MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6556bd37ac00c8f0572f458828376e56469268fb5e1e38a60569148f54123612. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6556bd37ac00c8f0572f458828376e56469268fb5e1e38a60569148f54123612
SHA3-384 hash: 229f6a171ca66a9da0bb6d2f398007e1b3df4f8341d9562807fa8f269da52e605a8efb873d4036a4f359a7d74786d0d0
SHA1 hash: 4235f6557db5ce08cea24b94010221d41e4f1c28
MD5 hash: 9bb6cce68d6a41391864f4749d5603f3
humanhash: crazy-montana-network-muppet
File name:20220421_NEWPURCHASE_ORDER.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:705'536 bytes
First seen:2022-04-22 08:17:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:SzvVliPFrR5OwwxRnhoFvvW5PFK/f6C6r6u0tqtIFrIq0:SzqPh2wwrhoEFK/iC6GujtI2j
Threatray 900 similar samples on MalwareBazaar
TLSH T1E2E4E06DEA58A633C2EB0FFCD2E3924446AC5FE16950D3556D903FCE3C33B846861A16
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 48d4f4f0f0f0d8c0 (37 x RedLineStealer, 18 x AgentTesla, 9 x SnakeKeylogger)
Reporter pr0xylife
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
367
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/265661/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed pos
Link:
https://www.filescan.io/uploads/626264bc482f2f41cae724c6/reports/b80cb472-2a71-4e78-bcc6-37ba282c2578/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6796fdd2-79ac-48fa-a009-01f550426cdc
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/981203
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6556bd37ac00c8f0572f458828376e56469268fb5e1e38a60569148f54123612/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-21 17:55:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
16 of 42 (38.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mvll2n5madepavzpiwecqn3okzdje2h3lypdrjqfneki6vasgyja._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
2af61f931dc2506cad5886bd31c8d30a5964ac35ad143ffe25c23e862c46855c
NetWire
3cc9ec44e7516c0db0a27794c540fcc5a0c6d322821debaee8bd4d0a1231b4df
NetWire
abcdd8e778aa71065141457f413012aca2a8d404e498aa15ee49332d0f33dc58
NetWire
d2920f24362916812453b6d19427ad8cb8f127ebd07f993d30d26f2ed602be9e
NetWire
da91ebb2535be02b6cf046e0c03dbfc8e917794a997332d1c0d5cd134a476581
NetWire
e93e184bdd79942741080f43ec59940240a63961ae3c0e4eb0c63bf2886254d8
NetWire
+ 890 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/220422-j69vfsbee5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
uhie.hopto.org:3994
uhie.hopto.org:3918
Unpacked files
SH256 hash:
eff00e2e3610bb0c7c9e6cf26692de5d3156075250e819f995646095981a33b4
MD5 hash:
81df083fbb69790be0cf93b19890557a
SHA1 hash:
8f5c1f97b22a30de1c0b073dedc07857d6cf71d0
Link:
https://www.unpac.me/results/c29fc914-f3a4-4502-a50a-4108d1bbd1cb/
SH256 hash:
ef058d0a23b36683b62d8331a6c43c2356bede56fdbe3587ba5b6889f344a67e
MD5 hash:
b41d180b984cffb701dc35d732f53494
SHA1 hash:
86a8c95cfabccfb57ca2e4520122d165776dee20
Link:
https://www.unpac.me/results/c29fc914-f3a4-4502-a50a-4108d1bbd1cb/
SH256 hash:
6c0d434df95f00ab1db4e9fbf31cd998745bb1b2e9c354bae88a502bcb5e55ec
MD5 hash:
8250a97e782cb9703d468eba6ef36a6e
SHA1 hash:
346a212b3895d8900fb74cf2db45e002092573c6
Detections:
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/c29fc914-f3a4-4502-a50a-4108d1bbd1cb/
SH256 hash:
43ff066583cf1cc3de7bf3221583d3cd09ee96fac2c42b0445bd984fdafa0e7d
MD5 hash:
0602d4ba03cc0dd988b3043a528dd0b3
SHA1 hash:
1dd36e15bcd46c9398df16cf8ffd387562938be1
Link:
https://www.unpac.me/results/c29fc914-f3a4-4502-a50a-4108d1bbd1cb/
SH256 hash:
6556bd37ac00c8f0572f458828376e56469268fb5e1e38a60569148f54123612
MD5 hash:
9bb6cce68d6a41391864f4749d5603f3
SHA1 hash:
4235f6557db5ce08cea24b94010221d41e4f1c28
Link:
https://www.unpac.me/results/c29fc914-f3a4-4502-a50a-4108d1bbd1cb/
Malware family:
NetWiredRC
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6556bd37ac00/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6556bd37ac00c8f0572f458828376e56469268fb5e1e38a60569148f54123612

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/265661/

Comments