MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77256dbd8c0a417df262ad441056cc29c4ee5a70a9005b2fa4f32efbec768083. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77256dbd8c0a417df262ad441056cc29c4ee5a70a9005b2fa4f32efbec768083
SHA3-384 hash: 300c56242879f0661c6568622f63b517244e7d82064379f2fe233ab75dde43f28d5bfa1804e3e8c278b002b5b7663e2a
SHA1 hash: b4eeda6860e62ff4cb48184d1312df126a40aee8
MD5 hash: e3cdf4e912503638d5b738447cf025ea
humanhash: east-ten-texas-bulldog
File name:3wLErjZm74CL9UB.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:613'376 bytes
First seen:2021-11-03 10:16:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'917 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 12288:X9ELuVoE06YLibFEnIJdoUnB6FmpaebjrTlPF:X9ELfW0IJuukIpaknTD
Threatray 640 similar samples on MalwareBazaar
TLSH T126D49D27AAC16116CE3589BC94544A307360DC7FB9E0B316ADE4FD8B3E7AB518C431A7
File icon (PE):PE icon
dhash icon f0cceaa4b092ec70 (2 x NetWire)
Reporter GovCERT_CH
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
399
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3wLErjZm74CL9UB.exe
Verdict:
Malicious activity
Analysis date:
2021-11-03 10:20:13 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/d0e74bce-c38e-4e87-b97f-cbd7a0301289

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/201730/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47300229.15364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/618261a01c62c3566080be74/reports/558b8e43-0ab7-46f7-88ce-330c33067c6c/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/856d14a1-c623-44d7-b92b-fc3dfe904ed8
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/882074
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 514508 Sample: 3wLErjZm74CL9UB.exe Startdate: 03/11/2021 Architecture: WINDOWS Score: 100 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 6 other signatures 2->66 9 3wLErjZm74CL9UB.exe 7 2->9         started        13 Host.exe 4 2->13         started        15 Host.exe 2->15         started        process3 file4 52 C:\Users\user\AppData\...\LkgkUFcmpajn.exe, PE32 9->52 dropped 54 C:\Users\user\AppData\Local\...\tmpAEBA.tmp, XML 9->54 dropped 56 C:\Users\user\...\3wLErjZm74CL9UB.exe.log, ASCII 9->56 dropped 72 Contains functionality to steal Chrome passwords or cookies 9->72 74 Uses schtasks.exe or at.exe to add and modify task schedules 9->74 17 3wLErjZm74CL9UB.exe 3 9->17         started        20 schtasks.exe 1 9->20         started        22 3wLErjZm74CL9UB.exe 9->22         started        32 2 other processes 9->32 24 schtasks.exe 1 13->24         started        26 Host.exe 13->26         started        28 schtasks.exe 15->28         started        30 Host.exe 15->30         started        signatures5 process6 file7 50 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 17->50 dropped 34 Host.exe 5 17->34         started        37 conhost.exe 20->37         started        39 conhost.exe 24->39         started        41 conhost.exe 28->41         started        process8 signatures9 68 Multi AV Scanner detection for dropped file 34->68 70 Contains functionality to steal Chrome passwords or cookies 34->70 43 Host.exe 3 34->43         started        46 schtasks.exe 1 34->46         started        process10 dnsIp11 58 23.105.131.227, 3360, 49753, 49755 LEASEWEB-USA-NYC-11US United States 43->58 48 conhost.exe 46->48         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77256dbd8c0a417df262ad441056cc29c4ee5a70a9005b2fa4f32efbec768083/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-02 04:54:55 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o4sw3pmmbjax34tcvvcbavwmfhco4wtqveafwl5e6mxpx3dwqcbq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0f67fd50b46ca7283dc172211a42e3ffab7b524a1e2e23433c34c88e657cd364
NetWire
27fc1cbcf702e483b8eec78bc2605e0d45dda7f0dae2c0adcd6f90b396a1151e
NetWire
2e5d08e10497cdd14499b4ae823f7d639a738d37784882db758e70fa3804e4e9
NetWire
5226a12dc7f7b5e28732ad8b5ad6fa9a35eadfbeec122d798cd53c5ef73fe86a
NetWire
abd18b2d7cfc702e56442f2549808b301f2e0fc214cdf2230d5fbefc9620fd42
NetWire
bd62e723aff056a5f6dd9b9ece4f5ea4bae0a50cc3bdd5f4228fb265c2a96170
NetWire
ce0791b1ccec1c7907e99e48f2207cafa0cd2c8528a5e0f6625187b51a14f284
NetWire
cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
NetWire
+ 630 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/211103-mbdejsafhl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
23.105.131.227:3360
Unpacked files
SH256 hash:
7ec7c47de5927351c7035f8657a2dd91c42fd6ed6e4da309e34b87ef0b0ba785
MD5 hash:
171a2669225911b41301096cd9dcf19f
SHA1 hash:
dc25f1f69faec5174e489a0d1a18cf14cf7fd1b5
Link:
https://www.unpac.me/results/a61dda6f-628a-420f-b937-28b99c5e7ee2/
SH256 hash:
08873b8f3788a2df8283032aba13e816c2d89b60635494bee33b4b2a4de418cc
MD5 hash:
e62b92faf84a5152d7c928f00741d8f2
SHA1 hash:
8030c96bc520654c8975d68751cda376fc69961d
Link:
https://www.unpac.me/results/a61dda6f-628a-420f-b937-28b99c5e7ee2/
SH256 hash:
41fcbe21483232458b28f522a9bd4dc6facb6193c3a0ac12730f831183f4788a
MD5 hash:
74d68fb9afba0baf5745b28998536ca2
SHA1 hash:
264256b89ee37eac1096b1fc177b3f8e2bc94e22
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/a61dda6f-628a-420f-b937-28b99c5e7ee2/
Parent samples :
97c7b0acbb0d187d280e20cd3ac147295ea599462d57f0d56488cda19fcaf3ed
77256dbd8c0a417df262ad441056cc29c4ee5a70a9005b2fa4f32efbec768083
SH256 hash:
77256dbd8c0a417df262ad441056cc29c4ee5a70a9005b2fa4f32efbec768083
MD5 hash:
e3cdf4e912503638d5b738447cf025ea
SHA1 hash:
b4eeda6860e62ff4cb48184d1312df126a40aee8
Link:
https://www.unpac.me/results/a61dda6f-628a-420f-b937-28b99c5e7ee2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77256dbd8c0a417df262ad441056cc29c4ee5a70a9005b2fa4f32efbec768083

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe 77256dbd8c0a417df262ad441056cc29c4ee5a70a9005b2fa4f32efbec768083

(this sample)

  
Dropped by
NetWire
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/201730/

Comments