MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84b059bbd79f2a5484b3cc1f9bbd05786ce6bfb7e55d1bdbbe4659237b55899f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84b059bbd79f2a5484b3cc1f9bbd05786ce6bfb7e55d1bdbbe4659237b55899f
SHA3-384 hash: b384955732368d5a3c428b680b8199268c00ed736d19d6dc8a0033d659ffaa6df1f22fc8362c34da21662a6144ebfe18
SHA1 hash: 2f637c78eb095d57443db1e690e545ac5901e0bc
MD5 hash: 3cee8a0164ab5b36ea03a4b0e111fabb
humanhash: timing-salami-wyoming-robert
File name:84b059bbd79f2a5484b3cc1f9bbd05786ce6bfb7e55d1bdbbe4659237b55899f
Download: download sample
Signature NetWire
Create hunting rule
File size:470'016 bytes
First seen:2020-11-15 23:21:00 UTC
Last seen:2020-11-16 00:42:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f0922943cd5e72743dc95ef474069cfd (8 x AgentTesla, 8 x NanoCore, 5 x NetWire)
ssdeep 12288:trZQw9z/6mXQVn7KOGDB+7w2tkoMB30LoF7:trT9mjVn7KhD0pGB34
Threatray 315 similar samples on MalwareBazaar
TLSH EEA423F1D8A184E0E63A8570F4379EFB2A5BC1480E0C78295CA1D745BD7A3E38BE9157
Reporter seifreed
Tags:NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
348
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Deleting a recently created file
Sending a UDP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/536789
Signature
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 317493 Sample: K4LBgqdSZB Startdate: 16/11/2020 Architecture: WINDOWS Score: 100 46 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected NetWire RAT 2->50 52 2 other signatures 2->52 8 K4LBgqdSZB.exe 2->8         started        11 Host.exe 2->11         started        13 K4LBgqdSZB.exe 2->13         started        process3 signatures4 54 Contains functionality to log keystrokes 8->54 56 Contains functionality to steal Internet Explorer form passwords 8->56 58 Contains functionality to steal Chrome passwords or cookies 8->58 60 Contains functionality to detect sleep reduction / modifications 8->60 15 K4LBgqdSZB.exe 3 8->15         started        18 K4LBgqdSZB.exe 8->18         started        62 Maps a DLL or memory area into another process 11->62 20 Host.exe 11->20         started        22 Host.exe 11->22         started        24 K4LBgqdSZB.exe 13->24         started        26 K4LBgqdSZB.exe 13->26         started        process5 file6 42 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 15->42 dropped 28 Host.exe 15->28         started        31 K4LBgqdSZB.exe 18->31         started        process7 signatures8 64 Multi AV Scanner detection for dropped file 28->64 66 Machine Learning detection for dropped file 28->66 68 Maps a DLL or memory area into another process 28->68 70 Contains functionality to detect sleep reduction / modifications 28->70 33 Host.exe 3 28->33         started        36 Host.exe 28->36         started        38 K4LBgqdSZB.exe 31->38         started        40 K4LBgqdSZB.exe 31->40         started        process9 dnsIp10 44 43.226.229.43, 2030 SOFTLAYERUS Hong Kong 33->44
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84b059bbd79f2a5484b3cc1f9bbd05786ce6bfb7e55d1bdbbe4659237b55899f/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 23:22:49 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qsyfto6xt4vfjbftzqpzxpifpbwonp5x4vorxw56izmsg62vrgpq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1254f2a5cf88750e22a29c78e1e316cd034d3763302bfafaea0ceac3fec49e1e
NetWire
2388b2c1717d5f5741c2730b205a04d627d2cb6a1d4f781fb2f5fae3fa508e76
NetWire
3434bb383c8dd721266f60e07820474205d70c5da9ebb465109ace7894567437
NetWire
940ca9e10bfa12f912ed6d60e827f89726fd036eadafa77eff33a7168b59839a
NetWire
a170710f4db4414908be1c82fc27c902e9d0680fc2bfa76c6c52037febfeeb77
NetWire
a9a8374950d68997b782dca8ae2464aa81709c2f51bcc8fdb1abdcfb5b40c521
NetWire
b5f9a952c4009061a21147103fc6d762c60e070fc588cab92846fc1c29679715
NetWire
de7a446a8d4bd4c53ba8ac5b909252692e79b27cd9e7abb6396e62e22274b3b4
NetWire
e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd
NetWire
ffd24bd48e21a03c0b7fc884a12bd22e88e8d56735d810fccb64e6e6ca27768d
NetWire
+ 305 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer upx
Link:
https://tria.ge/reports/201115-89trbh3hfe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
84b059bbd79f2a5484b3cc1f9bbd05786ce6bfb7e55d1bdbbe4659237b55899f
MD5 hash:
3cee8a0164ab5b36ea03a4b0e111fabb
SHA1 hash:
2f637c78eb095d57443db1e690e545ac5901e0bc
Link:
https://www.unpac.me/results/28cd8cb4-bc26-4015-9996-a7ed5cd7426f/
SH256 hash:
cf9b5e889a331411137d01a7fcbbf7a17814fe9af39c14050424c09f68031706
MD5 hash:
6023c57d932e2df808133e1aa66bc5ce
SHA1 hash:
f0b8baeb2a71de3d8622abaa3ab4f54f65f0a831
Link:
https://www.unpac.me/results/28cd8cb4-bc26-4015-9996-a7ed5cd7426f/
SH256 hash:
1ef852296cf26a66b448fefb9cd2ee206966d381a17d694c49c0ceec8711f187
MD5 hash:
a9b4da412cb30e80199c4694bb9513cb
SHA1 hash:
35b2514951d0c19316e7da76aad871065c0fe139
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/28cd8cb4-bc26-4015-9996-a7ed5cd7426f/
Parent samples :
2388b2c1717d5f5741c2730b205a04d627d2cb6a1d4f781fb2f5fae3fa508e76
61fd33e67dd2c5b06907d8a68d5b5a5156388777487bc9691c9b499e9e1a3ae9
84b059bbd79f2a5484b3cc1f9bbd05786ce6bfb7e55d1bdbbe4659237b55899f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84b059bbd79f2a5484b3cc1f9bbd05786ce6bfb7e55d1bdbbe4659237b55899f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments