MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91f4cceeb3b8d11e2408bd72aead7513f7031226e5ebc969611379b1bd04256a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91f4cceeb3b8d11e2408bd72aead7513f7031226e5ebc969611379b1bd04256a
SHA3-384 hash: 3aa46c73f291d48f115b889f5897f54702328d7c40255d2510eb039d6ed5c9a0d7ff96578c198f6c5be810fb1fea692f
SHA1 hash: 6a75c9f83affec7a73a4413a779fc48f8da808c6
MD5 hash: c25d23171d41933e7345dcdfb1788dc4
humanhash: march-massachusetts-jupiter-four
File name:Booking Confirmation 02222021951 - copy -PDF.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:220'672 bytes
First seen:2021-02-22 07:51:06 UTC
Last seen:2021-02-23 15:27:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:TJjJ/BxiunX8Gc9/JXAQi6u0zhj3z2zP8FmNIQOdW/p0NY:TN1BcwPcxJw56lE8FmNIQOdW/p0NY
Threatray 357 similar samples on MalwareBazaar
TLSH 3824F89D311039DFC857D476CA981EA6AA513C6B431FC22B9C1B37AD993C887DF940B2
Reporter abuse_ch
Tags:exe Maersk NetWire RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: smtpgw.hepsibulutta.com
Sending IP: 46.4.185.122
From: ''Maersk Booking Service'' <maerskbooking_dept3@protonmail.com>
Reply-To: ''Maersk Booking Service'' <maerskbooking_dept3@protonmail.com>
Subject: Re: Booking Confirmation.
Attachment: Booking Confirmation 02222021951 - copy -PDF.uu (contains "Booking Confirmation 02222021951 - copy -PDF.exe")

NetWire RAT C2:
winwin545456478456.awsmppl.com:1177

Intelligence

File Origin
# of uploads :
2
# of downloads :
306
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118279/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file in the %AppData% directory
Creating a file
DNS request
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/613769
Signature
Allocates memory in foreign processes
Contains functionality to steal Chrome passwords or cookies
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: NetWire
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 355895 Sample: Booking Confirmation 022220... Startdate: 22/02/2021 Architecture: WINDOWS Score: 100 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Detected unpacking (changes PE section rights) 2->36 38 4 other signatures 2->38 6 Booking Confirmation 02222021951 - copy -PDF.exe 1 3 2->6         started        10 file.exe 1 2->10         started        12 file.exe 2->12         started        process3 file4 24 C:\Users\user\AppData\Roaming\file.exe, PE32+ 6->24 dropped 26 C:\Users\user\...\file.exe:Zone.Identifier, ASCII 6->26 dropped 28 Booking Confirmati...- copy -PDF.exe.log, ASCII 6->28 dropped 40 Writes to foreign memory regions 6->40 42 Allocates memory in foreign processes 6->42 44 Injects a PE file into a foreign processes 6->44 14 svchost.exe 6->14         started        17 svchost.exe 2 6->17         started        46 Multi AV Scanner detection for dropped file 10->46 48 Detected unpacking (changes PE section rights) 10->48 20 svchost.exe 10->20         started        22 svchost.exe 12->22         started        signatures5 process6 dnsIp7 50 Contains functionality to steal Chrome passwords or cookies 14->50 30 winwin545456478456.awsmppl.com 87.98.245.48, 1177, 49722, 49725 OVHFR France 17->30 52 System process connects to network (likely due to code injection or exploit) 22->52 signatures8
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/91f4cceeb3b8d11e2408bd72aead7513f7031226e5ebc969611379b1bd04256a/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-22 07:02:59 UTC
AV detection:
4 of 47 (8.51%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sh2mz3vtxdir4jaixvzk5llvcp3qgerg4xv4s2lbcn43dpieevva._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
2e54ae1fe78471492cc217d238fcd7f0158ae8f22a35e9576a91b3a6614c2d08
NetWire
3e9f05acde528ea5fd7ca9d0c2af0e82d29e343d2f61420290e6f660630cd25f
NetWire
5f8cd119c7cc31eef0e66451fb05d5179c60850b2330ebcb76066dd289172a17
NetWire
6bcd9c589b51cbd1011942b2bdaeaab62748c7380a17336b35bf589c880553b8
NetWire
7b9a1aa88be62eb638af26146fce0a1b71aec646d2495fb350dd6d56997e7582
NetWire
abd18b2d7cfc702e56442f2549808b301f2e0fc214cdf2230d5fbefc9620fd42
NetWire
b4b073df62d2616baff7c0c48cc6a85e5f5211aa6979fb65ac6e9b328687cec1
NetWire
df2688f6f88ea0e66b46d856e514adf25f8456cb4e45c849233799e17b1171e3
NetWire
f53faac8d340d58a2e4916652372ccc1ec9be6a34da5332ee31072ed9c75c37a
NetWire
fadc99d77a3c3f3483b63596d5ead642ecafb0bb52342c975efdbfd26a87f166
NetWire
+ 347 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/210222-6qt3qvv87j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
91f4cceeb3b8d11e2408bd72aead7513f7031226e5ebc969611379b1bd04256a
MD5 hash:
c25d23171d41933e7345dcdfb1788dc4
SHA1 hash:
6a75c9f83affec7a73a4413a779fc48f8da808c6
Link:
https://www.unpac.me/results/485bd740-f511-402a-ae5b-b491ccfa7c97/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar 7725164ebcdb419ce617cf674c4b2935a28be57c6882f4f54366114d3d1fd709

NetWire

Executable exe 91f4cceeb3b8d11e2408bd72aead7513f7031226e5ebc969611379b1bd04256a

(this sample)

  
Dropped by
MD5 081f90a1d6b73603da3bccde2ddd2d62
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118279/
  
Dropped by
SHA256 7725164ebcdb419ce617cf674c4b2935a28be57c6882f4f54366114d3d1fd709

Comments