MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a8b1edfe9a05b20ec2ec3891cbe298913e9c8e29fae4e94411bc3766c907be2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a8b1edfe9a05b20ec2ec3891cbe298913e9c8e29fae4e94411bc3766c907be2
SHA3-384 hash: a3d98a750a0e2275b7af764e91bb54b8822c6f52ef6a4f00d7fe1988d21a01244988603a4088ee9d9a91ab6c0421d466
SHA1 hash: 4699f3485ba9da714ea346c0aa1db2bb35947dda
MD5 hash: ccc5553d844306dac7d4e112d27b6bf8
humanhash: carpet-mike-eight-mike
File name:PO 9047579 FDX PREMIUM 96 NTZ.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:635'904 bytes
First seen:2023-01-11 10:15:05 UTC
Last seen:2023-01-11 11:34:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:lAfWCREY+hUP5MMBn1CyvVwviXN4Nq0ymm82Ss0a15wKchkv3Am+8ubkw:6+07RBMMt1L9hwq0yb82SjywKcSvF+bf
Threatray 5'803 similar samples on MalwareBazaar
TLSH T1FFD4E08F08D1F520EFC41435C241B9ED1E772F15AAF6E84E9C937C2F29219DD6AA418B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
212.193.30.230:6063

Intelligence

File Origin
# of uploads :
2
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
PO 9047579 FDX PREMIUM 96 NTZ.exe
Verdict:
Malicious activity
Analysis date:
2023-01-11 10:15:30 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/024dd190-04fe-469a-9083-751805a86872

