MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 557b7d3dbc3f34338f5a6c1467f399abc0b3ef004d7378b7ff78f80d96fbc244. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 557b7d3dbc3f34338f5a6c1467f399abc0b3ef004d7378b7ff78f80d96fbc244
SHA3-384 hash: d09e22b24844c281fc345c2ee25cfc362d5962e989540cc12e40dd4e06d28c8b77f573f1f14b52adec25f0a71815df4a
SHA1 hash: 062eab232642c0d9ee9e6af266a8abe9fa14dbac
MD5 hash: ac2dd3566161994b4bc2af90113dd6ef
humanhash: vegan-asparagus-july-network
File name:ShippingBLINVPLPDF.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:782'848 bytes
First seen:2021-06-21 15:16:24 UTC
Last seen:2021-06-21 15:57:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:FzSdmzYonM/JnXsANAoVdvf6Sb/G0bXCr4XTAB43s8j24pKzry/WYTlm5/pOWFHS:+qid5TySbNXyn8j24pKzrOWYTC/3H
Threatray 1'038 similar samples on MalwareBazaar
TLSH CEF4E0343ED99A18F17B9B3A4DD0756197FFF9236713C1293CA1128A4723F81DEA112A
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
91.193.75.228:8760

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.193.75.228:8760 https://threatfox.abuse.ch/ioc/138306/

Intelligence

File Origin
# of uploads :
2
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ShippingBLINVPLPDF.exe
Verdict:
Malicious activity
Analysis date:
2021-06-21 15:19:48 UTC
Tags:
trojan netwire rat
Link:
https://app.any.run/tasks/157648f2-93d8-4413-a739-5c6a8e882248

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167323/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.850.9283.23175.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d92c3c61-9632-4f70-8b7c-9eed0df0d6e6
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805424
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/557b7d3dbc3f34338f5a6c1467f399abc0b3ef004d7378b7ff78f80d96fbc244/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 15:17:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
23 of 46 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kv5x2pn4h42dhd22nqkgp44zvpalh3yajvzxrn77pd4a3fx3yjca._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0c34d4763fc968ccbe9f33dec2ae9e3e132a61b40ffc93cc22f337a0758c0279
NetWire
2e54ae1fe78471492cc217d238fcd7f0158ae8f22a35e9576a91b3a6614c2d08
NetWire
573f11821c72786131d82bcdb3744b83d01615c25489f4cf2c46181ae6143226
NetWire
5f8cd119c7cc31eef0e66451fb05d5179c60850b2330ebcb76066dd289172a17
NetWire
6bcd9c589b51cbd1011942b2bdaeaab62748c7380a17336b35bf589c880553b8
NetWire
7b9a1aa88be62eb638af26146fce0a1b71aec646d2495fb350dd6d56997e7582
NetWire
91f4cceeb3b8d11e2408bd72aead7513f7031226e5ebc969611379b1bd04256a
NetWire
b2e52f028aaa499f514e7684c6fae9f7db0532cbbce8fbef0234159fbc2e628b
NetWire
c4b73299f51cc04c30ee6080144f960c8d5de3d62c0e0b10c6c497f57b844474
NetWire
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
NetWire
+ 1'028 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210621-mm29tt4bwa/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
www.clfoor.net:8760
Unpacked files
SH256 hash:
15c36b53a8eac9944b9ddbf04c8105086eff13d3b13a07af52fe4670b7c7e975
MD5 hash:
fd4ba1bbee3853aba7ae7b405fbc8b16
SHA1 hash:
9dbde5a54a3a2b84ff03278556ba412a9170ef13
Link:
https://www.unpac.me/results/c37a224a-f497-49e6-9fd7-d3540e25b5a9/
SH256 hash:
e3abdf81bc27702cab8646a58dc51010423774842b8dab357232a79898d12ebf
MD5 hash:
57f5bb51070499ef3a81211f5d0d353e
SHA1 hash:
2b05ad051cb0022d349e20e09c08ef5ba153142e
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/c37a224a-f497-49e6-9fd7-d3540e25b5a9/
SH256 hash:
d80c290dc6cf8452c8d6cc71fbc79a55c015423c0c3acead84981e282c168a8e
MD5 hash:
c5ebfa2301a7fd95166b52007998e821
SHA1 hash:
1a5e961004f41d0455f1e9c664a9a4ea953fd006
Link:
https://www.unpac.me/results/c37a224a-f497-49e6-9fd7-d3540e25b5a9/
SH256 hash:
557b7d3dbc3f34338f5a6c1467f399abc0b3ef004d7378b7ff78f80d96fbc244
MD5 hash:
ac2dd3566161994b4bc2af90113dd6ef
SHA1 hash:
062eab232642c0d9ee9e6af266a8abe9fa14dbac
Link:
https://www.unpac.me/results/c37a224a-f497-49e6-9fd7-d3540e25b5a9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/557b7d3dbc3f34338f5a6c1467f399abc0b3ef004d7378b7ff78f80d96fbc244

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167323/

Comments