MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d9f53c7d4040936c0ce96e3a93c551e3f0823eb2b10f72f5a7def2881be346b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d9f53c7d4040936c0ce96e3a93c551e3f0823eb2b10f72f5a7def2881be346b
SHA3-384 hash: 35195879c170ed2766b1149ab431ad53b3cdf43662809b51f6b0bfbfd3fe500a209ab45820f5884afc9a6673bca3728c
SHA1 hash: 7a8bd630f48663b96df871c0cd41c4a794b4f003
MD5 hash: dcec53dd51b44f7c4584a5c96cf2f918
humanhash: lima-orange-burger-magnesium
File name:Receipt.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:578'048 bytes
First seen:2022-06-30 22:06:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:3+PUsL2iNOevNow+e8cbvw2UKyWbNLQc0ERkiF928CSdA:3A/13vNoMN5NLQ3yb1CS
Threatray 1'990 similar samples on MalwareBazaar
TLSH T1ACC4DF80A3A3BF36F12A63F77542808863B1656D95E2D2398E8CB1DE35B574108F4F27
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
185.140.53.61:3363

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.140.53.61:3363 https://threatfox.abuse.ch/ioc/743829/

Intelligence

File Origin
# of uploads :
1
# of downloads :
411
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
9d9f53c7d4040936c0ce96e3a93c551e3f0823eb2b10f72f5a7def2881be346b.zip
Verdict:
Malicious activity
Analysis date:
2022-07-01 08:59:49 UTC
Tags:
trojan netwire
Link:
https://app.any.run/tasks/0ced50e8-759e-4874-928d-890c9eb5c742

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/284689/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62be1e876ad95faf97e31dac/reports/3189fd28-f3be-4503-ae72-8c85b0ea65d5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3ffd274-8165-4092-86a9-4dc9aa1b02ab
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1022859
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d9f53c7d4040936c0ce96e3a93c551e3f0823eb2b10f72f5a7def2881be346b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-30 22:07:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
15 of 41 (36.59%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=twpvhr6uaqetnqgos3r2spcvdy7qqi7lfmipol22pxxsran6grvq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
00a2b2d1c4e99e23efb28284bf3980f98fa40b8f7e372d94d8993157c8df77ce
NetWire
52eeb7fb08557b2a14fb725589df7a02a0018b41ba16cd9ab383e6dfb2a43dbf
NetWire
6d683bd3a2a79763dfa70a69655ce558e947d4a455b26dc9de747b1d7ebb5921
NetWire
73dd28b5d2f8c9bf0cd6a3b14b660429ea13146457d1307fb9d8b2eccdb1c589
NetWire
85f8a2cc8a2d02d949678f8e92a9226ed443a1a59353915eb22c7eb9f15c1597
NetWire
a445c5a7219f02d53032566eeda84c273ff01d6184f476daf78b29fc57603e9a
NetWire
c21fb3b78e63dc303da89cce5458e70d8e991529c0c15d3170b079182af7e529
NetWire
d4288199640c45ee4a9937574f6c5141840ccb3e72510028ceb69622700d416e
NetWire
e7e42b827ea6f98942ce0c2c53c58846d7e705e6f4a64f242ce2d8b51ba1aa53
NetWire
+ 1'980 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/220630-11mamsdcd8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
185.140.53.61:3363
185.140.53.61:3365
Unpacked files
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/f05f7ef7-d6d5-4900-b8de-a3998fd820c0/
SH256 hash:
6bdb0dcc4924ea8e6b78d5f55472dc8cd0b2060043a14963f15e8139129131c0
MD5 hash:
784d0772ac2f7406c185a8fac4edd33b
SHA1 hash:
962748ed94a65cdf1912971c37f3839631491356
Link:
https://www.unpac.me/results/f05f7ef7-d6d5-4900-b8de-a3998fd820c0/
SH256 hash:
58c7c0cf6f19d08b4a6c72bff9e4cc289f08716bcb6b155f3d9f6b778c0bd560
MD5 hash:
b27b7b27b9942cda2ee366115c614130
SHA1 hash:
664472563b4d078d7d3df318dd356baa0fe3e6ff
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/f05f7ef7-d6d5-4900-b8de-a3998fd820c0/
Parent samples :
9d9f53c7d4040936c0ce96e3a93c551e3f0823eb2b10f72f5a7def2881be346b
229ff184991f195905eccc593bdf566ceccc8631155e86b0f16b7c0d07adc221
81a3622df2a114ee18f9f869fcaadb38d0cc21f2abed2cad7a5b41acb5a084ee
e1a77fa5285413469295dae451a81e68613360acbd05c127701e6e289279acfd
8d14cdd3d37291e30726d6a54012503a974d8b3a7107173f71b839cb4e679ebe
2000ada5b57a380a1b64080683830a5e8cb8b6a1a0e3859216090d01748b7b7c
97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3
a19b2cd3ea8c79684ba85dfe7167c5afa9a739cfceac75f79a9c0132ae0bc7b3
SH256 hash:
01e218dd6029c76af0fbfb6665853af1dda7a477a4e0b4dd580e8a4bce5f4767
MD5 hash:
740c943afdecf54468fe201c32148dca
SHA1 hash:
5cbecfc577e5497462dbc6b63bb9278747fec742
Link:
https://www.unpac.me/results/f05f7ef7-d6d5-4900-b8de-a3998fd820c0/
SH256 hash:
16b9fc4700292684bae0ef2da4a4f4b393103771e93c0b48747df8a24af40d59
MD5 hash:
12ae0e4078e6e9da25181468d72b7ef4
SHA1 hash:
3f88feb096debc12d2f72bac4dfe7e799c7bbf36
Link:
https://www.unpac.me/results/f05f7ef7-d6d5-4900-b8de-a3998fd820c0/
SH256 hash:
9d9f53c7d4040936c0ce96e3a93c551e3f0823eb2b10f72f5a7def2881be346b
MD5 hash:
dcec53dd51b44f7c4584a5c96cf2f918
SHA1 hash:
7a8bd630f48663b96df871c0cd41c4a794b4f003
Link:
https://www.unpac.me/results/f05f7ef7-d6d5-4900-b8de-a3998fd820c0/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9d9f53c7d404/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d9f53c7d4040936c0ce96e3a93c551e3f0823eb2b10f72f5a7def2881be346b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.
Rule name:win_netwire_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:NetWiredRC

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/284689/

Comments