MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5741d60ead4ec57c71e274d23d6a4550650e54edf7613a180de90749a0c651ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5741d60ead4ec57c71e274d23d6a4550650e54edf7613a180de90749a0c651ca
SHA3-384 hash: cfbd20f5e25c8a38642b841f7d8a74962daac3a9ea7689a59cf4f9afb0a473c0274066d7c2c76c5536d2b995c01a05e6
SHA1 hash: e7518db06a5b1489f19b5c289f13baee4b451232
MD5 hash: 9c8caafe400cd27300dadc9680981124
humanhash: mountain-lemon-iowa-grey
File name:Our New Order No. 64788926.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:813'568 bytes
First seen:2020-08-13 11:18:54 UTC
Last seen:2020-08-13 12:24:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bd9a6764235778d7fabb327e5e20a560 (8 x AgentTesla, 6 x Loki, 2 x NetWire)
ssdeep 12288:9mp9XVk3rNq8srw+ZdKSsWItO8n+D0s+rIJGWb66YPSXCbjtgxyYFzf:qlQNqHMWKKcAFrJ1bUKXlxxFzf
Threatray 1'738 similar samples on MalwareBazaar
TLSH 83058D62A2D3F432D12B153DC81B76F498EABE51E9247B472BE47C4C7E3927138251A3
Reporter abuse_ch
Tags:exe NetWire


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: torrespardo.ncloud.es
Sending IP: 185.57.172.23
From: David Zhang <info@nnmed.com>
Subject: RE: AW: Our New Order No. 647889026
Attachment: Our New Order No. 647889026.zip (contains "Our New Order No. 64788926.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
293
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45126/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Deleting a recently created file
Replacing files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/425998
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 265620 Sample: Our New Order No. 64788926.exe Startdate: 14/08/2020 Architecture: WINDOWS Score: 100 74 Yara detected NetWire RAT 2->74 76 Sigma detected: Drops script at startup location 2->76 78 Machine Learning detection for sample 2->78 80 3 other signatures 2->80 14 Our New Order No. 64788926.exe 2->14         started        17 wscript.exe 1 2->17         started        process3 signatures4 116 Writes to foreign memory regions 14->116 118 Allocates memory in foreign processes 14->118 120 Queues an APC in another process (thread injection) 14->120 19 notepad.exe 5 14->19         started        23 Notepadlite14.exe 17->23         started        process5 file6 66 C:\...66otepadlite14.exe:Zone.Identifier, ASCII 19->66 dropped 86 Creates files in alternative data streams (ADS) 19->86 88 Drops VBS files to the startup folder 19->88 25 Notepadlite14.exe 19->25         started        90 Maps a DLL or memory area into another process 23->90 28 Notepadlite14.exe 23->28         started        signatures7 process8 dnsIp9 104 Detected unpacking (changes PE section rights) 25->104 106 Detected unpacking (overwrites its own PE header) 25->106 108 Contains functionality to log keystrokes 25->108 110 5 other signatures 25->110 31 Notepadlite14.exe 3 25->31         started        33 svchost.exe 25->33         started        70 192.168.2.1 unknown unknown 28->70 35 Host.exe 28->35         started        signatures10 process11 signatures12 38 Host.exe 31->38         started        82 Writes to foreign memory regions 35->82 84 Allocates memory in foreign processes 35->84 41 notepad.exe 35->41         started        process13 signatures14 92 Machine Learning detection for dropped file 38->92 94 Writes to foreign memory regions 38->94 96 Allocates memory in foreign processes 38->96 98 Contains functionality to detect sleep reduction / modifications 38->98 43 notepad.exe 4 38->43         started        46 Notepadlite14.exe 41->46         started        process15 file16 68 C:\Users\user\AppData\...68otepadlite14.exe, PE32 43->68 dropped 49 Notepadlite14.exe 43->49         started        122 Maps a DLL or memory area into another process 46->122 52 Notepadlite14.exe 46->52         started        signatures17 process18 signatures19 72 Maps a DLL or memory area into another process 49->72 54 Notepadlite14.exe 2 49->54         started        56 Host.exe 52->56         started        process20 signatures21 59 Host.exe 54->59         started        100 Writes to foreign memory regions 56->100 102 Allocates memory in foreign processes 56->102 62 notepad.exe 56->62         started        process22 signatures23 112 Writes to foreign memory regions 59->112 114 Allocates memory in foreign processes 59->114 64 notepad.exe 2 59->64         started        process24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5741d60ead4ec57c71e274d23d6a4550650e54edf7613a180de90749a0c651ca/
Threat name:
Win32.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-08-13 11:20:12 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k5a5mdvnj3cxy4pcotjd22sfkbsq4vhn65qtugan5edutiggkhfa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
04100ed81b98bad69ba33472802db912c403111f7fef1cb58f8981b9ce310ee3
NetWire
09e71602eb0764d2729c47a67c19d64deecca8aa175b529f271cf72795725502
NetWire
20d66ddece0fa3ebb5a0573a7290ce696468ab27b55b99c37889ba6b4dab89ab
NetWire
5b3cc30719578d96ef64e9341e00eedb05512ee9692b2eff924aabc54e7a16e4
NetWire
7c6da3c6cdc2c4ba881925e305c2c2044105546e0b7a8ca1d8c523d8584be05a
NetWire
90a81b30439b28f93aedd6c172dc5caf76c2f350f6c1b11eacaedc8dc80edf52
NetWire
aa556dde1f62e5e897bf5db6980f8202febe626f2e9840190f1f2695eec3c065
NetWire
bcc8c0f61a1dfdfd76ebe02523c3eef4362cb7fb3413b24a7632a2262219a589
NetWire
c4b617def78629851cc46040994b385c369ec849a28d791605f39a0eb294ac6e
NetWire
d63afe1ea3ed68602cf36e5f78e76143fd7c70a1a2bfada402d1d5cc6428c68e
NetWire
+ 1'728 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
rat botnet stealer family:netwire
Link:
https://tria.ge/reports/200813-abkgyey1ya/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5741d60ead4ec57c71e274d23d6a4550650e54edf7613a180de90749a0c651ca

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

zip b6c944eb502737470183eca23c4766365c9e9fde16aeda42d3f26ffb95ff97b2

NetWire

Executable exe 5741d60ead4ec57c71e274d23d6a4550650e54edf7613a180de90749a0c651ca

(this sample)

  
Dropped by
MD5 561632c068135fac3c755cd2f921cd09
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b6c944eb502737470183eca23c4766365c9e9fde16aeda42d3f26ffb95ff97b2
Cape
Cape
https://www.capesandbox.com/analysis/45126/

Comments