MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e75af8d5d325800f4cfcaab0ec5a96976011f10544863ec3f75ee2a21eaded3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e75af8d5d325800f4cfcaab0ec5a96976011f10544863ec3f75ee2a21eaded3
SHA3-384 hash: 408dcd691f1f96ddb1f2ed77cdd539683bf7aa350d8d88fb7878aa9239a1d965acd8dabb84b6f05dd08f112af9cb09b5
SHA1 hash: 07ee272f677893765d60931d8698371286bd550b
MD5 hash: 36019894ec24a4a4a35af4d7abf26a6b
humanhash: autumn-fruit-venus-fix
File name:Bill of Lading, Invoice, & Packing LIsts.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:764'928 bytes
First seen:2021-06-30 09:06:34 UTC
Last seen:2021-06-30 14:25:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 49872ca347743de3342dae48ab6a2426 (2 x Formbook, 1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:3/GRJUeqFZCVHtc67SJFBoy7PoAMkANkLkU4uXc:3eRJsFQHGKSacRsNI
Threatray 54 similar samples on MalwareBazaar
TLSH 80F48DF2F1C59532E1562A38BC6BAB945821BF002D6C3D02F2F2394D8FBD1D27635696
Reporter lowmal3
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
3
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bill of Lading, Invoice, & Packing LIsts.exe
Verdict:
Malicious activity
Analysis date:
2021-06-30 06:31:16 UTC
Tags:
installer trojan rat netwire
Link:
https://app.any.run/tasks/e273c8a8-5b39-4464-93de-f89addbc7d7d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168922/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0c0b8b4-4c10-4981-ad47-d2ae302d34fb
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/809855
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442266 Sample: Bill of Lading, Invoice, & ... Startdate: 30/06/2021 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Yara detected NetWire RAT 2->51 53 4 other signatures 2->53 6 Bill of Lading, Invoice, & Packing LIsts.exe 1 19 2->6         started        11 Mtpqhfs.exe 16 2->11         started        13 Mtpqhfs.exe 16 2->13         started        process3 dnsIp4 25 onedrive.live.com 6->25 33 2 other IPs or domains 6->33 23 C:\Users\Public\Libraries\...\Mtpqhfs.exe, PE32 6->23 dropped 55 Writes to foreign memory regions 6->55 57 Allocates memory in foreign processes 6->57 59 Creates a thread in another existing process (thread injection) 6->59 15 DpiScaling.exe 2 6->15         started        27 onedrive.live.com 11->27 35 2 other IPs or domains 11->35 61 Machine Learning detection for dropped file 11->61 63 Injects a PE file into a foreign processes 11->63 19 DpiScaling.exe 11->19         started        29 192.168.2.1 unknown unknown 13->29 31 onedrive.live.com 13->31 37 2 other IPs or domains 13->37 21 DpiScaling.exe 13->21         started        file5 signatures6 process7 dnsIp8 39 sipex2021.ddns.net 194.5.98.48, 49735, 49760, 49761 DANILENKODE Netherlands 15->39 41 Contains functionality to log keystrokes 15->41 43 Contains functionality to steal Internet Explorer form passwords 15->43 45 Contains functionality to steal Chrome passwords or cookies 15->45 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e75af8d5d325800f4cfcaab0ec5a96976011f10544863ec3f75ee2a21eaded3/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-06-30 09:07:11 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nz227dk5gjmab5gpzkvq5rnjnf3achyqkregh3b7oxxcuipk33jq._file
Verdict:
malicious
Similar samples:
0d182038f62a038b380a4d3c3769d5eb389b08b194b7dce13606252e7e1aff1c
NetWire
33f0d367ae282d4c9b9a6acbfefd3e86999eb84fc65c43d99f1de1b95c1f80af
NetWire
3d263b6e2cdc6e43060faf06203a211ed5f716238157fc36f3f0d5b21777c0ac
NetWire
3f5ccdc99b29651852d447f8587f5cfa5e108ea10dba0eed36d436a4b6e73719
NetWire
6a6d545fd995dbffb75332ad4a05e32f20777410b36e633c42e4f6c8cdc685d2
NetWire
6f536ae781fd98358126408aa6991b4bb3ec3f9940929a22b25f785b71ec770d
NetWire
7df259f7873239aee108522c3efd6fca233db83a268a3c9fad4766994c5a029d
NetWire
92258f992fbf15509591d96b11cb50eda41cf0c19f35fdd089c311ca5eace947
NetWire
9d109cc4f855ab857f7bc081a7bd0e2be2a46d59282970f1a189a019b4467173
NetWire
ebe0b8890392475537625aeefaec22b5f0115011e135117d7afd9325eb47fad8
NetWire
+ 44 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:netwire botnet persistence stealer trojan
Link:
https://tria.ge/reports/210630-wxrvy6668n/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader, DBatLoader
Netwire
Unpacked files
SH256 hash:
49f77536366703b0e3ca29cb6373d6514376a22680d0a06fcecd1934f0155413
MD5 hash:
593606abb6e00ea220a2527c44ffb6e7
SHA1 hash:
f8a90f103f62713f502a0f9a9219b4c1125e1516
Link:
https://www.unpac.me/results/16822885-b551-4cfa-b951-c565e5d15634/
SH256 hash:
869918d02d073c45b461ccfe3101d1f0ca9449c5787d49f641be069d0f3ce6d5
MD5 hash:
d595a2d32b8cbe9a5ac508f32a99eb9b
SHA1 hash:
0a8670e1fa9ebbb296eec97588ff6b7c23112b9a
Link:
https://www.unpac.me/results/16822885-b551-4cfa-b951-c565e5d15634/
SH256 hash:
6e75af8d5d325800f4cfcaab0ec5a96976011f10544863ec3f75ee2a21eaded3
MD5 hash:
36019894ec24a4a4a35af4d7abf26a6b
SHA1 hash:
07ee272f677893765d60931d8698371286bd550b
Link:
https://www.unpac.me/results/16822885-b551-4cfa-b951-c565e5d15634/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e75af8d5d325800f4cfcaab0ec5a96976011f10544863ec3f75ee2a21eaded3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_ArtraDownloader2_Aug19_1
Create hunting rule
Author:Florian Roth
Description:Detects ArtraDownloader malware
Reference:https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe 6e75af8d5d325800f4cfcaab0ec5a96976011f10544863ec3f75ee2a21eaded3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/168922/

Comments