MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 811690717824917911f152507cf4232df4aec5f198a57a638a3a9e0a738e84b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments 1

SHA256 hash:	811690717824917911f152507cf4232df4aec5f198a57a638a3a9e0a738e84b8
SHA3-384 hash:	81406f367893ed3e1ceb77ea768c3eff79397722419ba2c970f13f5c610b20e85b6ccf9c826ef0818da387cfbccbed9b
SHA1 hash:	f74867d322ab1f6ff47a03e0e762ffd222d5809e
MD5 hash:	580a3eb425ff685473ce8efb4102f57d
humanhash:	seven-indigo-florida-uncle
File name:	580a3eb425ff685473ce8efb4102f57d
Download:	download sample
Signature	NetWire Create hunting rule
File size:	704'512 bytes
First seen:	2022-06-08 10:01:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep	12288:UJpiV09qto47CgnHHRIvT2oWgZzJ/Wcjc1H80ibEHw:ypiV0K7HHxIvT2oZB7x
Threatray	1'955 similar samples on MalwareBazaar
TLSH	T114E4D090B3AA9F71F17963F27520A00817F4391E45D1E23A8ECDB0CE66A1B8259F5F17
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	cc00ecc4b6e400c4 (8 x Loki, 7 x AgentTesla, 7 x SnakeKeylogger)
Reporter	zbetcheckin
Tags:	32 exe NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

549

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netwire

ID:

File name:

580a3eb425ff685473ce8efb4102f57d

Verdict:

Malicious activity

Analysis date:

2022-06-08 10:05:42 UTC

Tags:

trojan netwire

Link:

https://app.any.run/tasks/c7de1fd5-a602-4827-818f-07193d919421

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/277735/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1364.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook obfuscated packed replace.exe update.exe wacatac

Link:

https://www.filescan.io/uploads/62a073b5e22d00d5e195cac0/reports/8b1fb08f-1738-4472-a50a-5a1cbdabb61c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NetWire RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1f523c6a-b185-4892-9dab-833d3d83ba44

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1008905

Signature

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to steal Chrome passwords or cookies

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Netwire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/811690717824917911f152507cf4232df4aec5f198a57a638a3a9e0a738e84b8/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-06-07 04:29:35 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qelja4lyesixseprkjihz5bdfx2k5rprtcsxuy4khkpau44oqs4a._file

Verdict:

malicious

Label(s):

netwirerc

NetWire

3d8f8701d2e460d4ffd915ea185cc03e742693a4a91bca5accedd4b3748870b6

NetWire

6256837f37931d7a847387e4a9bed704309ac37c85f7421ffdd49c8d6b12b207

NetWire

8397c04c6cebbfcb4ffbc18722a72e8485626304db1fb5c83875e1d64b873a23

NetWire

b5e057dd035dc2c643e93e2ca114b458c6e8376b137236ab2c4840de7acba6c8

NetWire

d32e7f778d59cbb96067b134ba83c1d95ce3133461dd5024bbb5aab8ee4f4b51

NetWire

f50147158432f892c1c6ab6abc876ec3e3a18e84265ceb28ac2c82b9688be576

NetWire

+ 1'945 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/220608-l2s29afcer/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

194.5.98.188:3364
194.5.98.188:3366

Unpacked files

SH256 hash:

21da22837446e7df483c9b356b94bb13608fe2af97342e99f87958ac44789a94

MD5 hash:

f3eb70868490586501a54d92ce0b4c7d

SHA1 hash:

367d488858cff4bfc0ec9722d76949a0a00c62e2

Link:

https://www.unpac.me/results/a7dfc437-886d-455d-ada4-fa743e5e764a/

SH256 hash:

de22036472e81dabf9eccf0195ea882a36f2ffb33c74af4fa59e08d13fae98f2

MD5 hash:

d84e8ed7db5f443f58c86c78a9558d08

SHA1 hash:

5bb35db9782b6828d52240e2dbdce454a1a957bb

Link:

https://www.unpac.me/results/a7dfc437-886d-455d-ada4-fa743e5e764a/

SH256 hash:

75f4f1ca5e228602b065741163bba250072c6e4c79089aa5ebbf32cb70988912

MD5 hash:

47646eab70f417fa27352902af2bc509

SHA1 hash:

60c9f96a2c6fc9c6579d559a1091df3d7802c89a

Detections:

win_netwire_g1

win_netwire_auto

Link:

https://www.unpac.me/results/a7dfc437-886d-455d-ada4-fa743e5e764a/

SH256 hash:

ee63986957a24cf19f90bb9f2f22960a2cccf2ac64e54038e40170a02c3a1a70

MD5 hash:

731451f1856b8eab74b242d563af0d3c

SHA1 hash:

931c0a8b444919a9897a654ab2d0fb5a090f515d

Link:

https://www.unpac.me/results/a7dfc437-886d-455d-ada4-fa743e5e764a/

SH256 hash:

811690717824917911f152507cf4232df4aec5f198a57a638a3a9e0a738e84b8

MD5 hash:

580a3eb425ff685473ce8efb4102f57d

SHA1 hash:

f74867d322ab1f6ff47a03e0e762ffd222d5809e

Link:

https://www.unpac.me/results/a7dfc437-886d-455d-ada4-fa743e5e764a/

Malware family:

Netwire

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/811690717824/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/811690717824917911f152507cf4232df4aec5f198a57a638a3a9e0a738e84b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

exe 811690717824917911f152507cf4232df4aec5f198a57a638a3a9e0a738e84b8

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2229647/

Cape

https://www.capesandbox.com/analysis/277735/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-06-08 10:01:57 UTC

url : hxxp://192.3.194.246/fresh.exe