MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5eb158bf47ebe6172da19eff3f5924634a91a4e10186b352ada8b027e1c3c527. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5eb158bf47ebe6172da19eff3f5924634a91a4e10186b352ada8b027e1c3c527
SHA3-384 hash: 854203e4861fdb5e160d5795d065255267438468ff94a92191e89768991c3bec3f230d68bfb7246ecf5772066d47879d
SHA1 hash: e84a6ebb8e629d1a01bc4d40484b2213d1372cee
MD5 hash: 9d73b9b92913e8e944b5117247e1b012
humanhash: golf-social-wisconsin-gee
File name:wheatstagnet.png.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:57'344 bytes
First seen:2020-09-18 15:18:54 UTC
Last seen:2020-09-18 15:41:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 49c418e16dd988570ec7297406512c8f (1 x NetWire)
ssdeep 768:Ocpe4Odrda1+1B+SHc6AEkYD/yk96vgpoIZ/v3z4mJY:H/Odrdgm6O/yehpvjg
Threatray 1'537 similar samples on MalwareBazaar
TLSH AC439D16F81949F2FA514BBA09851FB001EFBC244106DC067AD8BB2F7F7D7019AA972D
Reporter James_inthe_box
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Variant.Razy.752499.13742.13754.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
NetWire GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/470071
Signature
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: NetWire
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 287466 Sample: wheatstagnet.png.exe Startdate: 18/09/2020 Architecture: WINDOWS Score: 100 43 Multi AV Scanner detection for domain / URL 2->43 45 Potential malicious icon found 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 6 other signatures 2->49 8 wheatstagnet.png.exe 2->8         started        11 chrome.exe 2->11         started        13 chrome.exe 2->13         started        process3 signatures4 51 Tries to detect Any.run 8->51 53 Hides threads from debuggers 8->53 15 wheatstagnet.png.exe 9 8->15         started        20 chrome.exe 6 11->20         started        22 chrome.exe 6 13->22         started        process5 dnsIp6 37 bzpip.xyz 213.188.29.200, 49723, 49727, 49737 TDCTDCASDK Norway 15->37 31 C:\Users\user\AppData\Roaming\...\chrome.exe, PE32 15->31 dropped 39 Tries to detect Any.run 15->39 41 Hides threads from debuggers 15->41 24 chrome.exe 15->24         started        file7 signatures8 process9 signatures10 55 Multi AV Scanner detection for dropped file 24->55 57 Machine Learning detection for dropped file 24->57 59 Tries to detect Any.run 24->59 61 Hides threads from debuggers 24->61 27 chrome.exe 3 6 24->27         started        process11 dnsIp12 33 bzpip.xyz 27->33 35 stada.cc 23.106.122.153, 3621, 49728 LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG Singapore 27->35 63 Tries to detect Any.run 27->63 65 Hides threads from debuggers 27->65 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5eb158bf47ebe6172da19eff3f5924634a91a4e10186b352ada8b027e1c3c527/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-09-18 13:24:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l2yvrp2h5ptbolnbt37t6wjemnfjdjhbagdlguvnvcycpyodyutq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
guloader
Create hunting rule
Similar samples:
1d117728ec260d80f6c6a347c4c32c965c69ff10bd4f08444fc70e82eebb1094
NetWire
404655117f92200c14e7c2aa641f27337e18bf8d148e73bbc5d7d37b73b7fc28
NetWire
4a3e5ec3cb8e7de4807f8ab6684291a02eea7a64c76f0e32df1b0a0bb17c047c
NetWire
4dc38cd2854259162ce68bb83f6ce11a755aa96aeba2134cdd18fd69720bece0
NetWire
60c2a6a0bc12f4b6fd4ecb473d5de3d9de561ee3125055dbbf2d8ff12bb83f60
NetWire
60ccdec92b23413b1b5391cb9923931e5b151f0f5877f1f90d730f0fede5f365
NetWire
68f66dd88b1a69a8ff2e63cca5e4554e1b147ccd2474d356b60a749c21412fd4
NetWire
7d53275640b52b08bb54259f6bc85edad2dfe30b6b5f9cea9ddc8d7469d97cd8
NetWire
98af60250a9e0cedaa66f04fe39c412bd0007855255547df68f5da46686c9ced
NetWire
9e6cf2b57d1e96bced0f7742e883a8fdf94847fcf3344ae55f05324b59fde328
NetWire
+ 1'527 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
persistence botnet stealer family:netwire
Link:
https://tria.ge/reports/200918-y2y8kdlgh6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5eb158bf47ebe6172da19eff3f5924634a91a4e10186b352ada8b027e1c3c527

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/63479/
  
URLhaus
https://urlhaus.abuse.ch/url/556747/

Comments