MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 805d12ed4c01c46608247a67de367e4ff274977219804246df7739707873fd2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash:	805d12ed4c01c46608247a67de367e4ff274977219804246df7739707873fd2b
SHA3-384 hash:	d2f938a501453fe73afa6c9273cef2c75a5acc116c739bdeacf7208770b0bbbec61270a05124bc58c587c76cf3bf14c7
SHA1 hash:	4d28c789cb3cad0540ee01c53e16482027aab21f
MD5 hash:	a07604082ea5483a894f1aaee559e739
humanhash:	sodium-uranus-zebra-eighteen
File name:	a07604082ea5483a894f1aaee559e739.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	146'432 bytes
First seen:	2022-08-28 19:47:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	18fb8f04991eef6621d9adfb6b5f7ff8 (8 x NetWire)
ssdeep	3072:9uO/rZAi3Tqn2ZiaPiJcuy/CBzjYqqKb33wqwwIKM:w6dQ2Ziamcu8K8KbP
Threatray	105 similar samples on MalwareBazaar
TLSH	T14CE39E54B9C1C073DAAA1A310475EFF45A3DF5301F219EFB63841A798F202D19639EAE
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe NetWire RAT

abuse_ch

NetWire C2:
51.77.67.168:5550

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
51.77.67.168:5550	https://threatfox.abuse.ch/ioc/845994/

Intelligence

File Origin

# of uploads :

# of downloads :

380

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netwire

ID:

File name:

a07604082ea5483a894f1aaee559e739.exe

Verdict:

Malicious activity

Analysis date:

2022-08-28 19:50:27 UTC

Tags:

netwire

Link:

https://app.any.run/tasks/7a12a817-0163-4c28-ae83-b317fc57e98f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/301917/

Detection(s):

Win.Dropper.Redline-9965170-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/30571/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NetWire RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1ea658a4-4ba3-422f-8515-e21aff39a470

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1059367

Signature

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/805d12ed4c01c46608247a67de367e4ff274977219804246df7739707873fd2b/

Threat name:

Win32.Backdoor.NetWiredRc

Status:

Malicious

First seen:

2022-08-28 19:48:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qborf3kmahcgmcbepjt54nt6j7zhjf3sdgaeerw7o44xa6dt7uvq._file

Verdict:

malicious

Label(s):

netwirerc

NetWire

1eb85ede00f809ba0f2ae9ea64c78615705f7314f31934887849c60f86b6505e

NetWire

3a07d1cbc8052ba733faaacff6b69858057ad8efc52583a78fcd98f6e96be88f

NetWire

4724dfa919b8bdd3b2f595fdff502601becfff608cbbc9e81a461c7d464b16d8

NetWire

924793b589437dd9c07931c44c64d50552b7f46630412ee5d8befbdbc2915dd7

NetWire

976d246968ae18dbdb5edf65693eaaff089451933c91c912a33b8391cf535193

NetWire

a440e693962c333be050ef7ba0f9b5cbeac959d149a5f5b4d299197fb9415133

NetWire

cf5dfc3feff20dd62375a05e9dad36dcda140c283d3d197624e06712f679aa9a

NetWire

+ 95 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220828-yh35bsdfhn/

Unpacked files

SH256 hash:

805d12ed4c01c46608247a67de367e4ff274977219804246df7739707873fd2b

MD5 hash:

a07604082ea5483a894f1aaee559e739

SHA1 hash:

4d28c789cb3cad0540ee01c53e16482027aab21f

Detections:

win_vigilant_cleaner_auto

Link:

https://www.unpac.me/results/d021aefc-cff0-4c90-8535-3bc99c9a45f7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/805d12ed4c01c46608247a67de367e4ff274977219804246df7739707873fd2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	win_vigilant_cleaner_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.vigilant_cleaner.