MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8dc073cc9c71f0ef0e77d8942a776886d3913d6c44d0348c363ba582c1d89143. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8dc073cc9c71f0ef0e77d8942a776886d3913d6c44d0348c363ba582c1d89143
SHA3-384 hash: 5e6d09cf0629862d868ab921aa773fe09d56a32b49929b5ff027d88b173cba5f25f46d68c2f1572adf46a171afda2997
SHA1 hash: fa7b809286f880f938529680fe9ac15f1af4cd6c
MD5 hash: 76dcf81a67e2661ad35a3270b38f7513
humanhash: ack-massachusetts-enemy-triple
File name:8DC073CC9C71F0EF0E77D8942A776886D3913D6C44D03.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:3'161'218 bytes
First seen:2022-09-04 05:51:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 49152:kAI+tes2jTe59++yYZSk55P/eRK+FuuI9xYJdn5tvkRo8u4Cfyqv:kAI+tx2v8AYZSkGRK0uuIozzvk0v
TLSH T10DE51234F2E1C6FAC45329B6CD5AB1F160E8AF04CE791C8F6E993E2879762090275D4D
TrID 92.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.8% (.SCR) Windows screen saver (13101/52/3)
1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
0.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 13699696a28ad021 (3 x njrat, 1 x Amadey, 1 x NetWire)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
198.12.91.245:3360

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
198.12.91.245:3360 https://threatfox.abuse.ch/ioc/847733/

Intelligence

File Origin
# of uploads :
1
# of downloads :
556
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8DC073CC9C71F0EF0E77D8942A776886D3913D6C44D03.exe
Verdict:
No threats detected
Analysis date:
2022-09-04 05:53:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/59f73ec8-3cbc-4dd8-ab3e-ddaeaffa33a4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/307679/
Detection(s):
Win.Dropper.Nanocore-9189507-1
Create hunting rule

SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a file in the Program Files subdirectories
Creating a file
Modifying a system file
Creating a process from a recently created file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/36579/overview
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
67%
Tags:
fingerprint greyware nanocore overlay packed shell32.dll strictor
Link:
https://www.filescan.io/uploads/63143db079105e0996e81cf3/reports/4ca5975d-1fcc-4765-a11c-04d85e37ed70/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/554cd435-1af4-4dd0-ab9a-cf3ed3e90b7a
Result
Threat name:
NetWire, AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1064665
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Adds a new user with administrator rights
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: NetWire
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected NetWire RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 697187 Sample: 8DC073CC9C71F0EF0E77D8942A7... Startdate: 04/09/2022 Architecture: WINDOWS Score: 100 87 alice2019.myftp.biz 2->87 99 Snort IDS alert for network traffic 2->99 101 Multi AV Scanner detection for domain / URL 2->101 103 Malicious sample detected (through community Yara rule) 2->103 105 15 other signatures 2->105 9 8DC073CC9C71F0EF0E77D8942A776886D3913D6C44D03.exe 14 10 2->9         started        13 svchost.exe 2->13         started        16 dwm.exe 2->16         started        18 10 other processes 2->18 signatures3 process4 dnsIp5 73 C:\Users\user\AppData\Local\Temp\dwm.exe, PE32 9->73 dropped 75 C:\Users\user\AppData\Local\...\temp_0.tmp, Microsoft 9->75 dropped 77 C:\Program Files (x86)\...\Uninstall.exe, PE32 9->77 dropped 79 C:\Program Files (x86)\...\Set-up.exe, PE32 9->79 dropped 115 Drops PE files with benign system names 9->115 20 dwm.exe 5 6 9->20         started        24 Set-up.exe 1 11 9->24         started        95 192.168.2.1 unknown unknown 13->95 81 C:\Windows\Temp\glefgiuu.inf, Windows 13->81 dropped 117 Antivirus detection for dropped file 13->117 119 Multi AV Scanner detection for dropped file 13->119 121 Machine Learning detection for dropped file 13->121 123 Injects a PE file into a foreign processes 13->123 26 netiougc.exe 13->26         started        29 powershell.exe 13->29         started        31 cmstp.exe 13->31         started        83 C:\Windows\Temp\p32iqiwx.inf, Windows 16->83 dropped 125 Writes to foreign memory regions 16->125 127 Allocates memory in foreign processes 16->127 129 Adds a directory exclusion to Windows Defender 16->129 33 grpconv.exe 16->33         started        35 powershell.exe 16->35         started        39 2 other processes 16->39 97 127.0.0.1 unknown unknown 18->97 131 Query firmware table information (likely to detect VMs) 18->131 133 Changes security center settings (notifications, updates, antivirus, firewall) 18->133 37 consent.exe 18->37         started        file6 signatures7 process8 dnsIp9 71 C:\Windows\Cursors\...\svchost.exe, PE32 20->71 dropped 107 Antivirus detection for dropped file 20->107 109 Multi AV Scanner detection for dropped file 20->109 111 Machine Learning detection for dropped file 20->111 113 6 other signatures 20->113 41 diskperf.exe 20->41         started        45 net.exe 20->45         started        47 net.exe 20->47         started        53 7 other processes 20->53 91 alice2019.myftp.biz 26->91 49 conhost.exe 29->49         started        93 alice2019.myftp.biz 33->93 51 conhost.exe 35->51         started        file10 signatures11 process12 dnsIp13 89 alice2019.myftp.biz 198.12.91.245, 3360, 49725, 49732 AS-COLOCROSSINGUS United States 41->89 85 C:\Users\user\AppData\Roaming\...\sqlite3.dll, PE32 41->85 dropped 55 conhost.exe 45->55         started        57 net1.exe 45->57         started        59 conhost.exe 47->59         started        61 net1.exe 47->61         started        63 conhost.exe 53->63         started        65 conhost.exe 53->65         started        67 net1.exe 53->67         started        69 6 other processes 53->69 file14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8dc073cc9c71f0ef0e77d8942a776886d3913d6c44d0348c363ba582c1d89143/
Threat name:
ByteCode-MSIL.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2022-07-30 20:13:00 UTC
File Type:
PE (Exe)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rxahhte4ohyo6dtx3ckcu53iq3jzcplmitidjdbwhosyfqoysfbq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet discovery evasion persistence rat stealer trojan
Link:
https://tria.ge/reports/220904-gkxlwsbadm/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Windows security modification
Executes dropped EXE
Grants admin privileges
NetWire RAT payload
Netwire
Windows security bypass
Malware Config
C2 Extraction:
alice2019.myftp.biz:3360
Unpacked files
SH256 hash:
3a3c2a569dfd7c49fea20c4e3a72ab8d7e47be7cff5a36d21eab06b2b499141c
MD5 hash:
92484b72cfe7c74149135ed547ead069
SHA1 hash:
1c085ad68ac12146a2afb08f07739d8a1008330e
Link:
https://www.unpac.me/results/0e3597c2-cc25-41e5-9ff7-05e947faad7d/
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/0e3597c2-cc25-41e5-9ff7-05e947faad7d/
SH256 hash:
f631ffe76d6fd1636d5738eaa32fa6d5c424859909c1541595bab0df2f2d4371
MD5 hash:
4229c419d1b0a843360cbc92b76f0e2b
SHA1 hash:
a8ebec2f585f10c08a8f41507e18a5c840abbb5e
Link:
https://www.unpac.me/results/0e3597c2-cc25-41e5-9ff7-05e947faad7d/
SH256 hash:
8dc073cc9c71f0ef0e77d8942a776886d3913d6c44d0348c363ba582c1d89143
MD5 hash:
76dcf81a67e2661ad35a3270b38f7513
SHA1 hash:
fa7b809286f880f938529680fe9ac15f1af4cd6c
Link:
https://www.unpac.me/results/0e3597c2-cc25-41e5-9ff7-05e947faad7d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8dc073cc9c71/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8dc073cc9c71f0ef0e77d8942a776886d3913d6c44d0348c363ba582c1d89143

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/307679/

Comments