MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b64c512504060c171eee898bb53f7d402ccb274f9350a2f543803c6ef23a6fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	6b64c512504060c171eee898bb53f7d402ccb274f9350a2f543803c6ef23a6fd
SHA3-384 hash:	f4a5176f7c552be867a1a9df4bb38c58c984d484066bfb3e1e15ed15432fd75d2bfa4f3c6bf30a7655eb2795e0d00c50
SHA1 hash:	6173fa56081dc6d0dd17dde008140ac3e05dd0d0
MD5 hash:	c25c73ab1415e8dff04d4f8cf22194b6
humanhash:	jersey-ceiling-triple-emma
File name:	MAERSK ARRIVAL NOTICE_PDF.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	742'912 bytes
First seen:	2021-09-23 07:12:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:TymtiK5ou/g9lVFVew6WBBnoSVelnVHwOt3c30Yha37WfahHCk:O+FouSlVFMULlsZVQSck16fb
Threatray	587 similar samples on MalwareBazaar
TLSH	T1CCF48AC89D884613D7A44672DC5C670632292D4A7723938BCBE13D773EFE683C22D996
File icon (PE):
dhash icon	a28aa2e2e0aaa2a2 (14 x Formbook, 11 x AgentTesla, 5 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe Maersk NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

548

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

MAERSK ARRIVAL NOTICE_PDF.exe

Verdict:

Malicious activity

Analysis date:

2021-09-23 07:37:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e6bba39b-00cc-447c-94ec-d9b7512b94e7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NetWire

Link:

https://www.capesandbox.com/analysis/190659/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.26929.UNOFFICIAL

Malware family:

NetWire RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b1fffd00-1598-43af-a811-c5af8076ca01

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/856298

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to steal Chrome passwords or cookies

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Defender Exclusion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Netwire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6b64c512504060c171eee898bb53f7d402ccb274f9350a2f543803c6ef23a6fd/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-23 07:13:13 UTC

AV detection:

22 of 45 (48.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nnsmkesqibqmc4po5cmlwu7x2qbmzmtu7e2qul2uhab4n3zdu36q._file

Verdict:

malicious

Label(s):

netwirerc

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/210923-h15g4sfgd2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

night90.ddns.net:8999

Unpacked files

SH256 hash:

cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7

MD5 hash:

71a894ff252c767b80d65ab1e54fda2b

SHA1 hash:

bcc4ff628585ca28b8b0f2c30e63049b910d4d49

Link:

https://www.unpac.me/results/eaa81d20-739c-4934-b3be-10cb7c2f3527/

SH256 hash:

82e0f2631e35adfa5eec908f0aff6ef56e505e5eaf3c252910fd5e7966f90f0f

MD5 hash:

f1fea659eef3438f4e309a54effe36d2

SHA1 hash:

a0556aa28beaebf1e724bb338f733869f3f21111

Link:

https://www.unpac.me/results/eaa81d20-739c-4934-b3be-10cb7c2f3527/

SH256 hash:

3121f99240fd4c3f45da8f20d10d491bfd0b87c911f3f7c957c556c92d050029

MD5 hash:

b1b3d7734b861dfd6609920c2c94304b

SHA1 hash:

56a0059510c8e5951d115cfaaf897b98040e51c9

Detections:

win_netwire_g1

win_netwire_auto

Link:

https://www.unpac.me/results/eaa81d20-739c-4934-b3be-10cb7c2f3527/

Parent samples :

466c6eed81c9e10b97b539264af394bef185fdfa72cd3550f62d6634dfb2acc3
46b6c90d331eabb7e554cfe3baa01ed3e72b40793f7bc670f95b22ee611725a9
11084f0e466c6e14a898cd1e806dcfddc4ae3c7819a617c3d0a54490989ba559
dbf616ad9c72def90a363c076c2e66d25831350d2e1ad60b22675e2c0ad95e56
0257c2dba216209d6c9ad6e6096755efc9b4961018ebdceae8c931cdb62a650c
6b64c512504060c171eee898bb53f7d402ccb274f9350a2f543803c6ef23a6fd

SH256 hash:

2097f8090dedc1159e847128a06487ed396ef453099a8b5dad33e45f894e5162

MD5 hash:

270d6d00d28bf106ee2e73d9fcb9eeca

SHA1 hash:

4ad6126adb1dcc7a6fced18142f8fc273c3c5098

Link:

https://www.unpac.me/results/eaa81d20-739c-4934-b3be-10cb7c2f3527/

SH256 hash:

6b64c512504060c171eee898bb53f7d402ccb274f9350a2f543803c6ef23a6fd

MD5 hash:

c25c73ab1415e8dff04d4f8cf22194b6

SHA1 hash:

6173fa56081dc6d0dd17dde008140ac3e05dd0d0

Link:

https://www.unpac.me/results/eaa81d20-739c-4934-b3be-10cb7c2f3527/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/6b64c512504060c171eee898bb53f7d402ccb274f9350a2f543803c6ef23a6fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/190659/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample