MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d84b1d50b931d6ef5a0b45ca33fe995dab90bc05181b2d2cd5f996fa2bc7c1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d84b1d50b931d6ef5a0b45ca33fe995dab90bc05181b2d2cd5f996fa2bc7c1c
SHA3-384 hash: 3a893f96b1b5e01c83714207e0c95590e8780dce7dd5b94610b9ce5d3715f535e219c7ad3c7569c1716b350a824ffdc6
SHA1 hash: 5e87cdd7a939828fb9772cf5e9baef6184549bea
MD5 hash: cb35b37456ce49e77239d5225900686b
humanhash: music-high-blue-bravo
File name:TNT TRACKING DETAILS.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:305'664 bytes
First seen:2021-01-07 17:37:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1143274c3ea7cc84e7f9011d1bbd4699 (2 x NetWire, 2 x Formbook)
ssdeep 6144:i2dhK1ZnmbbvsQg6BGXKmZnnFxv64saO8SwMRgcTqZQf:i2dcmHEB4sZnnFxC4sa3Swmg7Qf
Threatray 211 similar samples on MalwareBazaar
TLSH 0454D0A1A741F549E0818CF9B90EEBA990047D355965D04377C2EF1F34323EAD86AF1B
Reporter abuse_ch
Tags:exe NetWire TNT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server.amandianaeze.ga
Sending IP: 37.77.106.252
From: TNT EXPRESS INC <tnt@amandianaeze.ga>
Subject: Consignment Notification: You have A Package With Us
Attachment: TNT TRACKING DETAILS.PDF.z (contains "TNT TRACKING DETAILS.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
349
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TNT TRACKING DETAILS.exe
Verdict:
Malicious activity
Analysis date:
2021-01-07 17:39:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2adbb244-4c64-429b-9c8a-5722b4e2505f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110864/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Modifying a system executable file
Running batch commands
Launching a process
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Enabling autorun by creating a file
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/576079
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337094 Sample: TNT TRACKING DETAILS.exe Startdate: 07/01/2021 Architecture: WINDOWS Score: 80 30 Antivirus detection for dropped file 2->30 32 Antivirus / Scanner detection for submitted sample 2->32 34 Yara detected NetWire RAT 2->34 36 3 other signatures 2->36 8 TNT TRACKING DETAILS.exe 3 2->8         started        process3 file4 26 C:\Users\user\AppData\Local\...\downtown.exe, PE32 8->26 dropped 28 C:\...\c1a133fccadb406da6f53c1c76d4b61d.xml, XML 8->28 dropped 11 TNT TRACKING DETAILS.exe 1 8->11         started        14 cmd.exe 1 8->14         started        16 TNT TRACKING DETAILS.exe 8->16         started        process5 signatures6 38 Maps a DLL or memory area into another process 11->38 18 TNT TRACKING DETAILS.exe 11->18         started        20 conhost.exe 14->20         started        22 schtasks.exe 1 14->22         started        process7 process8 24 WerFault.exe 23 9 18->24         started       
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9d84b1d50b931d6ef5a0b45ca33fe995dab90bc05181b2d2cd5f996fa2bc7c1c/
Threat name:
Win32.Trojan.NetWired
Create hunting rule
Status:
Malicious
First seen:
2021-01-07 17:38:07 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=twcldvilsmow55nawrokgp7jsxnlsc6akga3fuwnl6mw7iv4pqoa._file
Verdict:
unknown
Similar samples:
00b65900131d5d5cac9d48c65ff2e53677418d7c50f0c09480af43e80845bef3
NetWire
1a6757ed0fa8dfc6a0ecc4dcfecc7dacb2b4ff435c15eefeb9edde8b913e1811
NetWire
3ce969a94f4bc8dec526e3551626d7e3639bae986304deba85e8f29f039fe345
NetWire
4c56e5f1863de0fa8fa4f2104de8d14a695eaa7e61158a71aeabef051cc025b1
NetWire
816f26e5b5de1be644fff419718bc3e1b8410a4a9a9f405d8db814e7758608d9
NetWire
8cdb536378c7a12bb65333b52664cb99cd74a8b14afbc1b74ae73111b8edfc57
NetWire
984c95ea87e7b059a566bc304bd8bd9cdfc041c3fa03e66c70e16765c22676b2
NetWire
b67361c9d7c2bcbe7e94b698f4d5abd1e6ffd96429d2c66dcfd92a573303e4f0
NetWire
d1a93b2f673410959bebb9d53e2ef09520d8a84cf1c104eda7542762ba06ab0a
NetWire
ff250126dfd7ff3a392a93375d08db10968ff1332a591d709714c48bac438499
NetWire
+ 201 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210107-dybvyenltj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
ServiceHost packer
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
9d84b1d50b931d6ef5a0b45ca33fe995dab90bc05181b2d2cd5f996fa2bc7c1c
MD5 hash:
cb35b37456ce49e77239d5225900686b
SHA1 hash:
5e87cdd7a939828fb9772cf5e9baef6184549bea
Link:
https://www.unpac.me/results/439bf9bb-df69-49d8-b465-e97347843046/
SH256 hash:
d55dea2605e0ca2b750ddf91bbb646d66edc59f5843059555182fb6861af68fe
MD5 hash:
cef334539bf969770372cbc4cafff62f
SHA1 hash:
465fe4deaf84d0fa8a7619f96ad21cb3855e6d0d
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/439bf9bb-df69-49d8-b465-e97347843046/
SH256 hash:
919af0adfe09d636d7161881ec502922a218ee59b94ea2f27a9ca71e42cd2453
MD5 hash:
b3669fcd573a6a0af0700354b8c71ef5
SHA1 hash:
72e420b0b92bc2712cfa89cb33910c3406e33ab0
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/439bf9bb-df69-49d8-b465-e97347843046/
Parent samples :
9d84b1d50b931d6ef5a0b45ca33fe995dab90bc05181b2d2cd5f996fa2bc7c1c
f5d88ee96cd5fbdda828c9ec267600fb6308a11318f8290d6d15d34f64070f05
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/9d84b1d50b931d6ef5a0b45ca33fe995dab90bc05181b2d2cd5f996fa2bc7c1c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

z 7d4a8179d8424f6a0c4ed80cd491857d9b284aa2f9b3d33b0991d2573d39d376

NetWire

Executable exe 9d84b1d50b931d6ef5a0b45ca33fe995dab90bc05181b2d2cd5f996fa2bc7c1c

(this sample)

  
Dropped by
MD5 f1c8f74d3a0d2a4a489aecb059767683
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110864/
  
Dropped by
SHA256 7d4a8179d8424f6a0c4ed80cd491857d9b284aa2f9b3d33b0991d2573d39d376

Comments