MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e90590b4333c2a963369cabf3c7671037039829c6d42a51f824356e621dff86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	9e90590b4333c2a963369cabf3c7671037039829c6d42a51f824356e621dff86
SHA3-384 hash:	1054d8083aad9c06b0e1b8895161ffafd4533714d48086424e3534fe95f9a90f5931925c89f74cdb3911fef69410821a
SHA1 hash:	85f0703fd663c0fb491cfb71ebe5609f78312a73
MD5 hash:	bdac02fde5e13cb5c08b10df39cfe445
humanhash:	five-carolina-vermont-maine
File name:	F02EVEOU.EXE
Download:	download sample
Signature	NetWire Create hunting rule
File size:	963'584 bytes
First seen:	2022-09-01 09:26:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:ZZ5+XY+mzo3bvrn23nt+uK6ogSOY2OKP1:D5YlmzMjcocoOYR
TLSH	T11425028966C4C3B5F4260B7011B1F12986BD7E15D2B1C2C9AFDFF2EC45B8B169217A07
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	exe INVOICE NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

284

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netwire

ID:

File name:

F02EVEOU.EXE

Verdict:

Malicious activity

Analysis date:

2022-09-01 09:36:41 UTC

Tags:

trojan rat netwire

Link:

https://app.any.run/tasks/1b477a24-53ed-4a07-9bf9-c0cf5a7feac2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/307157/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1427-2.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63107b623e9e50b1baf3b69b/reports/813159b8-3be9-4742-8377-ca032ec77b60/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2a7a0feb-3c35-4803-97f6-1587b9ac29aa

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1062622

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NetWire

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9e90590b4333c2a963369cabf3c7671037039829c6d42a51f824356e621dff86/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-09-01 09:27:35 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=t2ifsc2dgpbksyzwtsv7hr3hca3qhgbjy3kcuupyeq2w4yq576da._file

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/220901-leq95sded7/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

212.193.30.230:3345

Unpacked files

SH256 hash:

c45a3dae97e5e635a567df02635fe941af384f35cc993d4e52a57fa4f4026b3e

MD5 hash:

966c65a2893f62df72494272d810448f

SHA1 hash:

de82f765123b6ed954996603b663e9bac36acfb6

Link:

https://www.unpac.me/results/39af8af9-dde9-4115-8cf2-87571767ea60/

SH256 hash:

ce32a627e1f1c0313f748ab50200c1c69ee560a136093ae7b0db9808eac1e5ee

MD5 hash:

b424d1dd1419ba340b653acfe272774f

SHA1 hash:

d856bf033a7a7f8fa1e394935e5bd537ef94a3ac

Detections:

win_netwire_g1

Netwire

Link:

https://www.unpac.me/results/39af8af9-dde9-4115-8cf2-87571767ea60/

SH256 hash:

bd5074e887758dd41f07d9d39460cdd0d0a4087247c0bebe286724ae58468b0e

MD5 hash:

5c59e5d5a7f6e9dc4f798084eeae22e5

SHA1 hash:

83388feb164f82d59ff547da24dcfbc00189e2a2

Link:

https://www.unpac.me/results/39af8af9-dde9-4115-8cf2-87571767ea60/

SH256 hash:

dd789861d66793eb5c3bd68f200a571cf51d2d3db6ecf8ec670f4f82f7416d4f

MD5 hash:

19643806577ac4e072b5b61b69cab04f

SHA1 hash:

2298066d99e6f19f564c9100f183109674ab3a2e

Detections:

win_netwire_g1

win_netwire_auto

Netwire

Link:

https://www.unpac.me/results/39af8af9-dde9-4115-8cf2-87571767ea60/

Parent samples :

ae2f65dc73b9f6946ced973c5dd998d53123110a8c7a4ad6d88e7cc56d9e3d6d
84530ed1bbd58c38b85fc93e447d14251cda335b3de5fe9216cf3386758cb0ee
40374376894492fb4f8aa245a8197df99859e2f98b786c344f877813a1a3f224
791667a955fb3cb2833edfc35880b557cf53f9ecba41ac96172606b934e982ba
beb979ea6eb528afbb51885caa428ddfda08172e26bcb1671296b40036ca9ff6
dea08975e4dfcf09c0a223ce08f787cfc0eeaba0ac6f692b3f4c10b7d1cce5d6
b0bb5c54bfd9cf2ca6805612446724b90c433fca894cb97ce1252e700c0f6ac0
9e90590b4333c2a963369cabf3c7671037039829c6d42a51f824356e621dff86
b57ed5956f300093ccca133cf806845cfaf4e11c067188cde5dd484be77a26c3
3c63068f0ff7610cbe73267e9d3c8a4adc977c9fae26f39808d2880f9c79e204
4c504c1ac1adf30de4604cba7720dd35ff80c629f4afd06bbb6cb36c11c05423

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/39af8af9-dde9-4115-8cf2-87571767ea60/

SH256 hash:

9e90590b4333c2a963369cabf3c7671037039829c6d42a51f824356e621dff86

MD5 hash:

bdac02fde5e13cb5c08b10df39cfe445

SHA1 hash:

85f0703fd663c0fb491cfb71ebe5609f78312a73

Link:

https://www.unpac.me/results/39af8af9-dde9-4115-8cf2-87571767ea60/

Malware family:

Netwire

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9e90590b4333/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9e90590b4333c2a963369cabf3c7671037039829c6d42a51f824356e621dff86

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.