MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 950ae15b57b91b105ef929108c5394280115a5b06827ce8c017f83c4486fd58c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	950ae15b57b91b105ef929108c5394280115a5b06827ce8c017f83c4486fd58c
SHA3-384 hash:	301392a7dea2d62c124a64e182f6f2110c2a7fc81705d1110a536f3aa56824c580fa33583f19b27fa96734041376e94b
SHA1 hash:	f19ca3a8fe8bad971fb4e7c560fc15b361a8ab2c
MD5 hash:	8db7cc0026eb895951250d6b83483c8f
humanhash:	saturn-yellow-aspen-five
File name:	950ae15b57b91b105ef929108c5394280115a5b06827ce8c017f83c4486fd58c
Download:	download sample
Signature	NetWire Create hunting rule
File size:	700'160 bytes
First seen:	2021-09-14 06:36:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep	12288:uquErHF6xC9D6DmR1J98w4oknqOKwQAYBrt1F4Uy2Rmqb5BNrU5jNSHZaC9:jrl6kD68JmloO6B58NqmqbH5UfS0C9
Threatray	60 similar samples on MalwareBazaar
TLSH	T1F0E42391F7EDA585F4F78A73443D8C3049B67C9EACB8C24C12A4395E9C733914869F2A
dhash icon	9288ce8c2a868f92 (89 x Tinba, 7 x AsyncRAT, 6 x Dridex)
Reporter	JAMESWT_WT
Tags:	exe NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

683

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

950ae15b57b91b105ef929108c5394280115a5b06827ce8c017f83c4486fd58c

Verdict:

Malicious activity

Analysis date:

2021-09-14 07:17:10 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/22492722-9bf1-4ea5-9df9-a92b081b4ff9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NetWire

Link:

https://www.capesandbox.com/analysis/187674/

Detection(s):

PUA.Win.Packer.Upolyx-12

Win.Dropper.njRAT-6971317-0

Win.Malware.Azorult-6971822-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Launching a process

Query of malicious DNS domain

Enabling autorun

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

autoit overlay packed

Link:

https://www.filescan.io/uploads/61750ab4db358dd15ed92091/reports/b76e2fa0-8019-45c8-90e5-a152ca2eb6f4/overview

Malware family:

NetWire RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a90ef522-5eef-4fe3-9fe3-ee97ba3b5cc2

Result

Threat name:

Netwire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/850638

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Uses dynamic DNS services

Yara detected Netwire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/950ae15b57b91b105ef929108c5394280115a5b06827ce8c017f83c4486fd58c/

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2021-09-08 23:50:53 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

36 of 45 (80.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sufocw2xxenraxxzfeiiyu4ufaarljnqnat45dabp6b4isdp2wga._file

Verdict:

malicious

Label(s):

netwirerc

NetWire

2a2c98c65ef497baf7ebfa7ecca3b177869eaa2f73a9dc9b438990fa9e42250e

NetWire

4300bf267e8d21ee9c7b0d906b2da7545cb5b670bc2506edc6ea97132eefe10e

NetWire

623ae88bce9d510aafbbeb7a65d3eb39510b563231e0e22108fe04c77be90a29

NetWire

6a223f3097e572a00aa6f1029bbbb6d71d66bb5bbf239177d232dca3c7f9bf33

NetWire

a665187e18e7f9666da6e401c3c09093db2a404912f3e69984fc39bd6ee1cd90

NetWire

bfd31ef9134e969fad9aee0e29b31c57e8d94f459d91bfe740cfa82e455cb5e5

NetWire

e216062353c8bafbbed3e1fa3cd7d154aae43eec2011234f4e20ceb578237f69

NetWire

+ 50 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer upx

Link:

https://tria.ge/reports/210914-hdg4asfbb5/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

NetWire RAT payload

Netwire

Unpacked files

SH256 hash:

7e51a6e3578f7c8d272d4a3f33969d375b9b2b0f10ec9dfc13e401324f19131a

MD5 hash:

298e690ec104ab3019f04bbe1793a724

SHA1 hash:

f69714be9ceab9c49fdd2ac33a9c7b237e653231

Detections:

win_netwire_g1

win_netwire_auto

Link:

https://www.unpac.me/results/b4b8e140-9b1d-457a-a422-ceb7cc3e12a4/

Parent samples :

950ae15b57b91b105ef929108c5394280115a5b06827ce8c017f83c4486fd58c
aaec7d28795c24dce237cc3ae412681507d0454474d49f7b077ca3013789e3bc

SH256 hash:

950ae15b57b91b105ef929108c5394280115a5b06827ce8c017f83c4486fd58c

MD5 hash:

8db7cc0026eb895951250d6b83483c8f

SHA1 hash:

f19ca3a8fe8bad971fb4e7c560fc15b361a8ab2c

Link:

https://www.unpac.me/results/b4b8e140-9b1d-457a-a422-ceb7cc3e12a4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/950ae15b57b91b105ef929108c5394280115a5b06827ce8c017f83c4486fd58c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Malicious_BAT_Strings Create hunting rule
Author:	Florian Roth
Description:	Detects a string also used in Netwire RAT auxilliary
Reference:	https://pastebin.com/8qaiyPxs

Rule name:	MAL_unspecified_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects unspecified malware sample
Reference:	Internal Research

Rule name:	MAL_unspecified_Jan18_1_RID2F4A Create hunting rule
Author:	Florian Roth
Description:	Detects unspecified malware sample
Reference:	Internal Research

Rule name:	netwire Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect netwire in memory
Reference:	internal research

Rule name:	Suspicious_BAT_Strings Create hunting rule
Author:	Florian Roth
Description:	Detects a string also used in Netwire RAT auxilliary
Reference:	https://pastebin.com/8qaiyPxs

Rule name:	win_netwire_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.netwire.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/187674/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample