MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85648195f2224ec1ad0531e85ae3128ef57d59b408edbfb5a3c817812960429a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85648195f2224ec1ad0531e85ae3128ef57d59b408edbfb5a3c817812960429a
SHA3-384 hash: 4467d6c4bd675b40b634d59442e4dd34dbc1cd400972af490aea9aee8f9cd27e369dcd8e78c3fc737daf18ad08c9cc9b
SHA1 hash: 9ec274b2c74ad3d3d81b88a6a423f2c1db2999f2
MD5 hash: 9260efe0d8de105190e21d68d612d73e
humanhash: oxygen-glucose-mike-juliet
File name:9260efe0d8de105190e21d68d612d73e
Download: download sample
Signature NetWire
Create hunting rule
File size:526'848 bytes
First seen:2022-01-07 07:25:54 UTC
Last seen:2022-01-07 10:20:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:SuwDoXVvmRkgEVurAbE97tv1J946w66RNPsNGW:Sh2vmRx+urz97J1z4676RNPyf
Threatray 648 similar samples on MalwareBazaar
TLSH T14AB4CE6573A8CF48C5B93BF55460805043B6BE1A6826C20E9EF535CE2E31B93CE65B4F
File icon (PE):PE icon
dhash icon 6947373773594d53 (1 x NetWire)
Reporter zbetcheckin
Tags:32 exe NetWire

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.77:3457 https://threatfox.abuse.ch/ioc/291718/

Intelligence

File Origin
# of uploads :
3
# of downloads :
395
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9260efe0d8de105190e21d68d612d73e
Verdict:
Malicious activity
Analysis date:
2022-01-07 07:32:31 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/c872dea6-e688-4775-984b-a07eed748a25

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217656/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.23682.26904.25444.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware obfuscated packed
Link:
https://www.filescan.io/uploads/61d7eb0f02e388f9fdb24288/reports/42271940-9b6b-4dad-b1cb-390ae49e8b3b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/954bb07f-aabb-4dc5-a683-c844024496a7
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916769
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to steal Chrome passwords or cookies
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549241 Sample: Mw88NVpBmZ Startdate: 07/01/2022 Architecture: WINDOWS Score: 100 75 Multi AV Scanner detection for dropped file 2->75 77 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 6 other signatures 2->81 9 Mw88NVpBmZ.exe 7 2->9         started        13 Host.exe 2->13         started        15 Host.exe 2->15         started        process3 file4 67 C:\Users\user\AppData\Roaming\AIIklJG.exe, PE32 9->67 dropped 69 C:\Users\user\AppData\Local\...\tmp94DC.tmp, XML 9->69 dropped 71 C:\Users\user\AppData\...\Mw88NVpBmZ.exe.log, ASCII 9->71 dropped 85 Contains functionality to steal Chrome passwords or cookies 9->85 87 Uses schtasks.exe or at.exe to add and modify task schedules 9->87 89 Adds a directory exclusion to Windows Defender 9->89 17 Mw88NVpBmZ.exe 3 9->17         started        20 powershell.exe 24 9->20         started        23 schtasks.exe 1 9->23         started        25 powershell.exe 13->25         started        27 schtasks.exe 13->27         started        29 Host.exe 13->29         started        signatures5 process6 file7 65 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 17->65 dropped 31 Host.exe 5 17->31         started        83 Adds a directory exclusion to Windows Defender 20->83 34 powershell.exe 20->34         started        36 schtasks.exe 20->36         started        38 conhost.exe 20->38         started        40 Host.exe 20->40         started        42 conhost.exe 23->42         started        44 conhost.exe 25->44         started        46 conhost.exe 27->46         started        signatures8 process9 signatures10 91 Multi AV Scanner detection for dropped file 31->91 93 Contains functionality to steal Chrome passwords or cookies 31->93 95 Adds a directory exclusion to Windows Defender 31->95 48 Host.exe 31->48         started        51 powershell.exe 31->51         started        53 schtasks.exe 31->53         started        55 Host.exe 31->55         started        57 conhost.exe 34->57         started        59 conhost.exe 36->59         started        process11 dnsIp12 73 mateking3888.linkpc.net 79.134.225.77, 3457, 49771 FINK-TELECOM-SERVICESCH Switzerland 48->73 61 conhost.exe 51->61         started        63 conhost.exe 53->63         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85648195f2224ec1ad0531e85ae3128ef57d59b408edbfb5a3c817812960429a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-06 07:57:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
56
AV detection:
22 of 43 (51.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qvsidfpsejhmdlifghufvyysr32x2wnubdw37nndzalycklaikna._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0538554b73f98f395950af81f30e4fc99407e991babdce510bb61f9f9b56f23e
NetWire
3e4d51c93e584902549b54e3b22595a4f78a87a9eb4648be7af3b5cc6a682078
NetWire
42949a2f912c87695ebffdd714eae9ae470935a2323f75a937fa3521155b3701
NetWire
482a6a0bf95d313de664dec7523d7487995d5f26e1a30b8bc62c0a5e1431fbd7
NetWire
8a5035fd03311d20137b4111bee190142fa9c653ed60e57be2802665fe8bdb24
NetWire
b4ac3be33fd7d731376ea3b504995b465122d8ef268e59e7ded5d433762cc932
NetWire
b5ee8f5810eb5518c8481f845d0bbbdb3e7e1709baeafc3ef7479affd314e91f
NetWire
bdf2ac2fd9106e36b071409e48ba9c1996c4b987b6d28e6baf70046316d27c00
NetWire
d60de14c758c25427363470c83986085c1e46740906b6fa0c946b1483b741696
NetWire
d79ea371b04796b7433a6143387517306bc37835c4cf4c6962e0844325c018ee
NetWire
+ 638 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/220107-h9h1gacdal/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
mateking3888.linkpc.net:3457
Unpacked files
SH256 hash:
d8579688f34281e4176b2889aae4af143212e017e15db3b7fe4f4b82b050af7b
MD5 hash:
4258bbffb5d16286361fe065db86ab5f
SHA1 hash:
c6cc1becdc80f121719da869826da30b0c8a433f
Link:
https://www.unpac.me/results/0b86b9f2-6a4f-4d06-8be0-1f3410e929c7/
SH256 hash:
c30eb38773877ec300c30315d7ba5f918da879803798a0f8951f250fa0e6f8d5
MD5 hash:
6f977c47a43e654c43de470201873b2c
SHA1 hash:
4ca4332c7fcb22553f759cfa8653622706af00d1
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/0b86b9f2-6a4f-4d06-8be0-1f3410e929c7/
SH256 hash:
c88a5a9f1d1f452a735fd128d1b8781315236c21aef60dd3ca6d749e3863d4a0
MD5 hash:
cb5498afeb3287bcc08a84bff8c5e36b
SHA1 hash:
365b9cbdd07197b0d70b6e7b8fe8d7cc74b66be4
Link:
https://www.unpac.me/results/0b86b9f2-6a4f-4d06-8be0-1f3410e929c7/
SH256 hash:
85648195f2224ec1ad0531e85ae3128ef57d59b408edbfb5a3c817812960429a
MD5 hash:
9260efe0d8de105190e21d68d612d73e
SHA1 hash:
9ec274b2c74ad3d3d81b88a6a423f2c1db2999f2
Link:
https://www.unpac.me/results/0b86b9f2-6a4f-4d06-8be0-1f3410e929c7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85648195f2224ec1ad0531e85ae3128ef57d59b408edbfb5a3c817812960429a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe 85648195f2224ec1ad0531e85ae3128ef57d59b408edbfb5a3c817812960429a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1954693/
Cape
Cape
https://www.capesandbox.com/analysis/217656/

Comments


Avatar
zbet commented on 2022-01-07 07:26:00 UTC

url : hxxps://62.171.179.219/wordpress/wp-content/plugins/byaiawmyuq/inv/Copy%20of%20Invoice%20Payment%20Order%20confirmation.pif