MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87ce6467d71023d696315cd06d578f2a17218012beba5502744779614fc67f08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 2 File information Comments

SHA256 hash:	87ce6467d71023d696315cd06d578f2a17218012beba5502744779614fc67f08
SHA3-384 hash:	e5a61867e5096c9d399af9d0269190d468277990155f84b36551508c0589cfd4e8c91b0ba1a047ae06b3441ec0804f8a
SHA1 hash:	1500830e31d710531398faec93e0d72ce5ff3f22
MD5 hash:	4f1dde6a0e85ec1f25111ff2e89dd9b8
humanhash:	leopard-purple-winter-stream
File name:	Proof of payment.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	815'616 bytes
First seen:	2022-09-20 15:15:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:hJp7/xpfrKI9Ne/flL3MICFcG52Kh2mIDQfdADqjJ5n:9vfr1kN3NCWGT6Qljr
Threatray	111 similar samples on MalwareBazaar
TLSH	T14E051A2025EB521CF4BA9BB91FD4B4F64D9BFE71252AB0FA24A163464B33E04CDE1135
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe NetWire RAT

abuse_ch

NetWire C2:
37.0.14.214:3346

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
37.0.14.214:3346	https://threatfox.abuse.ch/ioc/850617/

Intelligence

File Origin

# of uploads :

# of downloads :

248

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netwire

ID:

File name:

Proof of payment.exe

Verdict:

Malicious activity

Analysis date:

2022-09-20 15:15:43 UTC

Tags:

trojan netwire

Link:

https://app.any.run/tasks/87ac044c-6cad-4059-a446-66fdcbf4599e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/311718/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.FQW.gen.Eldorado.32289.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6329d9f1e64c53f047f8439b/reports/871820a5-17b7-4cdf-a6db-c7dc6f76a981/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3e63d90f-d8ca-4182-a02b-7b4019eb6a71

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1073832

Signature

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Netwire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

netwire

Link:

https://mwdb.cert.pl/sample/87ce6467d71023d696315cd06d578f2a17218012beba5502744779614fc67f08/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-09-20 15:16:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=q7hgiz6xcar5nfrrltig2v4pfilsdaasx25fkatui54wct6gp4ea._file

Verdict:

malicious

Label(s):

netwirerc

NetWire

3dddb479a1240c5cfdc2636cdd8bc0ecd3d2e9da37a6b4d73e206a768cc24181

NetWire

78a34fd37cc442092f3a04e644171e6f88bd95a0d0a71e14da814c42e86c5be9

NetWire

7dbd922cbaeb1e527c1f5816f6f6d7a2d768f46014ed0235924411eb1721c542

NetWire

bc7a7312a0b437df65d203117337461ac6fb0db097fe24f9e9acdb4c42480c6c

NetWire

ccbe221a1b6dcd936a03136f1dc2741d086ae4513a903389dc789b540143ced2

NetWire

+ 101 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet evasion rat stealer

Link:

https://tria.ge/reports/220920-snfy4ahbam/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

37.0.14.214:3346
37.0.14.214:4478
37.0.14.214:3469
37.0.14.214:3565
37.0.14.214:3360
37.0.14.214:5589
37.0.14.214:6425

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6f324bad-97e4-4df1-a368-09e6ad001a17

Unpacked files

SH256 hash:

e9ae8c84b6ce6407410e57d94d1bf64ff09f4ffccd8458cd4078d0e3c9167418

MD5 hash:

994c5d91324028f2e26bd64db88877c4

SHA1 hash:

84474fdde1606edbe0c4e55693ef4ec374b28e3f

Detections:

Netwire

win_netwire_auto

win_netwire_g1

Link:

https://www.unpac.me/results/5b48910b-92fe-4019-ba8e-16b967314253/

SH256 hash:

79dc9d1ed4f0e2889e7e255ac895c153ca29d2cb8365b639878673c82d978c93

MD5 hash:

2d8db335d28f7aca5993b7a75e81655e

SHA1 hash:

6694b014fb11af09f0c67117dc63fb72d4767de1

Link:

https://www.unpac.me/results/5b48910b-92fe-4019-ba8e-16b967314253/

SH256 hash:

4f80ddfe49b270f801ab44aa899153bbe2a0fb93abed0f9fc992f74ff6ab4fde

MD5 hash:

f4ba8570299eabf8fe2d02cc1dc0606a

SHA1 hash:

5d7add32313074f5a1e9b4ab379298dee8b6217e

Link:

https://www.unpac.me/results/5b48910b-92fe-4019-ba8e-16b967314253/

SH256 hash:

87ce6467d71023d696315cd06d578f2a17218012beba5502744779614fc67f08

MD5 hash:

4f1dde6a0e85ec1f25111ff2e89dd9b8

SHA1 hash:

1500830e31d710531398faec93e0d72ce5ff3f22

Link:

https://www.unpac.me/results/5b48910b-92fe-4019-ba8e-16b967314253/

Malware family:

Netwire

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/87ce6467d710/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/87ce6467d71023d696315cd06d578f2a17218012beba5502744779614fc67f08

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/311718/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample