MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b3cc30719578d96ef64e9341e00eedb05512ee9692b2eff924aabc54e7a16e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetWire


Vendor detections: 8



SHA256 hash: 5b3cc30719578d96ef64e9341e00eedb05512ee9692b2eff924aabc54e7a16e4
SHA3-384 hash: b66a0ccadb75dfb86de3b6e97c3f50f74747f5d555e5f903b4acff64793f9051de242d3a9389474c4fe375ade57f07bd
SHA1 hash: 0e959367e7a15ab7ffbc32802089d6dcec563faa
MD5 hash: a5d908a447a9bf00dd0ef8750a00721e
humanhash: winner-louisiana-ack-kentucky
File name: RFQ BONATTI 18000229 IQ1201 WO 210000102767.exe
Signature: NetWire
File size: 813'568 bytes
First seen: 2020-08-13 11:10:33 UTC
Last seen: 2020-08-13 12:24:32 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: bd9a6764235778d7fabb327e5e20a560 (8 x AgentTesla, 6 x Loki, 2 x NetWire)
ssdeep: 12288:Nmp9XVk3rNq8srw+ZdKSsWItO8n+D0s+rIJLSCb2eQgdHkPn1jhG8:alQNqHMWKKcAFrJeRoobG8
Threatray: 1'738 similar samples on MalwareBazaar
TLSH: D8057DE2E2E3743AD137197D9C2B77649C25BE1129247B862BE4394C5E392F1382F193
Reporter: abuse_ch
Tags: exe NetWire


abuse_ch
Malspam distributing unidentified malware:

HELO: smtp.kosmoindustries.com
Sending IP: 23.231.65.32
From: Bonatti International Company <order@kosmoindustries.com>
Reply-To: Bonatti International Company <logspass007@gmail.com>
Subject: RFQ BONATTI 18000229 IQ1201 WO 210000102767
Attachment: RFQ BONATTI 12.08.2020.zip (contains "RFQ BONATTI 18000229 IQ1201 WO 210000102767.exe")
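The header pattern reported above (a "Bonatti" display name on an unrelated sender domain, a Reply-To redirected to a Gmail address, and a zip attachment wrapping an .exe) is mechanically checkable at the mail gateway. The block below is an added example, not MalwareBazaar's or abuse_ch's code: it constructs a message that mirrors the reported From, Reply-To, Subject and attachment name (the zip member holds placeholder bytes, not the sample; the recipient, body text, free-webmail list and executable-extension list are assumptions) and scores it with three heuristics.

```python
"""Triage heuristics for the malspam pattern reported in this entry.
Added example, not MalwareBazaar or abuse_ch code. The message is constructed
to mirror the reported headers; the attachment is a placeholder, not the sample."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: a short list of free webmail providers commonly used for Reply-To diversion.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Assumption: extensions treated as executable when found inside an archive.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".js", ".vbs", ".bat", ".cmd")


def build_sample_message() -> bytes:
    """Constructed message with the From/Reply-To/Subject/attachment reported by abuse_ch.
    The zip member carries placeholder bytes, NOT the NetWire sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("RFQ BONATTI 18000229 IQ1201 WO 210000102767.exe", b"MZ placeholder")
    msg = EmailMessage()
    msg["From"] = "Bonatti International Company <order@kosmoindustries.com>"
    msg["Reply-To"] = "Bonatti International Company <logspass007@gmail.com>"
    msg["To"] = "recipient@example.com"  # assumption: the page does not give the recipient
    msg["Subject"] = "RFQ BONATTI 18000229 IQ1201 WO 210000102767"
    msg.set_content("Please find attached our request for quotation.")  # constructed body
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="RFQ BONATTI 12.08.2020.zip")
    return bytes(msg)


def domain_of(header_value) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def archived_executables(msg) -> list:
    """Member names with an executable extension inside any zip attachment."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                found.extend(m for m in zf.namelist() if m.lower().endswith(EXECUTABLE_EXT))
        except zipfile.BadZipFile:
            found.append(f"{name} (unreadable zip)")  # a malformed archive also deserves a look
    return found


def triage(raw: bytes) -> dict:
    """Return the heuristic findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = str(msg.get("From", ""))
    from_dom = domain_of(sender)
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    findings = []
    # 1. Reply-To diverts replies away from the apparent sender domain.
    if reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
        if reply_dom in FREE_WEBMAIL:
            findings.append(f"reply-to uses free webmail ({reply_dom})")
    # 2. Display name claims a brand that does not appear in the sending domain.
    display_name = parseaddr(sender)[0]
    brand = display_name.split()[0].lower() if display_name else ""
    if brand and brand not in from_dom:
        findings.append(f"display name claims '{brand}' but sender domain is {from_dom}")
    # 3. Archive attachment wraps an executable.
    exes = archived_executables(msg)
    if exes:
        findings.append("zip attachment contains executable: " + ", ".join(exes))
    return {"score": len(findings), "findings": findings}


if __name__ == "__main__":
    for line in triage(build_sample_message())["findings"]:
        print("-", line)
```

Run against the constructed message, all three heuristics fire (the Reply-To rule twice, once for the domain mismatch and once for the webmail hit), which is the kind of multi-signal score that justifies quarantining an RFQ-themed message before anyone opens the archive.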

Intelligence


File Origin
# of uploads: 2
# of downloads: 297
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Deleting a recently created file
Replacing files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
NetWire
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph (ID 265595; sample: RFQ BONATTI 18000229 IQ1201 WO 210000102767.exe; start date: 14/08/2020; architecture: WINDOWS; score: 100)
Sample-level signatures: Yara detected NetWire RAT; Sigma detected: Drops script at startup location; Machine Learning detection for sample; Contains functionality to detect sleep reduction / modifications
Process tree recovered from the graph (per-process signatures in parentheses; dropped files marked "drops"):

RFQ BONATTI 18000229 IQ1201 WO 210000102767.exe (Writes to foreign memory regions; Allocates memory in foreign processes; Queues an APC in another process (thread injection))
  notepad.exe (Creates files in alternative data streams (ADS); Drops VBS files to the startup folder)
    drops C:\...\Notepadlite14.exe:Zone.Identifier (ASCII)
    Notepadlite14.exe (Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to log keystrokes; 5 other signatures)
      Notepadlite14.exe
        notepadLite.exe (Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Contains functionality to detect sleep reduction / modifications)
          notepad.exe
            Notepadlite14.exe (Maps a DLL or memory area into another process)
              Notepadlite14.exe
                notepadLite.exe (Writes to foreign memory regions; Allocates memory in foreign processes)
                  notepad.exe
                    drops C:\Users\user\AppData\...\Notepadlite14.exe (PE32)
wscript.exe
  Notepadlite14.exe (Maps a DLL or memory area into another process)
    Notepadlite14.exe
      notepadLite.exe (Writes to foreign memory regions; Allocates memory in foreign processes)
        notepad.exe
          Notepadlite14.exe (Maps a DLL or memory area into another process)
            Notepadlite14.exe
              notepadLite.exe (Writes to foreign memory regions; Allocates memory in foreign processes)
                notepad.exe
Threat name:
Win32.Backdoor.NanoCore
Status:
Malicious
First seen:
2020-08-13 11:12:10 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
5/5
Result
Malware family:
netwire
Score:
10/10
Tags:
rat botnet stealer family:netwire
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Please note that we are no longer able to provide a coverage score for VirusTotal.
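The sandbox behaviours listed above (thread/APC injection into a notepad.exe the sample itself spawned, a VBS dropped into the Startup folder, a Zone.Identifier stream written onto the dropped Notepadlite14.exe, and wscript.exe relaunching that payload from %AppData%) map onto a small set of endpoint detection rules. The block below is an added example, not MalwareBazaar, sandbox-vendor or Sigma project code: it runs four such rules over constructed Sysmon-style records that follow the behaviour graph. The Downloads location of the sample, the Roaming subfolder, the .vbs file name and the csrss.exe control event are assumptions; the page elides the full paths and does not name the script.

```python
"""Detection logic for the endpoint behaviours this entry's sandbox reports.
Added example, not MalwareBazaar or Sigma code. SAMPLE_EVENTS are constructed
Sysmon-style records mirroring the behaviour graph; full paths, the Roaming
subfolder and the .vbs file name are assumptions (the page elides them)."""
import re

STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)$", re.I)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD: the minimum needed to
# write and run code in another process (hollowing, APC injection).
INJECT_MASK = 0x0008 | 0x0020 | 0x0002

SAMPLE = r"C:\Users\user\Downloads\RFQ BONATTI 18000229 IQ1201 WO 210000102767.exe"  # location assumed
NOTEPAD = r"C:\Windows\System32\notepad.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
EXPLORER = r"C:\Windows\explorer.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\Notepadlite14.exe"  # page shows AppData\...; Roaming assumed
STARTUP_VBS = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepadlite14.vbs"  # name assumed

SAMPLE_EVENTS = [  # constructed, in the order the behaviour graph shows
    {"event": "ProcessCreate", "Image": SAMPLE, "ParentImage": EXPLORER},
    {"event": "ProcessCreate", "Image": NOTEPAD, "ParentImage": SAMPLE},
    # control: a system process taking a limited-rights handle must not fire
    {"event": "ProcessAccess", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": NOTEPAD, "GrantedAccess": "0x1000"},
    {"event": "ProcessAccess", "SourceImage": SAMPLE, "TargetImage": NOTEPAD, "GrantedAccess": "0x1FFFFF"},
    {"event": "FileCreate", "Image": NOTEPAD, "TargetFilename": DROPPED},
    {"event": "FileCreate", "Image": NOTEPAD, "TargetFilename": DROPPED + ":Zone.Identifier"},
    {"event": "FileCreate", "Image": NOTEPAD, "TargetFilename": STARTUP_VBS},
    {"event": "ProcessCreate", "Image": WSCRIPT, "ParentImage": EXPLORER},
    {"event": "ProcessCreate", "Image": DROPPED, "ParentImage": WSCRIPT},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Run four behaviour rules over ordered events; returns (rule, detail) tuples."""
    hits = []
    created_by = {}   # image -> parent image, to spot injection into a process the source just spawned
    injected = set()  # images that received an injection-capable handle
    for ev in events:
        kind = ev["event"]
        if kind == "ProcessCreate":
            image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
            created_by[image] = parent
            # Page: wscript.exe starting Notepadlite14.exe out of %AppData% at logon.
            if basename(parent) in SCRIPT_HOSTS and USER_WRITABLE.search(image):
                hits.append(("script_host_launches_userwritable_exe", ev["Image"]))
        elif kind == "FileCreate":
            target = ev["TargetFilename"]
            # Page: "Drops VBS files to the startup folder" (Sigma: drops script at startup location).
            if STARTUP_DIR.search(target) and SCRIPT_EXT.search(target):
                hits.append(("script_dropped_in_startup", target))
            # Page: the hollowed notepad.exe writes the payload, its Zone.Identifier ADS and the VBS.
            if ev["Image"].lower() in injected:
                hits.append(("injected_process_writes_file", target))
        elif kind == "ProcessAccess":
            src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
            granted = int(ev["GrantedAccess"], 16)
            # Page: "Unauthorized injection to a recently created process" / process hollowing.
            if src != tgt and (granted & INJECT_MASK) == INJECT_MASK and created_by.get(tgt) == src:
                injected.add(tgt)
                hits.append(("injection_into_own_child", f"{basename(src)} -> {basename(tgt)}"))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} {detail}")
```

The injection rule keys on the parent/child relationship rather than on notepad.exe by name, so it also catches hollowing into any other freshly spawned host; the follow-on rule then treats every file the injected process writes as suspect, which is what surfaces the dropped PE, its ADS and the startup script as one incident rather than three unrelated alerts.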

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: NetWire, Executable exe 5b3cc30719578d96ef64e9341e00eedb05512ee9692b2eff924aabc54e7a16e4 (this sample)

Delivery method: Distributed via e-mail attachment

Comments