MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6758299aa38548e854ba372cea8a99d20578059a34d2572d3d4fc8bc76362186. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 15

Intelligence 15 IOCs YARA 14 File information Comments

SHA256 hash:	6758299aa38548e854ba372cea8a99d20578059a34d2572d3d4fc8bc76362186
SHA3-384 hash:	c62ebbb8093b484fbb049c5b11c67fc20c645c25f13ba058bb582d4d1880d11d4f3cf203b2153caeb6d9bd4030986a1c
SHA1 hash:	a64e165ab3a61a15ea4626f18d44b05bacd703b2
MD5 hash:	2f3c785c61316024dfd1d11eafefedc6
humanhash:	artist-thirteen-low-triple
File name:	6758299aa38548e854ba372cea8a99d20578059a34d2572d3d4fc8bc76362186
Download:	download sample
Signature	NetWire Create hunting rule
File size:	1'389'632 bytes
First seen:	2022-03-23 08:05:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWYz:8u0c++OCvkGs9Fa+rd1f26RaYz
Threatray	9'105 similar samples on MalwareBazaar
TLSH	T17355BF52E39EC2F0DE165172BA7DF71A2F3F3C254530B956AFC52D3AAD21021112DAA3
File icon (PE):
dhash icon	c4c0ccc8ccf4d4fc (23 x NetWire, 14 x AveMariaRAT, 11 x Formbook)
Reporter	JAMESWT_WT
Tags:	exe NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

243

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RDPWrap

Link:

https://www.capesandbox.com/analysis/255450/

Detection(s):

Win.Trojan.Ulise-7135679-1

Win.Malware.Ulise-9940505-0

Win.Malware.Razy-6703914-0

SecuriteInfo.com.BehavesLike.Win32.Generic.vh.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Creating a process from a recently created file

Creating a file in the %AppData% subdirectories

DNS request

Unauthorized injection to a recently created process

Launching a process

Creating a process with a hidden window

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/10731/overview

Behaviour

MalwareBazaar

CheckNumberOfProcessor

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

autoit control.exe expand.exe greyware hacktool keylogger netwire overlay shell32.dll

Link:

https://www.filescan.io/uploads/623ad508dfdfa8501cd21077/reports/b3e70c7b-479b-496e-b2e7-427db6c0009d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Result

Threat name:

AveMaria NetWire UACMe

Detection:

malicious

Classification:

phis.troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/962751

Behaviour

Behavior Graph:

n/a

Detection:

netwire

Link:

https://mwdb.cert.pl/sample/6758299aa38548e854ba372cea8a99d20578059a34d2572d3d4fc8bc76362186/

Threat name:

Win32.Trojan.NetWired

Status:

Malicious

First seen:

2022-03-13 16:35:50 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

35 of 42 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m5mctgvdqveoqvf2g4wovcuz2icxqbm2gtjfolj5j7ely5rwegda._file

Verdict:

malicious

Label(s):

avemaria

netwirerc

NetWire

623ae88bce9d510aafbbeb7a65d3eb39510b563231e0e22108fe04c77be90a29

NetWire

7c1b5c0d17c9cccf560f4dc6f07809a28b4908e505817984d6eb17da80be34d4

NetWire

912350f695617227e3644f49e97c597c83f2f53363251802245cad33c7466d16

NetWire

a0fb1b78653306e1f6e110457fa3e9723c8a43e5b236a1b880b1724ab07bf415

NetWire

a665187e18e7f9666da6e401c3c09093db2a404912f3e69984fc39bd6ee1cd90

NetWire

d264787c86170b5704f7ca06c65df5f8f6007699bc8e8a76ff06af2cb2c562f6

NetWire

+ 9'095 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:netwire family:warzonerat botnet infostealer rat stealer

Link:

https://tria.ge/reports/220323-jzgv4aedcn/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

AutoIT Executable

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Warzone RAT Payload

NetWire RAT payload

Netwire

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

wealth.warzonedns.com:5202

Unpacked files

SH256 hash:

1b99a30b68e89c3070ccd76b665438b3b4b28f32528366e4244b4d00b245328f

MD5 hash:

8a1140353644d539b9ee609c235e4bb0

SHA1 hash:

caaeecbcafb7b857c2f771b4f38295bae85751b6

Link:

https://www.unpac.me/results/2efdb450-5e7c-453f-ba4a-16aed225ce60/

SH256 hash:

6e153cfbc21319ca200a135e4dd3a658673ec3118441105fbccc6419c92b5f80

MD5 hash:

15a31f1af27c3bf5288dd0409f7b3b2b

SHA1 hash:

7fa036a5b24a746da91cae7f87042ffce01e802c

Link:

https://www.unpac.me/results/2efdb450-5e7c-453f-ba4a-16aed225ce60/

SH256 hash:

fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c

MD5 hash:

6b906764a35508a7fd266cdd512e46b1

SHA1 hash:

2a943b5868de4facf52d4f4c1b63f83eacd882a2

Link:

https://www.unpac.me/results/2efdb450-5e7c-453f-ba4a-16aed225ce60/

SH256 hash:

