MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e
SHA3-384 hash: 326f1aa96bf555c1386123e296356b16a39c2c04a1a5e1ff59bda3047ae53ab151c20bc310f55b0c92f4855f8b981bc8
SHA1 hash: 7ec0c6d7d9b75ef8f078383a15d977b45dc434c1
MD5 hash: 959be976070ea4820a2e24dcce3d0bdf
humanhash: eleven-one-salami-november
File name:SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980
Download: download sample
Signature NetWire
Create hunting rule
File size:347'381 bytes
First seen:2021-07-23 11:10:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 3072:XBkfJpRXATwMdFCcPVbIfDO8+OhttIB7BQBWI/qYgK7WlKxMOsYJX9PJ:XqjIZZIy8dhzIhKBWI/3gK7WlKJsIh
Threatray 493 similar samples on MalwareBazaar
TLSH T11074D0097690D062CBD122305FB4CAF61BB4DC1858D1AA1737D8BFAF3AFF24759096A1
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
35A80E79A290DFCE0D019D467EC8DC9C.exe
Verdict:
Malicious activity
Analysis date:
2021-07-23 04:23:31 UTC
Tags:
opendir trojan rat netwire loader
Link:
https://app.any.run/tasks/cc4f6243-af43-4c00-9e69-d7f624b49fa9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173599/
Detection(s):
SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a572f6f5-be7f-4e0a-afb7-908ac8925674
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820712
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-07-17 06:03:21 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nng5cpvgeqngzcwszft5rdztgz4y3qpdbxjez6rto743gy6xbmxa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
3b8dd3bc950e31064f5fe058ed3e8c25f082bef1f42e1426760cc6f8fef14821
NetWire
5741d60ead4ec57c71e274d23d6a4550650e54edf7613a180de90749a0c651ca
NetWire
5b3cc30719578d96ef64e9341e00eedb05512ee9692b2eff924aabc54e7a16e4
NetWire
5b4962b939b67929dcb5b0c5a90b75e617f9af630271d710a21ccbe0d7738e05
NetWire
608ec84d6c6d1b552b0c77210475ead69a437d02cc688d60e798cf530c02897e
NetWire
797a9a105652922546340d44d623196f8f5d22410011156a710bdf4f239a3d40
NetWire
7e12867c3e8353fc4175b559bbf654ccce1b253204fd7c5c0e2a72b56026ca32
NetWire
a40c51565228f1fef2028b90fd49051372828871d8eeb5df19e5d8049c977ed2
NetWire
ee70cb2fc82abe10d225555baf80864b1c8f779fce79dcb2b76943d145a8130e
NetWire
f6262c14a5f6c845a95cab29a6e1e2a662d5df47499935c1f050d908ee01db90
NetWire
+ 483 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210723-gqzv6zrmt6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
finerthings.duckdns.org:3021
Unpacked files
SH256 hash:
1f21ddc86b61da3f6dfd77c015e7f5d05e221f385b3813934ec5b6b84f55b817
MD5 hash:
c4a93541def98c89441d88e7671f0d2d
SHA1 hash:
cc2bd924f95d116ae2814a0709909a3ddb41f7e2
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/787922b5-d9bd-4f27-a1d8-8afdc48bf316/
SH256 hash:
03d53a25652bbf853ab65f0428ebc68db0497654206b95bb86f0d45f0b0ebd70
MD5 hash:
c6740f343d8777430307336fcb50d504
SHA1 hash:
54e4bafc84ab18dab87731ee3b3647d923af7fd7
Link:
https://www.unpac.me/results/787922b5-d9bd-4f27-a1d8-8afdc48bf316/
SH256 hash:
16327115ed90bf98b216a97fd4cfc792727962d848797755fc158109ca975ab9
MD5 hash:
e029bdf1937ee0597da65dcf52c70f3d
SHA1 hash:
26c167fdd7bd1250a4c7c990bb8481cfb386e81c
Link:
https://www.unpac.me/results/787922b5-d9bd-4f27-a1d8-8afdc48bf316/
SH256 hash:
6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e
MD5 hash:
959be976070ea4820a2e24dcce3d0bdf
SHA1 hash:
7ec0c6d7d9b75ef8f078383a15d977b45dc434c1
Link:
https://www.unpac.me/results/787922b5-d9bd-4f27-a1d8-8afdc48bf316/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.67
Link:
https://yomi.yoroi.company/submissions/6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe 6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1475522/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1475526/
Cape
Cape
https://www.capesandbox.com/analysis/173599/

Comments