f475e2

SHA1 hash:

70c6e08d8df5f434bdf00f05e86f3fbe51e23d2c

Link:

https://www.unpac.me/results/d1ed6b18-a54a-4612-b293-5a41bfdd0f03/

Malware family:

NetWiredRC

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/5456779d0c75/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5456779d0c758825ed118932f851b341ea9fd2e64bac720de93232e8c648b412

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/259951/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample