MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e12867c3e8353fc4175b559bbf654ccce1b253204fd7c5c0e2a72b56026ca32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e12867c3e8353fc4175b559bbf654ccce1b253204fd7c5c0e2a72b56026ca32
SHA3-384 hash: 027eb5e939a6b00b8860ae001116b91e126160a8791a4ea2adc6b142c32203389f46394c86921d69e19d768871201199
SHA1 hash: 72250774c05d90f827cd3e9a85a0d5b7b4e3b791
MD5 hash: 5413d7925b6e67e27e6ffdab67974dbf
humanhash: mars-august-bulldog-high
File name:5413D7925B6E67E27E6FFDAB67974DBF.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:188'080 bytes
First seen:2021-07-22 23:10:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (433 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 3072:5DKW1LgppLRHMY0TBfJvjcTp5XmfMtCRTgCohP9Wo/:5DKW1Lgbdl0TBBvjc/mfMtCIV9Wg
Threatray 592 similar samples on MalwareBazaar
TLSH T1AD049D2075C1C5B3C8B7513044E5CB3A9E7930214B6A95E7B7AC1BBA6F213D1A3362CE
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
74.201.28.67:3021

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
74.201.28.67:3021 https://threatfox.abuse.ch/ioc/162209/

Intelligence

File Origin
# of uploads :
1
# of downloads :
270
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5413D7925B6E67E27E6FFDAB67974DBF.exe
Verdict:
Malicious activity
Analysis date:
2021-07-22 23:12:45 UTC
Tags:
opendir trojan rat netwire loader
Link:
https://app.any.run/tasks/afda1436-3f0b-4cd8-aed8-73a8b42b43bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173449/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/25f41d16-7c5f-47b2-bc67-2884d4695439
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820456
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e12867c3e8353fc4175b559bbf654ccce1b253204fd7c5c0e2a72b56026ca32/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 01:00:31 UTC
AV detection:
12 of 27 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pyjim7b6qnj7yqlvwvm3x5suzthbwjjsat6xyxaofjzlkybgziza._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
3b8dd3bc950e31064f5fe058ed3e8c25f082bef1f42e1426760cc6f8fef14821
NetWire
5741d60ead4ec57c71e274d23d6a4550650e54edf7613a180de90749a0c651ca
NetWire
5b3cc30719578d96ef64e9341e00eedb05512ee9692b2eff924aabc54e7a16e4
NetWire
608ec84d6c6d1b552b0c77210475ead69a437d02cc688d60e798cf530c02897e
NetWire
797a9a105652922546340d44d623196f8f5d22410011156a710bdf4f239a3d40
NetWire
a40c51565228f1fef2028b90fd49051372828871d8eeb5df19e5d8049c977ed2
NetWire
c6e42b6b5328ea35302559a7cb8b3849e3b9a646648a9be0a505ae8c2aa5490c
NetWire
d98e919482d344212e9e79e1154ee7015bba50d90107fe122a59cae38484eb84
NetWire
f52c73e9a148074ad2d20b27874e0c183a461f0e21ed09874ef706e464757e2e
NetWire
f6262c14a5f6c845a95cab29a6e1e2a662d5df47499935c1f050d908ee01db90
NetWire
+ 582 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210722-k8vlb34kes/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
finerthings.duckdns.org:3021
Unpacked files
SH256 hash:
f0e28d6089afd24ecaa5198138212e579504648e9fd0f9e1c8f6fb24e83cb434
MD5 hash:
d0e85021ad21de4570d19fc83aed02fa
SHA1 hash:
92722b75deadcf39b96d9451760b4f85005b2f80
Link:
https://www.unpac.me/results/b26c2966-d69b-4c0d-adf2-41fe5922c37f/
SH256 hash:
f34db96b9dda4d3808e1d7db726cf386cd902cedf31facc5176a92c9e628847f
MD5 hash:
0002724f5c662ad569dbdefaff77ac8d
SHA1 hash:
8c8b81343049391daa45fd602d24ecf9a94ee9e2
Link:
https://www.unpac.me/results/b26c2966-d69b-4c0d-adf2-41fe5922c37f/
SH256 hash:
7e12867c3e8353fc4175b559bbf654ccce1b253204fd7c5c0e2a72b56026ca32
MD5 hash:
5413d7925b6e67e27e6ffdab67974dbf
SHA1 hash:
72250774c05d90f827cd3e9a85a0d5b7b4e3b791
Link:
https://www.unpac.me/results/b26c2966-d69b-4c0d-adf2-41fe5922c37f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7e12867c3e8353fc4175b559bbf654ccce1b253204fd7c5c0e2a72b56026ca32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173449/

Comments