MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5759a1711d0f78b7be3f76aa9e451516f93d91370586f863dd5a68291c82ee3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	5759a1711d0f78b7be3f76aa9e451516f93d91370586f863dd5a68291c82ee3b
SHA3-384 hash:	65fcf9cf61707e1f3284555d1cd58df014ae3eaedfac0329ef42d7a228556a75a7bdf5e913ad524efcb840a9b3a73e5e
SHA1 hash:	92e7dd35847659444c564e51ddafb265216954b2
MD5 hash:	230793cd297cccf26cdd66bd353c5c41
humanhash:	alaska-maryland-lion-mississippi
File name:	ORDER#594.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	1'140'744 bytes
First seen:	2021-03-01 07:29:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b4043a309d0347d03a7fb07fb4b5acc1 (2 x AveMariaRAT, 1 x RemcosRAT, 1 x BitRAT)
ssdeep	24576:VhTP85JKIq20xIQ40TMt7zVT6lVINTgZi4:vTPAvTzVT6lKNTL4
Threatray	368 similar samples on MalwareBazaar
TLSH	60357D22A2534CF6C0221B379D3B5278D5A5BE20B5345C4636AC6C68BFEF7907C1F992
Reporter	abuse_ch
Tags:	exe NetWire

abuse_ch

Malspam distributing unidentified malware:

HELO: mail0.vpatelcompany.site
Sending IP: 206.189.41.172
From: Esmee <sales@vpatelcompany.site>
Subject: Re: New Order
Attachment: ORDER594.rar (contains "ORDER#594.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

337

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ORDER#594.exe

Verdict:

Malicious activity

Analysis date:

2021-03-01 07:35:28 UTC

Tags:

rat netwire trojan

Link:

https://app.any.run/tasks/f65c2512-38d2-4b10-a1af-8f4821d1775a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/120143/

Detection(s):

SecuriteInfo.com.Mal.Generic-S.20015.3732.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file

Deleting a recently created file

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/621752

Signature

Contains functionality to detect sleep reduction / modifications

Contains functionality to steal Chrome passwords or cookies

Detected unpacking (creates a PE file in dynamic memory)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: NetWire

Sigma detected: Suspicious Program Location Process Starts

Uses dynamic DNS services

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5759a1711d0f78b7be3f76aa9e451516f93d91370586f863dd5a68291c82ee3b/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2021-03-01 07:30:20 UTC

AV detection:

16 of 47 (34.04%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=k5m2c4i5b54lppr7o2vj4rivc34t3ejxawdpqy65ljucshec5y5q._file

Verdict:

malicious

Label(s):

netwirerc

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet persistence stealer

Link:

https://tria.ge/reports/210301-mlkgjfjfta/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Netwire

Unpacked files

SH256 hash:

5bcde4d165f66f58ce0446462a038b7ae84e2fd2275885f61f68287547aac66d

MD5 hash:

34cb499bbd566c24dcf888e9bab46083

SHA1 hash:

3bb97e3103868691e57e7cf3be88a7ff30f46ea1

Link:

https://www.unpac.me/results/00aa710d-13c0-47b5-9821-2e654e084785/

SH256 hash:

5759a1711d0f78b7be3f76aa9e451516f93d91370586f863dd5a68291c82ee3b

MD5 hash:

230793cd297cccf26cdd66bd353c5c41

SHA1 hash:

92e7dd35847659444c564e51ddafb265216954b2

Link:

https://www.unpac.me/results/00aa710d-13c0-47b5-9821-2e654e084785/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5759a1711d0f78b7be3f76aa9e451516f93d91370586f863dd5a68291c82ee3b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar fc49fb197c6cf35a2931050c9ac2f6815c488d3f137039f7b3bbf4032a307c86

NetWire

exe 5759a1711d0f78b7be3f76aa9e451516f93d91370586f863dd5a68291c82ee3b

(this sample)

Dropped by

MD5 345dd35907dac1ba8740e05b9c838e6c

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/120143/

Dropped by

SHA256 fc49fb197c6cf35a2931050c9ac2f6815c488d3f137039f7b3bbf4032a307c86

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample