MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c12a820fd7e576f3a179cdccaefbfcd090e0f890fccfab7615bc294795dc244. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c12a820fd7e576f3a179cdccaefbfcd090e0f890fccfab7615bc294795dc244
SHA3-384 hash: e811f1710d8cefe309a538ae584a0e6a3a588beb4468439904bb18552316ef50bfcf223b7f8d86ee03d8ce00b6518cc6
SHA1 hash: 64eac04c3421dabe908e12384469a8586cd88e67
MD5 hash: f0b43a3f4821a4cf4b514144b496e4d7
humanhash: high-edward-avocado-solar
File name:GOM.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:361'472 bytes
First seen:2021-09-09 11:18:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 33354ffe65b7ce59baad710496aff111 (1 x NetWire)
ssdeep 6144:YGOTxpKg+kR1R+MGj/57bXAOSQxM3QLylFzk8x2dQ325Y/XDz1qRQ:YtTxpKg+kR1wxbXXxM3+yHY84dQmGzz5
Threatray 981 similar samples on MalwareBazaar
TLSH T1AD74CF54F4E1C072D47105751AF4EAB8493DBC210B2279EB6FC40FEE6F362D15A31AAA
dhash icon f0e8ce868694e070 (1 x NetWire)
Reporter 0xrb
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
773
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://66.154.112.212/GOM.exe
Verdict:
Malicious activity
Analysis date:
2021-08-17 11:17:40 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/9964214c-f262-42ef-8afe-3875c2ce8780

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186568/
Detection(s):
Win.Packed.Trickbot-9888545-0
Create hunting rule

Win.Malware.NetWire-9888539-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99148e4e-2537-429c-bf31-b728a71e7b71
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
75 / 100
Link:
https://www.joesandbox.com/analysis/848011
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 480442 Sample: GOM.exe Startdate: 09/09/2021 Architecture: WINDOWS Score: 75 53 Found malware configuration 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 5 other signatures 2->59 7 GOM.exe 2 2->7         started        10 Gom Player.exe 2 2->10         started        12 Gom Player.exe 2 2->12         started        process3 signatures4 61 Contains functionality to steal Chrome passwords or cookies 7->61 63 Contains functionality to inject code into remote processes 7->63 65 Injects a PE file into a foreign processes 7->65 14 cmd.exe 3 7->14         started        18 GOM.exe 2 7->18         started        21 conhost.exe 7->21         started        23 cmd.exe 1 10->23         started        25 Gom Player.exe 10->25         started        27 conhost.exe 10->27         started        29 cmd.exe 1 12->29         started        31 Gom Player.exe 12->31         started        33 conhost.exe 12->33         started        process5 dnsIp6 47 C:\Users\user\AppData\Localbehaviorgraphom Player.exe, PE32 14->47 dropped 49 C:\Users\...behaviorgraphom Player.exe:Zone.Identifier, ASCII 14->49 dropped 67 Uses cmd line tools excessively to alter registry or file data 14->67 35 conhost.exe 14->35         started        37 reg.exe 1 1 14->37         started        51 66.154.103.106, 13377 ASN-QUADRANET-GLOBALUS Canada 18->51 39 conhost.exe 23->39         started        41 reg.exe 1 23->41         started        43 conhost.exe 29->43         started        45 reg.exe 1 29->45         started        file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c12a820fd7e576f3a179cdccaefbfcd090e0f890fccfab7615bc294795dc244/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 07:52:13 UTC
AV detection:
26 of 27 (96.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pqjkqih5pzlw6oqxttomv357zueq4d4jb7gpvn3blpbji6k5yjca._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0f67fd50b46ca7283dc172211a42e3ffab7b524a1e2e23433c34c88e657cd364
NetWire
2e54ae1fe78471492cc217d238fcd7f0158ae8f22a35e9576a91b3a6614c2d08
NetWire
5226a12dc7f7b5e28732ad8b5ad6fa9a35eadfbeec122d798cd53c5ef73fe86a
NetWire
557b7d3dbc3f34338f5a6c1467f399abc0b3ef004d7378b7ff78f80d96fbc244
NetWire
7b9a1aa88be62eb638af26146fce0a1b71aec646d2495fb350dd6d56997e7582
NetWire
91f4cceeb3b8d11e2408bd72aead7513f7031226e5ebc969611379b1bd04256a
NetWire
c4b73299f51cc04c30ee6080144f960c8d5de3d62c0e0b10c6c497f57b844474
NetWire
cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
NetWire
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
NetWire
+ 971 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/210909-nevcxabbgj/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
66.154.103.106:13377
Unpacked files
SH256 hash:
081a21befa61d89785dbe6d598720622bea10a5415cb5913ca32d1e67dcc95aa
MD5 hash:
53d609c3d19c2dfbfe787694f3f933a5
SHA1 hash:
95d1eff937e7ce83cf2e21896f60d1c8d6c4fb30
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/412ee190-f28d-46dc-8d57-0e0280a57897/
Parent samples :
5226a12dc7f7b5e28732ad8b5ad6fa9a35eadfbeec122d798cd53c5ef73fe86a
7c12a820fd7e576f3a179cdccaefbfcd090e0f890fccfab7615bc294795dc244
SH256 hash:
7c12a820fd7e576f3a179cdccaefbfcd090e0f890fccfab7615bc294795dc244
MD5 hash:
f0b43a3f4821a4cf4b514144b496e4d7
SHA1 hash:
64eac04c3421dabe908e12384469a8586cd88e67
Link:
https://www.unpac.me/results/412ee190-f28d-46dc-8d57-0e0280a57897/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c12a820fd7e576f3a179cdccaefbfcd090e0f890fccfab7615bc294795dc244

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186568/

Comments