MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d9d8df653e49a9bda60668f00988aa638e3825b8c4153363f689422a8396e3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 11

SHA256 hash: 5d9d8df653e49a9bda60668f00988aa638e3825b8c4153363f689422a8396e3b
SHA3-384 hash: dd0c373294f75a5ae8fc6d4acb9a96eeccf0e93c641eaa70b6652c0b5f30812d0831882260b708bf683e984b60e62e50
SHA1 hash: 0084f875ae3dfecfecd0d3472e6a51450711538f
MD5 hash: 3f91db4ca7928f8b60d4ed299d1ea9ec
humanhash: august-uniform-oxygen-charlie
File name: DOCUMENT.EXE
Signature: NetWire
File size: 566'296 bytes
First seen: 2021-05-14 05:50:38 UTC
Last seen: 2021-05-14 10:52:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: da84464fb1fefd0829e366a614c59044 (2 x RemcosRAT, 1 x NetWire, 1 x Formbook)
ssdeep: 6144:pc/Z6uWRs695nvBqHMbeqMBgLh06/yz0Utp2G0kyq73bCGU9hZ5iTCcFs:m/Z6Ls6TrMKt060cGn17r6nIF
Threatray: 725 similar samples on MalwareBazaar
TLSH: 7FC48DF6E2A00472D66F5E788C0B7A70A8377E612E9914B516F87C889F357C22D0758F
Reporter: cocaman
Tags: DHL exe NetWire signed

Code Signing Certificate

Organisation: DDDDDDDDDDFFFFFFFFFF
Issuer: DDDDDDDDDDFFFFFFFFFF
Algorithm: sha1WithRSA
Valid from: 2021-05-13T07:57:25Z
Valid to: 2039-12-31T23:59:59Z
Serial number: -529a144440ce9c4abeb683cc510aeb77
Thumbprint Algorithm: SHA256
Thumbprint: e61eb7784f078220f6539a26cb546b771efb076b3bb228bbe0557d7842b3f86f
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 5
# of downloads: 366
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: DOCUMENT.EXE
Verdict: Malicious activity
Analysis date: 2021-05-14 05:54:54 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Sending a UDP request
Deleting a recently created file
Launching a process
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: NetWire
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph (details recovered from the graph image):
Behavior Graph ID: 413990
Sample: DOCUMENT.EXE; Start date: 14/05/2021; Architecture: WINDOWS; Score: 100
Processes started: DOCUMENT.EXE; Akmeii.exe (started twice); dialer.exe (child of Akmeii.exe); mshta.exe (child of DOCUMENT.EXE); logagent.exe (child of Akmeii.exe)
Dropped file: C:\Users\Public\Akmeii\Akmeii.exe (PE32, dropped by DOCUMENT.EXE)
Contacted domains and IPs: legend.casacam.net; v0el2a.am.files.1drv.com; onedrive.live.com; dm-files.fe.1drv.com; legend23.ddns.net; legend21.ddns.net (185.157.162.238, ports 49743, 49744, 49745, OBE-EUROPE Obenetwork Europe SE, Sweden); further IPs or domains not named in the graph
Signatures shown in the graph: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected NetWire RAT; Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes; Contains functionality to log keystrokes; Contains functionality to steal Internet Explorer form passwords; Contains functionality to steal Chrome passwords or cookies; 3 other signatures
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2021-05-14 05:51:08 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 22 of 47 (46.81%)
Threat level: 5/5
Result
Malware family: netwire
Score: 10/10
Tags: family:modiloader family:netwire botnet persistence stealer trojan
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader, DBatLoader
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_DLAgent07
Author: ditekSHen
Description: Detects delf downloader agent

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam

NetWire: Executable exe 5d9d8df653e49a9bda60668f00988aa638e3825b8c4153363f689422a8396e3b (this sample)

Comments



accidentalrebel commented on 2021-05-14 06:03:43 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
2) [F0002.002] Collection::Polling
4) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0051] File System Micro-objective::Read File
7) [C0052] File System Micro-objective::Writes File
8) [C0007] Memory Micro-objective::Allocate Memory
9) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
10) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
11) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
12) [C0038] Process Micro-objective::Create Thread
13) [C0041] Process Micro-objective::Set Thread Local Storage Value
14) [C0018] Process Micro-objective::Terminate Process