4157d266ee4d606c42ca19d42a363744db82f056cc20721642240cc91fa6870e

MD5 hash:

e6359328349527d84d8a02bf1f937d80

SHA1 hash:

f02c501584647d65f12371bcd086722642664f5b

Detections:

win_netwire_g1

win_netwire_auto

Link:

https://www.unpac.me/results/2efdb450-5e7c-453f-ba4a-16aed225ce60/

Parent samples :

2a2c98c65ef497baf7ebfa7ecca3b177869eaa2f73a9dc9b438990fa9e42250e
34b6799a600ee5174594a4a2d047bc8dbe7b667ced9de8d452d78431b6b075ca
a665187e18e7f9666da6e401c3c09093db2a404912f3e69984fc39bd6ee1cd90
ab3f6d53c07cb9b2a7f20569090b72e3ef405e8b9376268793857b98c3715b5d
14b430ff66208cf2afc283b6242e845793a00d8b577dda3efa34fc43ab441bd7
38f3b0091a63de45d06e5d073684a9ac020dd9963f2cde74dffc00d7ede040cc
623ae88bce9d510aafbbeb7a65d3eb39510b563231e0e22108fe04c77be90a29
d8ce9d7bb93911413a8dae7b85dbd7ba085a87900dcbc5087e1719da40bb4448
56439f2c3a02075273e7ec8cad208e231d9576bf4f9dce25905d18a888b3b92e
bbaa3341664b5cad875b8510d3382594a4027345c520e998e41c3fdf78309d91
52e2b49e0f984106767e959a30fd5af4a0ae8b8589660123a3ade4692d43ebd2
ad8f61066e79e711cf2d4f56522d4dd2383a3ca39ef89eba8ab2f9467ce0aced
1e291af24e96233dace8b196896a6b9c6dd185ab98f40d5869483b039586315a
d2df9078d5a72c5212ef2423afc8a6b04f50ab4f4c79f63f270c2d8249ebd3d9
e6467917f8ba730b9d20d4df66e1fdef1cfbacd2cfd6e15cacbf4374a3ef114e
d264787c86170b5704f7ca06c65df5f8f6007699bc8e8a76ff06af2cb2c562f6
912350f695617227e3644f49e97c597c83f2f53363251802245cad33c7466d16
6758299aa38548e854ba372cea8a99d20578059a34d2572d3d4fc8bc76362186
ff82e890982c7581994ec00d26ca72dcf6fccd826da43db1b806f1b61d972eae
a0fb1b78653306e1f6e110457fa3e9723c8a43e5b236a1b880b1724ab07bf415
fb5f29ba7b562bb99de4c48eec30ecd7de055db7e4cae9104dca7eda41c7198c
7c1b5c0d17c9cccf560f4dc6f07809a28b4908e505817984d6eb17da80be34d4
2ede91c491c0f0be911e2bc12f5c2b94c3fd717f27f89cfa0af475f34bee525f
23db1a1d6db934f635f353189beb610124ee7243030edf13f549b25d7972de5b
a34a8ccae60c06d71d28db52c7bf0630177cd9ee20fd65363b565d2a1b88e072
df011861231413952f0d069257942b342bf62befd354a5c4ad8d2b6b3f7093ec
a79c13e326d308fa0596474c6de1001639e9ffaa86872cae9a121ffad9f0039a
4a73b7f50b95f4164c68e1e003b5e149f6fcf83352702fe29d722260c7fb57ff
b0183d2016f99466eb45c654e9dc8e53bd4b90df2512acf3c526bdf65b372ba5
91d4c54eb5e24448922894a73d0a3ca2b0a84caa3d2a5526e57098791ad75f73
f291625e88495cd7da966f1c724c30b6bab3788c42760d6de3d7fd55274a3b0d
e797bb75f04bcac68e688769585623a306a0442a5614f28cb1a38d4232f525ec
bd2104c458f1c7197b830efb636df4741232585d55334fcdb6e37e8657571c24
c3dc5d9c25e3ef368835ad761bc9b0650170a018d70f93869608105375b73019
ce69de794ef8654455e9323c8dd184a507c39bb319b9c1b34fce460deca631bf

SH256 hash:

a54eada3bf161f8eef69e86a7e9fb3ff0ff303e12bf37699884196955167ca8b

MD5 hash:

e54073355a8d55962fade23996cf0d60

SHA1 hash:

9cac795e54827e9ea9b1c3c379d0d6b07bda3538

Detections:

win_ave_maria_g0

win_ave_maria_auto

Link:

https://www.unpac.me/results/2efdb450-5e7c-453f-ba4a-16aed225ce60/

SH256 hash:

6758299aa38548e854ba372cea8a99d20578059a34d2572d3d4fc8bc76362186

MD5 hash:

2f3c785c61316024dfd1d11eafefedc6

SHA1 hash:

a64e165ab3a61a15ea4626f18d44b05bacd703b2

Detections:

win_netwire_g1

Link:

https://www.unpac.me/results/2efdb450-5e7c-453f-ba4a-16aed225ce60/

Malware family:

Netwire

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/6758299aa385/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6758299aa38548e854ba372cea8a99d20578059a34d2572d3d4fc8bc76362186

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	AveMaria_WarZone Create hunting rule

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_2_RID2C2E Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	malware_netwire_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect netwire in memory
Reference:	internal research

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	netwire Create hunting rule
Author:	jeFF0Falltrades

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

Rule name:	win_ave_maria_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.ave_maria.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/255450/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample