MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d30b1713bdbee571ed08365e29d34de1fd0d152a9d816a1e315d92b384f94e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d30b1713bdbee571ed08365e29d34de1fd0d152a9d816a1e315d92b384f94e9
SHA3-384 hash: 9db7920d9a055f2141f0e6d0f3b9b7b189ccb9124076cab1e4ced98bf768da0bfa63a91be5799ca63194a2a247003479
SHA1 hash: 754c7e767823aa6b39db9266c3fbd6f466b942a8
MD5 hash: ba419928d6a9ef178f04260d57f1df7e
humanhash: ceiling-rugby-mike-autumn
File name:Payment confirmation.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:848'896 bytes
First seen:2022-08-01 11:57:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:tKElSfbt2iNxlsG2NN5sqdtbE/CFrVtfrI04yx+6+7TmPAFOS5erDAgaojrNkDVw:tNlot1l2NN5vdpG4jTL4gk43
Threatray 1'850 similar samples on MalwareBazaar
TLSH T1B505F79CB21172DFC957C872CA981C64EA5176BB831F9203A02725ADDA1D8E7DF148F3
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter GovCERT_CH
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
395
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295574/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Siggen18.28299.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62e7c0575c07b66577e6b51e/reports/85cce55d-210c-40dc-930b-0446ab70563f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4793a96-28e5-425c-8d6a-1aecd7acd5bb
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1044135
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d30b1713bdbee571ed08365e29d34de1fd0d152a9d816a1e315d92b384f94e9/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-01 09:43:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ruylc4j33pxfohwqqns6fhju3yp5buksvhmbnipdcxmswocpstuq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
5712e0a231e705d4438c09a5aacfdb9b753f9a2cc8a110c2b13606cdac708d42
NetWire
7d43cddf5679f4233ebf701f89050ec267f892165a4c34084ad65963af7ebc36
NetWire
9a558d058307b8c1ef997ef5aa803d4e1f91b94c3c4df9bf038c4b445713a37c
NetWire
9d9f53c7d4040936c0ce96e3a93c551e3f0823eb2b10f72f5a7def2881be346b
NetWire
bcc6ba14b357c5f88e7e495d16411be6d488918c743214018db2c8e45961fd94
NetWire
d2723a5c5c192b80edf6e6ed6d033cd1f916ad9bffefed86ebd6120499c4a058
NetWire
+ 1'840 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/220801-n456pshbbn/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
185.140.53.61:3363
185.140.53.61:3365
Unpacked files
SH256 hash:
5e97ccd8dafcb36b3cb772f6a2fd425abcf221ab9ea1930e8c2618c95332f2c6
MD5 hash:
01800f6b045def8d90c649842f56d752
SHA1 hash:
f8434a4636d0772d01aac44bb3f9753a41f01d34
Link:
https://www.unpac.me/results/ffd5c11e-e12d-4aea-9c49-e0297b4069b9/
SH256 hash:
b5be3a13a15fc4e760c824e5f82a4a73db1adee9f8fcbb29d197f4f04727edb4
MD5 hash:
54d3f3d2a72a302ddd014c9769922f88
SHA1 hash:
b083aae8204f319ab80cc40d1d20ecdacb13954b
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/ffd5c11e-e12d-4aea-9c49-e0297b4069b9/
Parent samples :
8d30b1713bdbee571ed08365e29d34de1fd0d152a9d816a1e315d92b384f94e9
59c95c7e7882d8eafd5314cda19c7fd39a25da55f7ea6109025693a17d5ec6f7
6ace19befa598ac3913865abf5fea0eac3d66b77425a9700274094d58b50630f
6ad8db92a404b43169c0a93eea5f957867b6c2b10067fbf081192d9c25c3687c
cdee2421636a518cb027f5670691b8f879676a67516d7fb525432ca74efe6bee
e29897654f6d41445ee402a68379f5b87519d4c62528ee1267f65002672ebd26
SH256 hash:
a1bbdb17b97ca9a6ac17317ec71d163fca90b83dc2612aa13d661d62fa5e24e4
MD5 hash:
94cecfedc0df8341b52ae541e5e52fb0
SHA1 hash:
114f0b1af33b677c082f012155362f8dd748888b
Link:
https://www.unpac.me/results/ffd5c11e-e12d-4aea-9c49-e0297b4069b9/
SH256 hash:
8d30b1713bdbee571ed08365e29d34de1fd0d152a9d816a1e315d92b384f94e9
MD5 hash:
ba419928d6a9ef178f04260d57f1df7e
SHA1 hash:
754c7e767823aa6b39db9266c3fbd6f466b942a8
Link:
https://www.unpac.me/results/ffd5c11e-e12d-4aea-9c49-e0297b4069b9/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8d30b1713bdb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d30b1713bdbee571ed08365e29d34de1fd0d152a9d816a1e315d92b384f94e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.
Rule name:win_netwire_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:NetWiredRC

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe 8d30b1713bdbee571ed08365e29d34de1fd0d152a9d816a1e315d92b384f94e9

(this sample)

  
Dropped by
netwire
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/295574/

Comments