MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b2046a98f7f06d33fa42e473ee16465340713c76e27dc3cdd883c42fe06ed2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b2046a98f7f06d33fa42e473ee16465340713c76e27dc3cdd883c42fe06ed2a
SHA3-384 hash: 3a5840edb50e9a5114d69de47c240295c2c497b2bcf54c3fab53d6c71745a4ceb979124b885160dc07654a2aeb6c34bc
SHA1 hash: 4f0757b191ebce65a5cd02931f2a8e5f86af9b8a
MD5 hash: 1e4b30611539dea616886e182faa606d
humanhash: monkey-connecticut-foxtrot-berlin
File name:annexedpayment.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:48'568 bytes
First seen:2021-11-12 16:35:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'917 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 768:7V30dhz4sFnh7icDv0LZfrJPwuWNnwPLB+VyzhKzquhq1qZjpmohe:7VkPt58ZfnDhKzquhKf
Threatray 1'201 similar samples on MalwareBazaar
TLSH T10E23D829B1127037C5EEA872C085F213E83D569699BA0B4B76DF404E95C139B52FFF82
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
107.172.73.148:3360

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
107.172.73.148:3360 https://threatfox.abuse.ch/ioc/247474/

Intelligence

File Origin
# of uploads :
1
# of downloads :
442
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205337/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed packed
Link:
https://www.filescan.io/uploads/618e98013edf00a722d094b9/reports/bd4b90b5-6600-479e-bbbb-c919fa89d9fe/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22259390-333f-431f-b572-bdf6ca8d8f0a
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888251
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected NetWire RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 520724 Sample: annexedpayment.exe Startdate: 12/11/2021 Architecture: WINDOWS Score: 100 33 Multi AV Scanner detection for domain / URL 2->33 35 Found malware configuration 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 8 other signatures 2->39 7 annexedpayment.exe 21 6 2->7         started        process3 dnsIp4 29 cdn.discordapp.com 162.159.129.233, 443, 49756, 49757 CLOUDFLARENETUS United States 7->29 27 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->27 dropped 41 Contains functionality to steal Chrome passwords or cookies 7->41 43 Adds a directory exclusion to Windows Defender 7->43 45 Hides threads from debuggers 7->45 12 annexedpayment.exe 7->12         started        15 powershell.exe 24 7->15         started        17 powershell.exe 25 7->17         started        19 5 other processes 7->19 file5 signatures6 process7 dnsIp8 31 exportmunic007.duckdns.org 107.172.73.148, 3360, 49758 AS-COLOCROSSINGUS United States 12->31 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 AdvancedRun.exe 19->25         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b2046a98f7f06d33fa42e473ee16465340713c76e27dc3cdd883c42fe06ed2a/
Threat name:
ByteCode-MSIL.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-11-12 08:09:44 UTC
AV detection:
24 of 45 (53.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pmqenkmpp4dngp5efzdt5ylemu2aoe6hnyt5ypg5ra6ef7qg5uva._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0f67fd50b46ca7283dc172211a42e3ffab7b524a1e2e23433c34c88e657cd364
NetWire
22dd73a06a3bff8a7866c95b5191aa6a7b57d67d632b2373235e7b2ba4fd46fa
NetWire
27fc1cbcf702e483b8eec78bc2605e0d45dda7f0dae2c0adcd6f90b396a1151e
NetWire
5226a12dc7f7b5e28732ad8b5ad6fa9a35eadfbeec122d798cd53c5ef73fe86a
NetWire
abd18b2d7cfc702e56442f2549808b301f2e0fc214cdf2230d5fbefc9620fd42
NetWire
bd62e723aff056a5f6dd9b9ece4f5ea4bae0a50cc3bdd5f4228fb265c2a96170
NetWire
c657a69c6832a40ff81651b72dde98ebd3dd5cece06ee57afe835370a2d51a3a
NetWire
cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
NetWire
dfc8f0a7456a2b40908d901c2468d372bd859abda04e50ef4cf45ec84668cdcb
NetWire
fb55f300cbcea6d62e33eb76a196849d1a67ce91c46255d2180fcd6a2cdc43f9
NetWire
+ 1'191 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet evasion rat stealer trojan
Link:
https://tria.ge/reports/211112-t3916aahan/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
NetWire RAT payload
Netwire
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
exportmunic007.duckdns.org:3360
Unpacked files
SH256 hash:
7b2046a98f7f06d33fa42e473ee16465340713c76e27dc3cdd883c42fe06ed2a
MD5 hash:
1e4b30611539dea616886e182faa606d
SHA1 hash:
4f0757b191ebce65a5cd02931f2a8e5f86af9b8a
Link:
https://www.unpac.me/results/e3232f1d-05ff-4f67-b9dc-97e8ff2352c7/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/205337/

Comments