MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90bb157f9c5241f567eb56be38e3ba9f51a0ec5a8da3c77fdb1bed1f2095c39b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90bb157f9c5241f567eb56be38e3ba9f51a0ec5a8da3c77fdb1bed1f2095c39b
SHA3-384 hash: b798702c1b5bce56738b8ea72d9b4ac029784259066457dcfa4546f31cd9d7ea628d9f30682fb945fe83dacb4ccf9f82
SHA1 hash: 85cc76ba184adde81799ef4174d2412aba7c8dfd
MD5 hash: 5c145bcd4ec07ab79558d72affbed677
humanhash: eight-nevada-speaker-three
File name:Proof of Payment.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'104'621 bytes
First seen:2020-08-28 06:32:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:JAOcZypZR/eoUGEsBXPn1hMYsfpOYxg539FQZMaBQi2ji:jhR/eoJEGXNhM3fdxw96ZMAR
Threatray 488 similar samples on MalwareBazaar
TLSH 65351202B7D688B2D0320E3149266B21AD7C3D215F29DA2FA3E4197DEE751D19721BF3
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: mail.genoxy.tk
Sending IP: 45.147.162.159
From: Notification@nedbank.co.za
Reply-To: No-repIy@nedbank.co.za
Subject: Payment Notification
Attachment: Proof of Payment.z (contains "Proof of Payment.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/52198/
Detection(s):
Win.Dropper.NetWire-9102409-0
Create hunting rule

Win.Malware.Vasal-9406011-0
Create hunting rule

Win.Malware.Nanocore-9406023-1
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Sending a UDP request
Creating a process from a recently created file
Creating a file
Creating a file in the %temp% directory
Adding an access-denied ACE
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/453287
Signature
Drops PE files with a suspicious file extension
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected AntiVM autoit script
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 279014 Sample: Proof of Payment.exe Startdate: 28/08/2020 Architecture: WINDOWS Score: 88 59 Malicious sample detected (through community Yara rule) 2->59 61 Yara detected NetWire RAT 2->61 63 Yara detected AntiVM autoit script 2->63 65 3 other signatures 2->65 14 Proof of Payment.exe 29 2->14         started        17 ghjn.pif 2->17         started        process3 file4 57 C:\Users\user\AppData\Roaming\...\ghjn.pif, PE32 14->57 dropped 19 ghjn.pif 4 3 14->19         started        22 wscript.exe 1 17->22         started        process5 signatures6 67 Multi AV Scanner detection for dropped file 19->67 24 wscript.exe 1 19->24         started        26 ghjn.pif 22->26         started        process7 process8 28 ghjn.pif 24->28         started        30 wscript.exe 26->30         started        process9 32 wscript.exe 1 28->32         started        34 ghjn.pif 30->34         started        process10 36 ghjn.pif 32->36         started        38 wscript.exe 34->38         started        process11 40 wscript.exe 36->40         started        42 ghjn.pif 38->42         started        process12 44 ghjn.pif 40->44         started        47 wscript.exe 42->47         started        file13 55 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 44->55 dropped 49 wscript.exe 44->49         started        51 ghjn.pif 47->51         started        process14 process15 53 ghjn.pif 49->53         started       
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/90bb157f9c5241f567eb56be38e3ba9f51a0ec5a8da3c77fdb1bed1f2095c39b/
Threat name:
Win32.Backdoor.NetWired
Create hunting rule
Status:
Malicious
First seen:
2020-08-28 06:34:07 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sc5rk744kja7kz7lk27dry52t5i2b3c2rwr4o763dpwr6ievyonq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1678611ad4996f718c0a8998ce194dfe117bf47529c4ccad51a6816ecf4f1bb4
NetWire
1acf4f64dbce46e70553494cf02959634528477066cc736e3f49df3bb6253923
NetWire
28d1ce2d141fcfc52b6b8a81f5424920ba2818a14e8ac201446697ff977082de
NetWire
2df93867afcfa816f19559f8afdc82701ff580a9c72906d2fb34b9ad9e6fb9ea
NetWire
3a61804bb8302d42eb46c25a884cf50e7e6e383a9a48bfbfb1cfbe78ed2ed389
NetWire
4d13350ebf3d38475a0a4a8c223fe6c06e00af3585eb499f60e29639b3944d3f
NetWire
6d833bd671f179c8dfdf89aac0bc77cd7bb49f82a98cbf5d8122a9d47fa98e9f
NetWire
7cb987616a272b3f90faa060b9671d72cdb3c2fecd398b9c50fac1449379282b
NetWire
9d1f32d9806bafd63451a59e1768502f31cf9dc746c9e92f62b978c1ed259497
NetWire
e34ce3660cbabe945aadb571016cbd7e73ca4a7baa6e9cd64a3615b6474ccdc8
NetWire
+ 478 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
rat persistence keylogger trojan stealer spyware family:nanocore botnet family:netwire
Link:
https://tria.ge/reports/200828-86appddf8j/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
NanoCore
NetWire RAT payload
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90bb157f9c5241f567eb56be38e3ba9f51a0ec5a8da3c77fdb1bed1f2095c39b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

zip 811227a58fc1bf2bc0bd43ce924c363e3efcae6c7a466f2617793d9d2d4ca942

NetWire

Executable exe 90bb157f9c5241f567eb56be38e3ba9f51a0ec5a8da3c77fdb1bed1f2095c39b

(this sample)

  
Dropped by
MD5 4666415fc65e06af2d44c98fe5784983
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/52198/
  
Dropped by
SHA256 811227a58fc1bf2bc0bd43ce924c363e3efcae6c7a466f2617793d9d2d4ca942

Comments