MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5df825473da5a98d094c7cb03b8e8cb87936eb6a2dbc009920a4e215d085f71c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5df825473da5a98d094c7cb03b8e8cb87936eb6a2dbc009920a4e215d085f71c
SHA3-384 hash: 1baca09ab11b6cc85f2d7b62a04b5ff6efb7a272d79e9745908cbd1d4f26f8c9d82685852f21c723dfcd0531e617f68f
SHA1 hash: 4bdfa7c370522dec1b21c1e9e05c5be74cf21147
MD5 hash: 4b53dde49dd1f2be76d0ba7790e6fc45
humanhash: lithium-arizona-single-sodium
File name:NV003974844.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:954'368 bytes
First seen:2022-07-05 09:03:29 UTC
Last seen:2022-07-05 10:00:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:DblBePSVM+qCKOdsthVAFuB7qFES1nEuJ6DBlBW8JtAx+IctP6cUBl4PXDlt:/lBZZOOitzAQBspNJGBrxJQ+IkID4
Threatray 3'047 similar samples on MalwareBazaar
TLSH T11315F1407AB5AFB1DE3887F589201050A7FB619A28ADEB2C9EC530CF5734F844964F67
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter lowmal3
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
NV003974844.7z
Verdict:
Malicious activity
Analysis date:
2022-07-05 08:40:10 UTC
Tags:
trojan netwire
Link:
https://app.any.run/tasks/99e71b03-2f00-4472-9031-acf9ecc50b3e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.21920.31645.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit packed
Link:
https://www.filescan.io/uploads/62c3fec1783441cda107fb46/reports/147a8c04-7309-4eb4-85eb-f9ff3ed5e351/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7bbdbf5a-309b-4673-8e8b-6080de171a9e
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1024658
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5df825473da5a98d094c7cb03b8e8cb87936eb6a2dbc009920a4e215d085f71c/
Threat name:
ByteCode-MSIL.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2022-07-05 08:44:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
47
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lx4ckrz5uwuy2ckmpsydxdumxb4tn23kfw6abgjautrbluef64oa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
33a19ea1c739df9fbb3a9f8d81efb67050339afc59e44c611f98ccdd66cc37fa
NetWire
73662d6a7b9efd762e7a7942b2b4c9f0b16b0421875f1a22c8d58034323d4d37
NetWire
a2700363ab4167505a43f933449a4b25a9036f8fae65e46e28b9bb1ce319e9cb
NetWire
a5140fceb2803eef7a1c8081c3428310baaa0dea404ef86e5d2d4a96b80fe538
NetWire
afd47bb332ef06bf7c4f7c4a4470cf5b6e2acb6c4db3b3e6f453ff0dfc4a63f7
NetWire
d60219d448eb46ada30fb1edcba7067602d7f99bdee66d9556ab96706ea33c2d
NetWire
f53a21f7dbd23dbb06174d92ba8c94f9a4296ae1271372c3e5369121aa7a6e62
NetWire
+ 3'037 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/220705-k1l2waheh7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
xman2.duckdns.org:4433
Unpacked files
SH256 hash:
c2d2d239c67fb6fd84228b2e12476e577935501e759ba243c7cf3989426b3527
MD5 hash:
ae8c11a2489a019b2dafbf1f9a3f8737
SHA1 hash:
748e6dea8723485108664db4ebe84ee949e8e8e6
Detections:
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/641bc529-8788-41f2-8457-7b1d98337810/
Parent samples :
33a19ea1c739df9fbb3a9f8d81efb67050339afc59e44c611f98ccdd66cc37fa
5df825473da5a98d094c7cb03b8e8cb87936eb6a2dbc009920a4e215d085f71c
SH256 hash:
98369be26e1b65d30560c8365d04c25eca6445b9ea5f541a0fff7103a6eda0bc
MD5 hash:
79036cb1c04f3acd4540c580e72e5e94
SHA1 hash:
08f1488bc7d03e7d5b4ea18582a320aac9eeffa8
Link:
https://www.unpac.me/results/641bc529-8788-41f2-8457-7b1d98337810/
SH256 hash:
fb7b2910d440e17d1464dc029c5de11d22a3996d0d9eb816aff45e8ef74a9f78
MD5 hash:
a135b8d731aaf0afd725a2b2f7c71a7a
SHA1 hash:
d1db203974aa6eb0d0fdf92f0f200029cfde6fbc
Link:
https://www.unpac.me/results/641bc529-8788-41f2-8457-7b1d98337810/
SH256 hash:
70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash:
30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash:
94f9742d5f21b13f7d8d194fe938193cbb6a0d4d
Link:
https://www.unpac.me/results/641bc529-8788-41f2-8457-7b1d98337810/
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
Link:
https://www.unpac.me/results/641bc529-8788-41f2-8457-7b1d98337810/
SH256 hash:
5df825473da5a98d094c7cb03b8e8cb87936eb6a2dbc009920a4e215d085f71c
MD5 hash:
4b53dde49dd1f2be76d0ba7790e6fc45
SHA1 hash:
4bdfa7c370522dec1b21c1e9e05c5be74cf21147
Link:
https://www.unpac.me/results/641bc529-8788-41f2-8457-7b1d98337810/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5df825473da5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe 5df825473da5a98d094c7cb03b8e8cb87936eb6a2dbc009920a4e215d085f71c

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments