MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5712e0a231e705d4438c09a5aacfdb9b753f9a2cc8a110c2b13606cdac708d42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5712e0a231e705d4438c09a5aacfdb9b753f9a2cc8a110c2b13606cdac708d42
SHA3-384 hash: d536ea158f622dd4ff40a625e29943d037e94f14df5b82140358ab33175af849ab1af7b22b71ba3cd4dadf90e490e6de
SHA1 hash: dfe8140401a22b40729ffdb3e333dbaea36965fa
MD5 hash: 0de551c3a895fb267496eed5d0741f36
humanhash: ack-fish-five-hotel
File name:Quote.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:543'232 bytes
First seen:2022-07-22 07:01:33 UTC
Last seen:2022-07-22 09:42:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 6144:YOrJjPQsjPm31hjRyOl7vzwXBHq6N8OkQdTQhGd9TZ7ukOVjJyAzx7ubb/R9lnlC:m31hr9O8m9l3Bu5jEAzm5NOS+zGx8
Threatray 940 similar samples on MalwareBazaar
TLSH T189C4F19F149CD36BE5798FB920279537677E3E3AAD63E30A3CD130D790A67A10212253
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter GovCERT_CH
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
337
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
Quote.exe
Verdict:
Malicious activity
Analysis date:
2022-07-22 08:08:30 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/4696c865-44aa-4ac7-900b-d0915261f321

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293307/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.44349.11880.14868-222265.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62da4baeb1b58ed7a178fa01/reports/0e0670b7-c0fb-4531-9335-088a10e3796e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd4d6602-e6f4-450e-b065-a1a6fa61a931
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1039059
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5712e0a231e705d4438c09a5aacfdb9b753f9a2cc8a110c2b13606cdac708d42/
Threat name:
Win32.Trojan.Variadic
Create hunting rule
Status:
Malicious
First seen:
2022-07-22 04:18:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k4jobirr44c5iq4mbgs2vt63tn2t7grmzcqrbqvrgydm3ldqrvba._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
12c7825f2a79392ee493c0e710f22666e1e6e52c97a231660dcabad407a90863
NetWire
4c93747030e17a8581b15cce2fd3aee28eb12dab9a8ec33839d083cda679487d
NetWire
9d9f53c7d4040936c0ce96e3a93c551e3f0823eb2b10f72f5a7def2881be346b
NetWire
ad2a4c7b0a58ac2e841eaad428581b697a5a0a6589165cb5fd5e7550e9029f3f
NetWire
bcc6ba14b357c5f88e7e495d16411be6d488918c743214018db2c8e45961fd94
NetWire
e1a77fa5285413469295dae451a81e68613360acbd05c127701e6e289279acfd
NetWire
fb8a339c0426e7443a8a557a8db6745d4510abe1086a0ecad45493bbcab97fca
NetWire
+ 930 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/220722-htsjzadfak/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
194.5.98.126:3378
Unpacked files
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/7c560691-7bae-4dec-a909-1f4830834fc5/
SH256 hash:
5bc865baa545b3e2fe76acec061dcc878ebc9d95b1f9819da9a1b7ce39a48ecb
MD5 hash:
13e41b138849f9db93e14b080b85dde5
SHA1 hash:
c5c9f6da1b561bfe6487d2b5cee2893d31a307e7
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/7c560691-7bae-4dec-a909-1f4830834fc5/
Parent samples :
bcc6ba14b357c5f88e7e495d16411be6d488918c743214018db2c8e45961fd94
4c93747030e17a8581b15cce2fd3aee28eb12dab9a8ec33839d083cda679487d
5712e0a231e705d4438c09a5aacfdb9b753f9a2cc8a110c2b13606cdac708d42
917353ea039d88a7f25adb7ee1a33f525ff39fdc67f6d6ac23e62dab60ac9c06
9a558d058307b8c1ef997ef5aa803d4e1f91b94c3c4df9bf038c4b445713a37c
e1005be756be06a809c11b66b47c79ee2fba85b2870693bee2882f369f03cec7
43515ecf901ddf50a3dbc0e8e1915a61e390a77b5f1c9f52846ecbb68bb3b6e0
SH256 hash:
166c209182585d508255b60fb7b594e6bde4abf6fdc215346d417bd8db475141
MD5 hash:
3e8c74ffe6ffdd02ef56ddde5f602ae4
SHA1 hash:
9f7d2ffeaf6a39f6f8e5da1050faf302288a713b
Link:
https://www.unpac.me/results/7c560691-7bae-4dec-a909-1f4830834fc5/
SH256 hash:
ca4e3745f87ae419e10fa9dd15e9814f66a7dca601ae70bd3ae3b0b0781e9491
MD5 hash:
6491ab64072f34a6124f4cdf1d9bdd43
SHA1 hash:
78008e0c188d1732ebb5bbfe6d15892ebe32b1f7
Link:
https://www.unpac.me/results/7c560691-7bae-4dec-a909-1f4830834fc5/
SH256 hash:
175b739c083ab502050e07a1d97d17e6f54450ea7097d40090029a6d308fdfff
MD5 hash:
4bad8dfe0fb867040cfffe659dd40479
SHA1 hash:
3bdafc0939be84cf252ad12b7b172b17ebba0830
Link:
https://www.unpac.me/results/7c560691-7bae-4dec-a909-1f4830834fc5/
SH256 hash:
5712e0a231e705d4438c09a5aacfdb9b753f9a2cc8a110c2b13606cdac708d42
MD5 hash:
0de551c3a895fb267496eed5d0741f36
SHA1 hash:
dfe8140401a22b40729ffdb3e333dbaea36965fa
Link:
https://www.unpac.me/results/7c560691-7bae-4dec-a909-1f4830834fc5/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5712e0a231e7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5712e0a231e705d4438c09a5aacfdb9b753f9a2cc8a110c2b13606cdac708d42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe 5712e0a231e705d4438c09a5aacfdb9b753f9a2cc8a110c2b13606cdac708d42

(this sample)

  
Dropped by
netwire
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/293307/

Comments