MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9efc0aec4d264375125ea4d1a43bec1120178fe73221609db5bb5a900e77aae7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9efc0aec4d264375125ea4d1a43bec1120178fe73221609db5bb5a900e77aae7
SHA3-384 hash: da4ac0bd62f34d2d18f73b5a0057ef204626916b914d881445b320fb2de68a3bc3313df4da16882fad9a2ff0e8055591
SHA1 hash: b773320c17ddc2b3ed1b0cfabd126bc4815c1c2b
MD5 hash: 14925819afe594fd71f2b4999a71e8fa
humanhash: tango-hawaii-pluto-virginia
File name:DOCUMENT.EXE
Download: download sample
Signature NetWire
Create hunting rule
File size:849'920 bytes
First seen:2021-10-04 08:39:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8276363bcf2f383c8cd04fac30801161 (10 x RemcosRAT, 2 x NetWire, 1 x Formbook)
ssdeep 12288:0w6jlNSq3W9F1Sa+tiDWIyNbYAycjL7YiEFXXXB:Naeq3gF1Sf+WIy6AyAdSXXXB
Threatray 1'263 similar samples on MalwareBazaar
TLSH T19E05061221405B6DF5123735EC4705A4ABD5AA3E2E018B77F1A8179B4B6F381BEE183F
File icon (PE):PE icon
dhash icon 1432694969516806 (10 x RemcosRAT, 2 x NetWire, 1 x Formbook)
Reporter cocaman
Tags:DHL exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
425
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DOCUMENT.EXE
Verdict:
Malicious activity
Analysis date:
2021-10-04 08:42:06 UTC
Tags:
installer trojan rat netwire
Link:
https://app.any.run/tasks/9c60bad4-0a62-47e5-89c0-25486837e5a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194472/
Detection(s):
Win.Trojan.Remcos-9897068-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/615c0eeeb95458900cdc5fd2/reports/0b806d44-63a8-4b6c-be62-c29c7e939933/overview
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e91890b-c81a-4a7c-b239-f627a089eaf5
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863728
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 496156 Sample: DOCUMENT.EXE Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 4 other signatures 2->67 8 DOCUMENT.EXE 1 22 2->8         started        13 Qboqlku.exe 15 2->13         started        15 Qboqlku.exe 15 2->15         started        process3 dnsIp4 47 qq3x1a.dm.files.1drv.com 8->47 49 onedrive.live.com 8->49 51 dm-files.fe.1drv.com 8->51 41 C:\Users\Public\Libraries\...\Qboqlku.exe, PE32 8->41 dropped 75 Writes to foreign memory regions 8->75 77 Creates a thread in another existing process (thread injection) 8->77 79 Injects a PE file into a foreign processes 8->79 17 secinit.exe 2 8->17         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        53 qq3x1a.dm.files.1drv.com 13->53 57 2 other IPs or domains 13->57 81 Allocates memory in foreign processes 13->81 25 mobsync.exe 13->25         started        55 qq3x1a.dm.files.1drv.com 15->55 59 2 other IPs or domains 15->59 27 secinit.exe 15->27         started        file5 signatures6 process7 dnsIp8 43 liquor01.ddns.net 185.236.203.119, 49781, 49877, 49878 M247GB Romania 17->43 69 Contains functionality to log keystrokes 17->69 71 Contains functionality to steal Internet Explorer form passwords 17->71 73 Contains functionality to steal Chrome passwords or cookies 17->73 29 reg.exe 1 21->29         started        31 conhost.exe 21->31         started        33 cmd.exe 1 23->33         started        35 conhost.exe 23->35         started        45 192.168.2.1 unknown unknown 25->45 signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9efc0aec4d264375125ea4d1a43bec1120178fe73221609db5bb5a900e77aae7/
Threat name:
Win32.Downloader.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-10-04 07:40:04 UTC
AV detection:
11 of 45 (24.44%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t36av3cnezbxkes6uti2io7mceqbpd7hgiqwbhnvxnnjadtxvltq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
2f3c9eec055b5c11f8bbd794fde194e68a7c27cad4112d131ae999b953759ac0
NetWire
3ffc5daa049116311ac1363623b7a8960b7aabb4b874d1126a358b8d483e33cd
NetWire
4eb3eb429cc68448b279c9375ac72e8cefbb0e7765569bf4ba416777cd2a4ead
NetWire
56a571913ec8c7c4e9c936ac2625f36478147528542a2e291d6ad2cc4a7aab58
NetWire
5d9d8df653e49a9bda60668f00988aa638e3825b8c4153363f689422a8396e3b
NetWire
8fb001ff8eff89d8c472579c21683a55aff13ff9599bef6a3e5571b2c919691b
NetWire
98f868900b27ba82ac18f919dc551ea15dc310813eb1538ebf2d0ab3afaa8328
NetWire
deabb312ade9d16c64ea491e5cf9477e1b98f2c5cda72ab2cb1b8b75af558d31
NetWire
f3ad47ca842225f405e277f5f2b0521266fe65a90bf746ac39a67990835ddf14
NetWire
f862eb253778c7b1c35349d798736124d7ee97db446217b2e5962fe2431d1e46
NetWire
+ 1'253 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence stealer
Link:
https://tria.ge/reports/211004-kkwldagbbn/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Adds Run key to start application
Netwire
Unpacked files
SH256 hash:
f808a11e5b1cb4332bb4d65cdbcf1e0ca7323b15bcf73cb7462ad3eb30f05703
MD5 hash:
6cfdeebc3c72279486ddd229eb14b009
SHA1 hash:
e3a2a0a2a0fabd55415c9007f52c79fe9e19e0a7
Link:
https://www.unpac.me/results/2510951a-b6b8-4a25-b335-986daa222aea/
SH256 hash:
f047398b5c875e6012d10aaa576c65d01080661e2e1621c81523267e968fb538
MD5 hash:
fd5a9ca4d262e210aa8ab6942c386a7f
SHA1 hash:
2e8c0ccfb426dd40082549a74ace1ea5975bf552
Link:
https://www.unpac.me/results/2510951a-b6b8-4a25-b335-986daa222aea/
SH256 hash:
9efc0aec4d264375125ea4d1a43bec1120178fe73221609db5bb5a900e77aae7
MD5 hash:
14925819afe594fd71f2b4999a71e8fa
SHA1 hash:
b773320c17ddc2b3ed1b0cfabd126bc4815c1c2b
Link:
https://www.unpac.me/results/2510951a-b6b8-4a25-b335-986daa222aea/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9efc0aec4d26/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9efc0aec4d264375125ea4d1a43bec1120178fe73221609db5bb5a900e77aae7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

iso 4ade82c3e018beaca2eac5abd9b43266dfe8d3f9ce7d2e66e1f06afe47221ce3

NetWire

Executable exe 9efc0aec4d264375125ea4d1a43bec1120178fe73221609db5bb5a900e77aae7

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 4ade82c3e018beaca2eac5abd9b43266dfe8d3f9ce7d2e66e1f06afe47221ce3
Cape
Cape
https://www.capesandbox.com/analysis/194472/

Comments