MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b4962b939b67929dcb5b0c5a90b75e617f9af630271d710a21ccbe0d7738e05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b4962b939b67929dcb5b0c5a90b75e617f9af630271d710a21ccbe0d7738e05
SHA3-384 hash: b9dee76b79f5356561eded94cead66e1957d14125b94c405c047d9b58d5a1a8c3e78be5cd0c385e37c9e5080e7d1d5d2
SHA1 hash: a8dd1348c866219ea5357bc3919c9885184949ba
MD5 hash: 51e38c5c7a3a24dd8092f94d915de981
humanhash: black-crazy-music-robert
File name:51E38C5C7A3A24DD8092F94D915DE981.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:6'656 bytes
First seen:2021-07-22 23:40:57 UTC
Last seen:2021-07-23 00:54:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 96:7qCecXKXi8xkHjhPp2TI6ySSVmrDDnpJCwJvwWzWVG1Oe:7q8Ky8xYBpcIbuJNv7
Threatray 489 similar samples on MalwareBazaar
TLSH T15DD17736A7E847B5FDF60B31ADB62241077AFA04DD23EB6E9884620E5D222144B61B35
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
74.201.28.67:3021

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
74.201.28.67:3021 https://threatfox.abuse.ch/ioc/162209/

Intelligence

File Origin
# of uploads :
2
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
51E38C5C7A3A24DD8092F94D915DE981.exe
Verdict:
Malicious activity
Analysis date:
2021-07-22 23:43:17 UTC
Tags:
trojan rat netwire loader
Link:
https://app.any.run/tasks/511dce85-5c1b-4f52-8882-4b67987584f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173453/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37261574.14320.4331.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc4f1808-e41a-4f9c-8ce3-e1289174dd9a
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820463
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b4962b939b67929dcb5b0c5a90b75e617f9af630271d710a21ccbe0d7738e05/
Threat name:
ByteCode-MSIL.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 00:40:09 UTC
AV detection:
8 of 28 (28.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lnewfojzwz4stxfvwdc2sc3v4yl7tl3dajy5oefcdtf6bv3trycq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
3b8dd3bc950e31064f5fe058ed3e8c25f082bef1f42e1426760cc6f8fef14821
NetWire
5741d60ead4ec57c71e274d23d6a4550650e54edf7613a180de90749a0c651ca
NetWire
5b3cc30719578d96ef64e9341e00eedb05512ee9692b2eff924aabc54e7a16e4
NetWire
608ec84d6c6d1b552b0c77210475ead69a437d02cc688d60e798cf530c02897e
NetWire
797a9a105652922546340d44d623196f8f5d22410011156a710bdf4f239a3d40
NetWire
7e12867c3e8353fc4175b559bbf654ccce1b253204fd7c5c0e2a72b56026ca32
NetWire
a40c51565228f1fef2028b90fd49051372828871d8eeb5df19e5d8049c977ed2
NetWire
c6e42b6b5328ea35302559a7cb8b3849e3b9a646648a9be0a505ae8c2aa5490c
NetWire
d98e919482d344212e9e79e1154ee7015bba50d90107fe122a59cae38484eb84
NetWire
f6262c14a5f6c845a95cab29a6e1e2a662d5df47499935c1f050d908ee01db90
NetWire
+ 479 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210722-bvtst1a3ka/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
finerthings.duckdns.org:3021
Unpacked files
SH256 hash:
5b4962b939b67929dcb5b0c5a90b75e617f9af630271d710a21ccbe0d7738e05
MD5 hash:
51e38c5c7a3a24dd8092f94d915de981
SHA1 hash:
a8dd1348c866219ea5357bc3919c9885184949ba
Link:
https://www.unpac.me/results/ec65ccc7-2119-4b75-bd39-f12b4f41ca9a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b4962b939b67929dcb5b0c5a90b75e617f9af630271d710a21ccbe0d7738e05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173453/

Comments