MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58e859630e2c6bf67159e3749ab71038fcbcfb32ba0bbf3162d58a7fac6311eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58e859630e2c6bf67159e3749ab71038fcbcfb32ba0bbf3162d58a7fac6311eb
SHA3-384 hash: 9947553e1c64729430434560baa162097fdc3df98839aca3f32dc1bd32aed5e3fc0f7fa89ed74d90855ee9c1e1ffcf8f
SHA1 hash: 18f5bf748b554682a34bb92253f92c6081cd2489
MD5 hash: 711dfad09c91744b9992c13d0f48289e
humanhash: double-robert-queen-lemon
File name:Our New Order Feb 23 2021 at 2.70_PVV440_PDF.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:491'520 bytes
First seen:2021-02-23 06:59:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:QUu8tl6Akg2ifiv/1dpSEzOnfX0NOJ6y1AacZTXA1bXZCryrEI7lDlJAaN2+WN:QUu8CAkg2Yivddp9+OG1bcrzI7lZV2h
Threatray 404 similar samples on MalwareBazaar
TLSH 5BA4AE20269C9B4EE03EBB795110121F43F5A616D327E68FBDE541DF6DA2F404B72A23
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: servidor2.mediosenred.tv
Sending IP: 5.145.175.121
From: Dusan Matkovic <Dusan.azih@getinge.com>
Subject: RE: AW: Our New Order//Shipment No.00187
Attachment: Our New Order Feb 23 2021 at 2.70_PVV440_PDF.img (contains "Our New Order Feb 23 2021 at 2.70_PVV440_PDF.exe")

NetWire RAT C2:
mmakopl.duckdns.org:5569

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118462/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/614884
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Contains functionality to steal Chrome passwords or cookies
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Sigma detected: NetWire
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/58e859630e2c6bf67159e3749ab71038fcbcfb32ba0bbf3162d58a7fac6311eb/
Threat name:
ByteCode-MSIL.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 06:59:19 UTC
AV detection:
10 of 47 (21.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ldufsyyofrv7m4kz4n2jvnyqhd6lz6zsxif36mlc2wfh7lddchvq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
00ea5bf66857a669971686b5fdc1ea0cae6395d10b9e4c449aa1f5306273659b
NetWire
1a74db4455c36b2fe392324c62800ed3dfcfa5c4d32e845f7937bf270177b50d
NetWire
41cda64e265a121f8e57506fc5b51466e431786304e15216b567e01374522a25
NetWire
48709c3e07c128283d9d550331d6e5f7c4afeadfc61cad94d769ea8ce7399e77
NetWire
4cedaa22118c9bca2d63edb74a43cc292100d253dab2cd23240cc4e8cc567b92
NetWire
80622d6bf536ca1e21f411864d3c4af7f4ebded98ea3aeeb6c99b964b247e3ca
NetWire
8a7d56c6c4f937173a0a45145765feb562b1fae368d9297a03dd4ea098d90d03
NetWire
d798fc1115e9b445231646cc0fdbb5e1aa248b063bdb1e5b2f64739ac3682e9c
NetWire
d96042b51f171f68a99d4568f311f267fe595df0add3851e162cbcee7f897edb
NetWire
f22d8de0260841fba148d55ce317ac6a8c27ef46a6ccfb6ad7390eefe3d463bb
NetWire
+ 394 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210223-zjprt5sjks/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
e624003658c4f8b349f567c82229fd15d1e63d3d20fe6f7b4388403038cd2a44
MD5 hash:
b6ce7c1d81b9271eab825ea63de154c3
SHA1 hash:
0e7b89555314f8908c1098b652c9bf50e5ecc27b
Link:
https://www.unpac.me/results/a4c39142-6f33-43b7-9dc1-ec506319b959/
SH256 hash:
58e859630e2c6bf67159e3749ab71038fcbcfb32ba0bbf3162d58a7fac6311eb
MD5 hash:
711dfad09c91744b9992c13d0f48289e
SHA1 hash:
18f5bf748b554682a34bb92253f92c6081cd2489
Link:
https://www.unpac.me/results/a4c39142-6f33-43b7-9dc1-ec506319b959/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/58e859630e2c6bf67159e3749ab71038fcbcfb32ba0bbf3162d58a7fac6311eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

img 06599f6c48184ef1aa771d951682f985f4193e29b5b87e9dff23db388fb1c4b6

NetWire

Executable exe 58e859630e2c6bf67159e3749ab71038fcbcfb32ba0bbf3162d58a7fac6311eb

(this sample)

  
Dropped by
MD5 1e549aabc3ce0f57655164993d2e7e30
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 06599f6c48184ef1aa771d951682f985f4193e29b5b87e9dff23db388fb1c4b6
Cape
Cape
https://www.capesandbox.com/analysis/118462/

Comments