MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8dda840eccb53427037b3a06dd5f886c78e6e55fe69d96b256b05176e85172db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 17


Intelligence 17 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8dda840eccb53427037b3a06dd5f886c78e6e55fe69d96b256b05176e85172db
SHA3-384 hash: 4671e9d59c43551f2657d724203b5fcd6d009681bab693f58e089ecc259814d33aebce4c5619a853b61a6cf7d52a5642
SHA1 hash: 76b58185f5aa824e5bafc589aaa6c228b341b239
MD5 hash: d23e1e317d68720216699e1c9e524a78
humanhash: quiet-carpet-lithium-speaker
File name:INV_0893.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'248'871 bytes
First seen:2022-10-03 13:34:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:5AOcZgAgB9ZE+UDuAWGyrb1pUVgfMgLAWDXxo8FVCaWXZWcbISNY:zTAgBLUDqZ1+O3VokCp7U+Y
Threatray 2'617 similar samples on MalwareBazaar
TLSH T178451242BB9D88B1F06319355A35AA315A7D3C204EE0A7DFB3D03B6DDB305D15227BA2
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 26c286aab2524a86 (6 x NetWire, 1 x RemcosRAT)
Reporter JAMESWT_WT
Tags:exe JustClickAm-com NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
https://justclickam.com/INV_0893.exe
Verdict:
Malicious activity
Analysis date:
2022-09-23 21:39:43 UTC
Tags:
trojan netwire
Link:
https://app.any.run/tasks/137078e7-6665-4454-ad8b-bbda0799a644

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316133/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the %temp% directory
Adding an access-denied ACE
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/40866/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/633ae5065c60ccc9fcff2027/reports/e50b6fb2-fff8-491b-8be6-2a55ead926fb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/06772e48-5142-4e3b-ae95-9db34a565ce4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1082506
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files with a suspicious file extension
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM autoit script
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715068 Sample: INV_0893.exe Startdate: 03/10/2022 Architecture: WINDOWS Score: 84 69 Antivirus / Scanner detection for submitted sample 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 Yara detected AntiVM autoit script 2->73 14 INV_0893.exe 62 2->14         started        18 uvbdlqfvw.pif 2->18         started        20 uvbdlqfvw.pif 1 2->20         started        22 uvbdlqfvw.pif 2->22         started        process3 file4 65 C:\Users\user\1_102\uvbdlqfvw.pif, PE32 14->65 dropped 79 Drops PE files with a suspicious file extension 14->79 24 uvbdlqfvw.pif 4 3 14->24         started        28 wscript.exe 18->28         started        30 wscript.exe 20->30         started        32 wscript.exe 22->32         started        signatures5 process6 dnsIp7 67 192.168.2.1 unknown unknown 24->67 75 Antivirus detection for dropped file 24->75 77 Multi AV Scanner detection for dropped file 24->77 34 wscript.exe 1 24->34         started        36 uvbdlqfvw.pif 28->36         started        39 uvbdlqfvw.pif 30->39         started        41 uvbdlqfvw.pif 32->41         started        signatures8 process9 file10 43 uvbdlqfvw.pif 34->43         started        63 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 36->63 dropped 45 wscript.exe 39->45         started        47 wscript.exe 41->47         started        process11 process12 49 wscript.exe 1 43->49         started        51 uvbdlqfvw.pif 45->51         started        process13 53 uvbdlqfvw.pif 49->53         started        process14 55 wscript.exe 53->55         started        process15 57 uvbdlqfvw.pif 55->57         started        process16 59 wscript.exe 57->59         started        process17 61 uvbdlqfvw.pif 59->61         started       
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8dda840eccb53427037b3a06dd5f886c78e6e55fe69d96b256b05176e85172db/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-09-22 09:41:40 UTC
File Type:
PE (Exe)
Extracted files:
110
AV detection:
28 of 41 (68.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rxniidwmwu2coa33hidn2x4inr4onzk742oznmswwbixn2crolnq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
02f864baf71847c5832c94f396bb14ba3fd5c1b7d96936427c358f37a6cfa105
NetWire
2abcdb606044f4db592baa3f9c808bf4fcab2146c49d83ba45a4ccbb20bc8354
NetWire
5e6ed3f0eda07ab20f0de1f4c2f9e355a558de4f53b1f81cadae2f3b2d4609a4
NetWire
69230008ebd4db702b501b5d35d6c5551ae5d1cc779d0bbcf4526f606f332650
NetWire
aa005608adb8e7e3c775383f20f2608164056713bcbb92d0ec5c99994d8af750
NetWire
b002c64f7d0ff0a952b72f31609e683f17bb23313417f6639afdec47d9187b25
NetWire
f3ba07ea43adc68f25d26028ec31b752001be473d77b69d5c89e1ef393d37812
NetWire
ff522148c553515ff4fcec77ffa6e2140c1c8faae3006133f5b82a0f1b8019dd
NetWire
+ 2'607 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/221003-qvnleahde8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
212.193.30.230:3363
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c8c943e9-f9b9-4618-9864-32622b5fb737
Unpacked files
SH256 hash:
9b002495bc198dcb299bc4033f75fb0019c1d77d2f7e6be77d5b4f426bbd469b
MD5 hash:
8553db084183d80ab82417e920eb7ab1
SHA1 hash:
52e598c0434ef579c1ed223f0c439953c2c691a8
Link:
https://www.unpac.me/results/c3eeb2cf-b455-4b0d-8598-a7113e7291e2/
SH256 hash:
f237c46923a6575179a2d8c8c8f95b3f3a07b479de3a398ee99ce1dbba5872ac
MD5 hash:
79d9011acf9a55d7ca861fbe30a828dd
SHA1 hash:
c951fcae46bc1908b7d2321334bf5bc1bab2a314
Detections:
Netwire
Create hunting rule
win_netwire_auto
Create hunting rule
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/c3eeb2cf-b455-4b0d-8598-a7113e7291e2/
SH256 hash:
d1fa3e8165b12cbe97056859637049b49a9c3afc591940c299b7aa230e01d9ef
MD5 hash:
fb815f8b72a9f28985e594ce82fbaf54
SHA1 hash:
0ed68894428d6b83c7e8654dcb8963e5f3a59dc6
Link:
https://www.unpac.me/results/c3eeb2cf-b455-4b0d-8598-a7113e7291e2/
SH256 hash:
8dda840eccb53427037b3a06dd5f886c78e6e55fe69d96b256b05176e85172db
MD5 hash:
d23e1e317d68720216699e1c9e524a78
SHA1 hash:
76b58185f5aa824e5bafc589aaa6c228b341b239
Link:
https://www.unpac.me/results/c3eeb2cf-b455-4b0d-8598-a7113e7291e2/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8dda840eccb5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8dda840eccb53427037b3a06dd5f886c78e6e55fe69d96b256b05176e85172db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:malware_netwire_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:netwire
Create hunting rule
Author:jeFF0Falltrades
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest8
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:win_netwire_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:NetWiredRC

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316133/

Comments