MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54d8f78bd1fe792e03f5e128d9fe6f930e73199ba028960ecd62bf22d5242c6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54d8f78bd1fe792e03f5e128d9fe6f930e73199ba028960ecd62bf22d5242c6d
SHA3-384 hash: df20ddcb72d771db70e3262f04b1f15877d559942db150bc1b598c157bc63bb40f468dfb3657611a391ea27b1fe8407d
SHA1 hash: 1dfdc7dfbe83a8212222d30a433e6d7135bbe38c
MD5 hash: 09e3f1623df6ec7412a68af246f60e7b
humanhash: mexico-two-violet-mango
File name:kAFIi0D3kfignSd.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:868'352 bytes
First seen:2020-10-19 10:12:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:REMJZGDm//mx37jGXQoVz+D9A1GKZHNYPzodG7/P:RBcrCXQiz+JA1GUKzodG7/
Threatray 54 similar samples on MalwareBazaar
TLSH 5005581023F80B09F57B97F5962850419BB67A9A613ED24C7DCD31DE9FB2B010A63B27
Reporter abuse_ch
Tags:exe geo NedBank NetWire nVpn RAT ZAF


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: mail.genoxyl.ga
Sending IP: 168.235.67.97
From: NedBank <Notification@nedbank.co.za>
Reply-To: Notification@nedbank.co.za
Subject: Proof of Payment
Attachment: Proof of Payment.tar (contains "kAFIi0D3kfignSd.exe")

NetWire RAT C2:
185.140.53.167:3382

Hosted on nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-BE
country: BE
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-10-02T20:59:33Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.31913.22965.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Threat name:
Netwire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495212
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Netwire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/54d8f78bd1fe792e03f5e128d9fe6f930e73199ba028960ecd62bf22d5242c6d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 07:05:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ktmppc6r7z4s4a7v4eunt7tpsmhhggm3uaujmdwnmk7sfvjefrwq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
3b97909b8cc676b840fd25680d29f211efcc6c71a0234f33365dd0fec17e8438
NetWire
58bd9279e5ef2a3c1a55c9257c276f8203b69c79e29008399c6629eaf8ca6d56
NetWire
6490275833a54ddb21377ef003cacd595697c7659c1b7c6fc24a285fec1946ee
NetWire
680e6e46c8bed6c48e63f6dab3409bb9cd05f6642084ef8b0d03898dacc500a7
NetWire
99cc56c49ea22eaf929c14180a5625096c6652ae122fb35d913ae774604965f0
NetWire
a6f68b61781c4503ac6dbc6b79d22d3a2f6e7995c35e85f08c0d153e056d6f0e
NetWire
b8e4dfdddae3c40ef710797605631573fe5689ae296637a411a88f8f3c1d7389
NetWire
ba5cf0e14767afbaf1ef4310a5a7a55e152b7c54507a1b567133cdf42493629d
NetWire
d18f27370f8ee9d89c588980241ef2757a4a5d6cc70a357c7a45fae186c7e84b
NetWire
eacd132f69b64ef7a47c959fd92f50343be23e5768f0476c665870f5de4f89ee
NetWire
+ 44 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
rat botnet stealer family:netwire
Link:
https://tria.ge/reports/201019-1xtjfnrg6x/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
54d8f78bd1fe792e03f5e128d9fe6f930e73199ba028960ecd62bf22d5242c6d
MD5 hash:
09e3f1623df6ec7412a68af246f60e7b
SHA1 hash:
1dfdc7dfbe83a8212222d30a433e6d7135bbe38c
Link:
https://www.unpac.me/results/7c4b7abb-45b7-453c-9514-c805efb02b31/
SH256 hash:
62495bea1d97e5759109e9e784308726d1d10838e400822c8579a103511d1125
MD5 hash:
e87b8a52edbd8bb2927279cea3a58e64
SHA1 hash:
15cb3a3b7d9b3bb5a8575f8127531d1fcdadb549
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/7c4b7abb-45b7-453c-9514-c805efb02b31/
Parent samples :
c4814643da678ac9446ec619e269db1ccd32ebf1fa81f1d6ea8c7bc2c4e739ce
54d8f78bd1fe792e03f5e128d9fe6f930e73199ba028960ecd62bf22d5242c6d
4c5670614501c7d604bc9c591c931d27a564038c042617214ea6e70b037bbcaa
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/7c4b7abb-45b7-453c-9514-c805efb02b31/
SH256 hash:
89e424fef27d9fa5fb6935552afe1336e3413b3aa6b2dbaa816916ee2100c7fc
MD5 hash:
ea1467e5d94c5b4fe74dee3027c03e5d
SHA1 hash:
f0a150563ff9554d8956ea705d74f9f6d8227b68
Link:
https://www.unpac.me/results/7c4b7abb-45b7-453c-9514-c805efb02b31/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/54d8f78bd1fe792e03f5e128d9fe6f930e73199ba028960ecd62bf22d5242c6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar 56ab818bd3b0dd8adaf6a4e720d006b3be9755b40898a00e4be175d6e81b3391

NetWire

Executable exe 54d8f78bd1fe792e03f5e128d9fe6f930e73199ba028960ecd62bf22d5242c6d

(this sample)

  
Dropped by
MD5 690361ea902b317b6deb36fbff8f8c39
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72874/
  
Dropped by
SHA256 56ab818bd3b0dd8adaf6a4e720d006b3be9755b40898a00e4be175d6e81b3391

Comments