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351890/
Detection(s):
Can't access file ERROR
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63be8c635f356e00329d09fa/reports/9d15db95-73d8-40eb-ab94-ef7ad8284d22/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c81d090-0dd4-4aa0-8c76-742cb3f0bc62
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1149506
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 782238 Sample: PO 9047579 FDX PREMIUM 96 NTZ.exe Startdate: 11/01/2023 Architecture: WINDOWS Score: 100 82 Snort IDS alert for network traffic 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Antivirus detection for URL or domain 2->86 88 9 other signatures 2->88 9 PO 9047579 FDX PREMIUM 96 NTZ.exe 7 2->9         started        13 aTGTGTYybfHCv.exe 5 2->13         started        15 aTGTGTYybfHCv.exe 2->15         started        17 2 other processes 2->17 process3 file4 70 C:\Users\user\AppData\...\aTGTGTYybfHCv.exe, PE32 9->70 dropped 72 C:\...\aTGTGTYybfHCv.exe:Zone.Identifier, ASCII 9->72 dropped 74 C:\Users\user\AppData\Local\...\tmpD3D9.tmp, XML 9->74 dropped 76 C:\...\PO 9047579 FDX PREMIUM 96 NTZ.exe.log, ASCII 9->76 dropped 96 Adds a directory exclusion to Windows Defender 9->96 19 PO 9047579 FDX PREMIUM 96 NTZ.exe 3 9->19         started        22 powershell.exe 21 9->22         started        24 schtasks.exe 1 9->24         started        26 PO 9047579 FDX PREMIUM 96 NTZ.exe 9->26         started        98 Multi AV Scanner detection for dropped file 13->98 100 Machine Learning detection for dropped file 13->100 28 schtasks.exe 13->28         started        30 aTGTGTYybfHCv.exe 13->30         started        32 aTGTGTYybfHCv.exe 15->32         started        35 schtasks.exe 15->35         started        37 4 other processes 17->37 signatures5 process6 file7 66 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 19->66 dropped 39 Host.exe 5 19->39         started        42 conhost.exe 22->42         started        44 conhost.exe 24->44         started        46 conhost.exe 28->46         started        80 Creates autostart registry keys with suspicious names 32->80 48 conhost.exe 35->48         started        50 conhost.exe 37->50         started        52 conhost.exe 37->52         started        signatures8 process9 signatures10 90 Multi AV Scanner detection for dropped file 39->90 92 Machine Learning detection for dropped file 39->92 94 Adds a directory exclusion to Windows Defender 39->94 54 Host.exe 39->54         started        58 powershell.exe 39->58         started        60 schtasks.exe 39->60         started        process11 dnsIp12 78 212.193.30.230, 49695, 49696, 49697 SPD-NETTR Russian Federation 54->78 68 C:\Users\user\AppData\Roaming\...\sqlite3.dll, PE32 54->68 dropped 62 conhost.exe 58->62         started        64 conhost.exe 60->64         started        file13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a8b1edfe9a05b20ec2ec3891cbe298913e9c8e29fae4e94411bc3766c907be2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-11 10:16:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lkfr5x7jubnsb3boyoerzprjrej6tshct6xe5fcbdpbxm3eqppra._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0223813f145061b2f72575be4d6dfa4888d41e7c5dd5d64fc577de9cf4b340b2
NetWire
1bb72419895796c3a394f4b55f0c31959c992111803764d8167dcb6c7af3088c
NetWire
22a7c02eac7f7940eba9afa9ca51a179789e22257ffe87cbab02c15360a9fded
NetWire
63c76b6d8a6c83e113d4a72361c8df64d493339fe94503522b3f666b19aacfa2
NetWire
98949b9cd7eb063eb4a2970136d3483b29891bd8c1c2ec6104e45b76f838ddf9
NetWire
99e8dfa23cef1d5d67c765df3de3bc6e750a2d8fa4628a9442d08fc40aaaa656
NetWire
b1c36240effced3001500a115e71328faf0136490f67568ec382ccd97254415e
NetWire
b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c
NetWire
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0
NetWire
e19bcbf0c3ca0fe5e246cede2ef4ee264d0908faf4ca4b39aeb687c443f85f91
NetWire
+ 5'793 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/230111-maal9sbg63/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
212.193.30.230:6063
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0e6c1d94-e950-4ed2-9227-f9bfebd2f34a
Unpacked files
SH256 hash:
8fdbfe82d6673fbcc2bf7e9c0895c82036599e680bf9c83db3b5f1024a0a27c1
MD5 hash:
67ea53d629ba729eec4796e5343e8b39
SHA1 hash:
c9b851c3c269e57deae0c09463001aa165476df2
Link:
https://www.unpac.me/results/116fb00f-9327-4d5d-9ab6-1532f0decdaa/
SH256 hash:
d5718cfc5ded3ac791f539fab3a5559384b2a1694a0dc689f58e98e57bed18aa
MD5 hash:
207f7ee2a146b265261dbb94a29b06a9
SHA1 hash:
c2d0954cd772f6d6e6c020796fe90f3aee4c18bb
Link:
https://www.unpac.me/results/116fb00f-9327-4d5d-9ab6-1532f0decdaa/
SH256 hash:
4a66ba72ecf6bc0d3d5da847e5698c7690a9b29dd18ae343d1eab64f57a6b202
MD5 hash:
f836e0a237254da9d52e5ea9fc9ae14d
SHA1 hash:
a132e0e7cd08f3e0aadbeb0733e7ec79f79dbdce
Detections:
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/116fb00f-9327-4d5d-9ab6-1532f0decdaa/
SH256 hash:
47671e7228459787f800299398fcb760125bd7a9950bf13e82ed868c94674431
MD5 hash:
6f3f16005586d93489853c13dfd6abae
SHA1 hash:
98cf6314fe463440ca8f423bd855a108b01fc752
Detections:
Netwire
Create hunting rule
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/116fb00f-9327-4d5d-9ab6-1532f0decdaa/
Parent samples :
0223813f145061b2f72575be4d6dfa4888d41e7c5dd5d64fc577de9cf4b340b2
5a8b1edfe9a05b20ec2ec3891cbe298913e9c8e29fae4e94411bc3766c907be2
1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e
f81832eab926f0dfe31ac63017cb7f6d8fb933e31f6d8742f94a5cecf012bab1
a0e2fc3dbb2e0862936be3007baa6dc35414282c518fda50e57f0d0f6f98c570
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/116fb00f-9327-4d5d-9ab6-1532f0decdaa/
SH256 hash:
5a8b1edfe9a05b20ec2ec3891cbe298913e9c8e29fae4e94411bc3766c907be2
MD5 hash:
ccc5553d844306dac7d4e112d27b6bf8
SHA1 hash:
4699f3485ba9da714ea346c0aa1db2bb35947dda
Link:
https://www.unpac.me/results/116fb00f-9327-4d5d-9ab6-1532f0decdaa/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5a8b1edfe9a0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a8b1edfe9a05b20ec2ec3891cbe298913e9c8e29fae4e94411bc3766c907be2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/351890/

Comments