MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7418fd3ec75f43bed921ecf2df4ba922fbd86c2e1e158bf309bbee13d4374125. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7418fd3ec75f43bed921ecf2df4ba922fbd86c2e1e158bf309bbee13d4374125
SHA3-384 hash: 7b7df2b942206f9ef5c094fa04b505db8016e581e839cb320c6839b53e9e0d04534d084a447147c3d65f472d92980b77
SHA1 hash: 308238e449d97520e21cfb601feb15193bf89a68
MD5 hash: 41afcc620b9a87add5322f3f17d563bb
humanhash: skylark-wolfram-batman-six
File name:41afcc620b9a87add5322f3f17d563bb.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:77'312 bytes
First seen:2022-07-08 11:15:53 UTC
Last seen:2022-07-08 12:01:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 192:KvHnOEzHwbWG4dWZV3C0xOjmTeuQsMllqAPoBraVR:KRzHwm8ZV3C3jmSwVAgBraV
Threatray 1'798 similar samples on MalwareBazaar
TLSH T1A1731FA256DC4299F6934ABD8C24BB30429C7D62D8F263FFABC47393DD702C156136A1
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 26c286aab2524a86 (6 x NetWire, 1 x RemcosRAT)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
194.5.98.176:3363

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.5.98.176:3363 https://threatfox.abuse.ch/ioc/817826/

Intelligence

File Origin
# of uploads :
2
# of downloads :
336
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.420.9072.21228.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a file
Creating a window
Sending a TCP request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62c8123211764e36f822583f/reports/f32a5105-9ea6-4687-bf66-2cd138a916b2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/31ed8837-0de7-431d-a082-de8e937b1939
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1027162
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected Netwire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7418fd3ec75f43bed921ecf2df4ba922fbd86c2e1e158bf309bbee13d4374125/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-07 23:22:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oqmp2pwhl5b35wjb5tzn6s5jel55q3bodykyx4yjxpxbhvbxiesq._file
Verdict:
malicious
Similar samples:
15b8325df5457903aa6a8f86ddd64b7ea2fca232231e2e63044a1a0f9cc3f73b
NetWire
4f3642f36e5ba22aec031ad20349200b39114fdb470b78247f1c1a5626146a87
NetWire
566525c61d64c378c99f59da573aa7712061bad58bbda3fb6b58842184e88f3a
NetWire
714e70af0dfb6315bc61dd40729e507e0037caa6f3ccdcb7c30055523ea43745
NetWire
7887aebb0bce6a49dca946ca99b69c3fad43bf7b66eb94a5491c8fc20847d52f
NetWire
9d19c6e678c823c2c0e75fb23280ae1308a01f52e36e7e327014502e5f907f1a
NetWire
d916077d4a9b8fb616ff3fec16dc7fed1e2a72eec92c3fcf460861f13e2cc0ac
NetWire
f2ddfe5553b44391c9d1805e9186567e989dceda846eff17de8e703f7b5b9ccd
NetWire
ff01480f787117c95dfd4f7b80e4f8da656b7ff73233e7731b72406700e06a35
NetWire
+ 1'788 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/220708-nc4tkacaar/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
194.5.98.176:3363
194.5.98.176:3365
Unpacked files
SH256 hash:
7418fd3ec75f43bed921ecf2df4ba922fbd86c2e1e158bf309bbee13d4374125
MD5 hash:
41afcc620b9a87add5322f3f17d563bb
SHA1 hash:
308238e449d97520e21cfb601feb15193bf89a68
Link:
https://www.unpac.me/results/79cea1cc-cc0f-45d9-8419-c1ada4d1616e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7418fd3ec75f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/7418fd3ec75f43bed921ecf2df4ba922fbd86c2e1e158bf309bbee13d4374125

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe 7418fd3ec75f43bed921ecf2df4ba922fbd86c2e1e158bf309bbee13d4374125

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2229648/
  
Delivery method
Distributed via web download

Comments