MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d3724894277765b2182d26064f7891d58b3f3614f6adaa281a7b673d2b7b071. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d3724894277765b2182d26064f7891d58b3f3614f6adaa281a7b673d2b7b071
SHA3-384 hash: 1b0182a2555ceda4c7a2984b325149d89844d8c77937022e0c961c4f0485eb5f32f63d0140f921b0a7237cdad32754d2
SHA1 hash: 911a39e9f6ddfd3c1c480a88f77714c2baf37adb
MD5 hash: fe34cb07d710d922bda89fc12cc1bcb9
humanhash: three-black-ceiling-five
File name:Fatura.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'257'288 bytes
First seen:2021-02-24 15:05:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f90dcec0e8a4aa224157a453075012d8 (6 x RemcosRAT, 1 x Loki, 1 x NetWire)
ssdeep 24576:wnYO6b38bEngZQ4MS9/PB29Buz15W+FXEy59dA:wnSnSkWXXEy59C
Threatray 365 similar samples on MalwareBazaar
TLSH C44538B2E90A8FE1F52B153DFA0FD6746515BE2E350D54A62EE83B469FAF30134101B2
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: mail0.pawcompany.store
Sending IP: 143.110.221.121
From: MTEC Co Ltd <info@pawcompany.store>
Subject: Re: Fatura
Attachment: Fatura.rar (contains "Fatura.exe")

NetWire RAT C2:
necerfail.ddns.net

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Fatura.exe
Verdict:
Malicious activity
Analysis date:
2021-02-24 22:44:36 UTC
Tags:
rat netwire trojan
Link:
https://app.any.run/tasks/e7480bf2-723e-446a-9331-197f759a241c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.19238.19298.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/618029
Signature
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: NetWire
Sigma detected: Suspicious Program Location Process Starts
Uses dynamic DNS services
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d3724894277765b2182d26064f7891d58b3f3614f6adaa281a7b673d2b7b071/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 15:06:32 UTC
AV detection:
10 of 48 (20.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lu3sjckco53fwimc2jqgj54jdvmlh43bj5vnviubu63hhuvxwbyq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
2f3c9eec055b5c11f8bbd794fde194e68a7c27cad4112d131ae999b953759ac0
NetWire
42808813b67b34a144d03a26fb5a9cf6cd59e185e58d73750585654c09242e5b
NetWire
49551fe3b312425f0a4f946b3a6eb9044bc7b2b7b1665288153295677384509e
NetWire
56a571913ec8c7c4e9c936ac2625f36478147528542a2e291d6ad2cc4a7aab58
NetWire
8546c35ea3d72e58b06dbcdb3d790fe9d39772ec986a2b89c406daab67efe79b
NetWire
85c2475f5bb564338727b25d030019e2ec0f08a9892df26024e45339ef3c0792
NetWire
8e3dd0c0c4913e5eb7de42a42bea5c3ff396542ee47737ed9eeb3b5439e95c6b
NetWire
ca56f164e3387d34ca23f7d609648ce13fb36596ec8bde7608abc8502e4f26cb
NetWire
e6c265d43fd926038d77f0caf1773f93c5d684fb2fce4af1f4474982eb494762
NetWire
f862eb253778c7b1c35349d798736124d7ee97db446217b2e5962fe2431d1e46
NetWire
+ 355 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence stealer
Link:
https://tria.ge/reports/210224-gv5kdba8m6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Netwire
Unpacked files
SH256 hash:
706d20d3ed5a944ad7351b2b1e6510db719e150baf045713dfba5494879cd959
MD5 hash:
5e793005579e35e29886ecd8c19b78bb
SHA1 hash:
688b72e225d35b6a0caf21ccbac0fd580374d2d8
Link:
https://www.unpac.me/results/e2baacce-6a1e-49e4-8040-54d3cb471095/
SH256 hash:
196efb16582184ac7bd01e411136c44087da1a5b363a833796bbad5fe5eab46a
MD5 hash:
15a2515b48c9fd1dd8f9cd56ec7c7890
SHA1 hash:
607a2e90cff55e41aca7fb3a71784a8953657461
Link:
https://www.unpac.me/results/e2baacce-6a1e-49e4-8040-54d3cb471095/
SH256 hash:
5d3724894277765b2182d26064f7891d58b3f3614f6adaa281a7b673d2b7b071
MD5 hash:
fe34cb07d710d922bda89fc12cc1bcb9
SHA1 hash:
911a39e9f6ddfd3c1c480a88f77714c2baf37adb
Link:
https://www.unpac.me/results/e2baacce-6a1e-49e4-8040-54d3cb471095/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_ArtraDownloader2_Aug19_1
Create hunting rule
Author:Florian Roth
Description:Detects ArtraDownloader malware
Reference:https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar 58b61bee34227ad25a7754245493a9790ed147520ed14d3d91d686aba8be699b

NetWire

Executable exe 5d3724894277765b2182d26064f7891d58b3f3614f6adaa281a7b673d2b7b071

(this sample)

  
Dropped by
MD5 5982aed8f0bc7fd0b92acee1adc2ba9c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 58b61bee34227ad25a7754245493a9790ed147520ed14d3d91d686aba8be699b

Comments