MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bf0c3505263c0d5101750057d26a58377b6af83db9fad3ec45bd412c2121d7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bf0c3505263c0d5101750057d26a58377b6af83db9fad3ec45bd412c2121d7a
SHA3-384 hash: 2afa356dd3600e7843530462a4188ed7e8e52ec3394726d54e7d11d26268e68368745aed27fae0ab392900eeb3414b66
SHA1 hash: 825f06b14b5150c0b76398b01969bf13c27d09c9
MD5 hash: 8562b4db21d7ab120b4164026146663b
humanhash: social-dakota-edward-video
File name:8BF0C3505263C0D5101750057D26A58377B6AF83DB9FA.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:625'594 bytes
First seen:2022-09-26 09:26:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fe895aedd16ceec2ae2be0942fa7418d (1 x NetWire)
ssdeep 12288:vBJ1YFRuFKa00Cl3MY5ygMiQOjgONQkS49tN0i/vO80Wynic9:vVER/0Cl3MYRnNQM9tN0kv8jl
TLSH T17BD4AF23E6914C3BC0631D7CAC975B689826BD013E64DC067EE81E4C4F3939179E9E97
TrID 46.5% (.EXE) InstallShield setup (43053/19/16)
15.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
14.1% (.SCR) Windows screen saver (13101/52/3)
7.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00c292d2d2d2d200 (3 x DBatLoader, 2 x RemcosRAT, 1 x NetWire)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
184.105.237.196:3871

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
184.105.237.196:3871 https://threatfox.abuse.ch/ioc/851747/

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313534/
Detection(s):
Win.Dropper.Remcos-9761322-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39198/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
fareit keylogger overlay packed remcos upatre virus
Link:
https://www.filescan.io/uploads/6331712ffbcd636ef748eb8e/reports/426fe680-c768-4887-9c8c-cc45c252e378/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73c7f59a-cce9-40e0-b259-2f62f0a2e623
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1077198
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8bf0c3505263c0d5101750057d26a58377b6af83db9fad3ec45bd412c2121d7a/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-09-22 23:49:00 UTC
File Type:
PE (Exe)
Extracted files:
93
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rpymgucsmpankeaxkacx2jvfqn33nl4d3op22pwelpkbfqqsdv5a._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:netwire botnet persistence rat stealer trojan
Link:
https://tria.ge/reports/220926-leq95sace7/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
ModiLoader, DBatLoader
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
https://cdn.discordapp.com/attachments/720370823554138118/753853112418041956/Wxhkvco
fuckfuck0.ddns.net:3871
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bfbad50a-5a57-4224-80a8-69bdd0399469
Unpacked files
SH256 hash:
f0409f285c95707ea5f1c80ca1fcb1e992211a4440725ee8f94d38f6d90cdeb0
MD5 hash:
7457c78898b05a7ea4b2fb125ddf9a3f
SHA1 hash:
e4860a47bea08a4c937d919b7f5ce64671e1d205
Detections:
win_dbatloader_g0
Create hunting rule
Link:
https://www.unpac.me/results/9d5018d4-00c1-4413-8cc8-a7e400a4d88a/
SH256 hash:
8bf0c3505263c0d5101750057d26a58377b6af83db9fad3ec45bd412c2121d7a
MD5 hash:
8562b4db21d7ab120b4164026146663b
SHA1 hash:
825f06b14b5150c0b76398b01969bf13c27d09c9
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/9d5018d4-00c1-4413-8cc8-a7e400a4d88a/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8bf0c3505263/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8bf0c3505263c0d5101750057d26a58377b6af83db9fad3ec45bd412c2121d7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_ArtraDownloader2_Aug19_1
Create hunting rule
Author:Florian Roth
Description:Detects ArtraDownloader malware
Reference:https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:MAL_ArtraDownloader2_Aug19_1_RID30FB
Create hunting rule
Author:Florian Roth
Description:Detects ArtraDownloader malware
Reference:https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest7
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.
Rule name:win_netwire_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:NetWiredRC

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/313534/

Comments