MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 869fa23919d381e4af0d8c04881d65ad842cb96020da5c1e16f65c48190d3eef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 869fa23919d381e4af0d8c04881d65ad842cb96020da5c1e16f65c48190d3eef
SHA3-384 hash: e4a908ec4a822ab0cc4f4089587f3a8e776ad1116ad3142b8331d3f80f15383e37868d1aa75340dcbe48fd296e1d3792
SHA1 hash: 2a3d233fed9ea294b049061fe85e471cabc83f97
MD5 hash: 5df0240aa06b38e1a88fde9c6c5c306e
humanhash: crazy-lemon-sixteen-delaware
File name:PO-9768708-Hyundai-09221-6138 pdf.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:719'360 bytes
First seen:2022-05-04 05:16:01 UTC
Last seen:2022-05-04 05:40:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:/oSZx2L2Im3h2C2NT+bEYysqDrdW3Z3XVo9VwDGtXwxacE:n2w3r2T+bL3uOZ3FoLfgxacE
Threatray 1'048 similar samples on MalwareBazaar
TLSH T1A7E40110B6678897C27507B292E651A003F62E4EE016D38B2EE513D6B7237FA1DC4F97
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 1f3774d468310b06 (1 x NetWire)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
62.113.215.200:2983

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
62.113.215.200:2983 https://threatfox.abuse.ch/ioc/548048/

Intelligence

File Origin
# of uploads :
2
# of downloads :
418
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
PO-9768708-Hyundai-09221-6138 pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-05-04 05:20:22 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/8a3fed2f-0a5e-41bc-8759-a6e806742071

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/268517/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.AgentTesla.ERR.MTB.30581.17593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/62720c1d0d3e2bd52d274d78/reports/2b23978d-8283-40c3-a58c-b1363a82c34f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/987485
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/869fa23919d381e4af0d8c04881d65ad842cb96020da5c1e16f65c48190d3eef/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-04 03:39:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q2p2eoiz2oa6jlynrqciqhlfvwcczolaednfyhqw6zoeqginh3xq._file
Verdict:
malicious
Similar samples:
1358ae104519c839bd0061450f88c14cf807dfbea7e5125b92c476119eb05b13
NetWire
1b4e95e41bfcdfb87d4d21958cd3a794171978418067b0d003d37fc35e2d8b71
NetWire
1e1598cc98aed52a46c1e28d2bf775232d01d6698eec3d3eadbc3a039167ed8b
NetWire
a2700363ab4167505a43f933449a4b25a9036f8fae65e46e28b9bb1ce319e9cb
NetWire
afd47bb332ef06bf7c4f7c4a4470cf5b6e2acb6c4db3b3e6f453ff0dfc4a63f7
NetWire
b9d9fc33dc623971bbbf29c9ba63b81e71177163aa404366622fd3f083b89136
NetWire
f618dcbc522a7fcd1b196f9af050ddd1c5cd8d16e460c26cdb1ada8af00f9021
NetWire
+ 1'038 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/220504-fx5ycsdba4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
a66f268f1d85d39f01517e39e6118464e73d84b8f4f730792c00dbf805b6dfbb
MD5 hash:
dd009fa5ef8b5f57b6028c460eaf07c0
SHA1 hash:
d9c08c33764a94932731ccbe6c368151941c63e4
Link:
https://www.unpac.me/results/31d86f2d-7bbc-4d7c-8787-19660b879c3b/
SH256 hash:
553f74bd9189509de5e5e143e2995ee60003cfc95cda9a9f69ceabb2240f7f4b
MD5 hash:
b297c1828530266969e3d8cad6936f81
SHA1 hash:
aa303b0bab34c53dbcfbf091586d9e3ec9e9b5ef
Detections:
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/31d86f2d-7bbc-4d7c-8787-19660b879c3b/
Parent samples :
869fa23919d381e4af0d8c04881d65ad842cb96020da5c1e16f65c48190d3eef
3a01de5d3ac9d4bc94221c451ab5fb25d154b032c7b7e8d20f5cbb380434beed
f44a73e6b77e302b6b0f4c2a2f93860dd7d69a01219b2aa5d0a0fb3937ea5f70
SH256 hash:
f7596dc7200ac9ce4d030e9a8801a35b5b1a35e87aaf5ce8e227c2cbae2675d4
MD5 hash:
3d8cf80a54f67fca60213d40fad43c46
SHA1 hash:
c8e41eba2634a707da5797f144205fef0d9ec7c5
Link:
https://www.unpac.me/results/31d86f2d-7bbc-4d7c-8787-19660b879c3b/
SH256 hash:
044e6e22943ac21887eaef4daf70bc43b8d7b54b7160ecc2e0b6ff77a6832a99
MD5 hash:
0512fe61b5e75a5aa25f0c17882292cd
SHA1 hash:
3b05ecfbb15a15fd46a9d9b588620454b6361745
Link:
https://www.unpac.me/results/31d86f2d-7bbc-4d7c-8787-19660b879c3b/
SH256 hash:
869fa23919d381e4af0d8c04881d65ad842cb96020da5c1e16f65c48190d3eef
MD5 hash:
5df0240aa06b38e1a88fde9c6c5c306e
SHA1 hash:
2a3d233fed9ea294b049061fe85e471cabc83f97
Link:
https://www.unpac.me/results/31d86f2d-7bbc-4d7c-8787-19660b879c3b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/869fa23919d381e4af0d8c04881d65ad842cb96020da5c1e16f65c48190d3eef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/268517/

Comments