MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fe290fed627fb78a5f4f92a4e479c63a6b8a2d614fa173bb37d474300c102e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	9fe290fed627fb78a5f4f92a4e479c63a6b8a2d614fa173bb37d474300c102e6
SHA3-384 hash:	b3b26746413b43ba9be23abc0b28fe8d8268a97d48811c032de316ece114cfe95f58867a46fbf8e8434855afc31f8cab
SHA1 hash:	9137bd3415377d3e77b0dc8d4e69b22ea4b473a1
MD5 hash:	e48d3684ab9ae8701aa591397b5d333c
humanhash:	idaho-lactose-oscar-violet
File name:	SecuriteInfo.com.Trojan.Siggen9.48175.17546.28131
Download:	download sample
Signature	NetWire Create hunting rule
File size:	1'062'400 bytes
First seen:	2022-09-08 10:58:45 UTC
Last seen:	2022-09-20 05:43:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:TkNjmlx1fDFztKfCWxWrFoT5VPBDwvTgnRcPLHWO4Tyw4N9ER5pzh9K/BUW:TkxmlXDFgsOlDa0R6HWOscSR3P8UW
Threatray	900 similar samples on MalwareBazaar
TLSH	T1E9351A0621950BA5D07253FC20CCC1728BBA9E45E53FD945BFC99CEFF592F2846D22A2
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

323

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netwire

ID:

File name:

SecuriteInfo.com.Trojan.Siggen9.48175.17546.28131

Verdict:

Malicious activity

Analysis date:

2022-09-08 10:59:55 UTC

Tags:

trojan rat netwire

Link:

https://app.any.run/tasks/a0846802-49b9-4a91-9772-c9d9d40e4f35

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NetWire

Link:

https://www.capesandbox.com/analysis/308754/

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.48175.17546.28131.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6319cb8be73fb79b7a00b176/reports/29ee7420-1ec6-48ea-885b-52ec763a6abc/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NetWire RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ff24d6c7-5ef2-4315-a007-1518b3e860c9

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1067058

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NetWire

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Netwire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

netwire

Link:

https://mwdb.cert.pl/sample/9fe290fed627fb78a5f4f92a4e479c63a6b8a2d614fa173bb37d474300c102e6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-09-08 10:59:23 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t7rjb7wwe75xrjpu7eve4r44motlriwwct5boo5tpvdugagbalta._file

Verdict:

malicious

Label(s):

netwirerc

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/220908-m3d56abegq/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

NetWire RAT payload

Netwire

Unpacked files

SH256 hash:

8b533ffaed24e0351e489b14aaac6960b731db189ce7ed0c0c02d4a546af8e63

MD5 hash:

dbc7be56e6e32349315170599c8b333f

SHA1 hash:

d8e5840e3574b87d435e55a65ac648e040871aee

Link:

https://www.unpac.me/results/2b52845e-06a9-4dc5-bc50-d3f856437eac/

SH256 hash:

502e5484d60c51b1bf1b598489ec47900787cb716aa3d7d3752e894a60c41f27

MD5 hash:

8e2fd9645044c6fc0169b203240a7d4f

SHA1 hash:

9c2dccf63e30bb8fa63d294fa496612dcf6147eb

Link:

https://www.unpac.me/results/2b52845e-06a9-4dc5-bc50-d3f856437eac/

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/2b52845e-06a9-4dc5-bc50-d3f856437eac/

SH256 hash:

dead07b518c5dcf7a643cd9e7c49f21d506c9e6265471ca65ca029b1e56ceee0

MD5 hash:

5ce39d1693784694a2bff30c83e9d5e2

SHA1 hash:

1ae228bef662135a881b0c763e1066592b10cd1c

Detections:

Netwire

win_netwire_g1

Link:

https://www.unpac.me/results/2b52845e-06a9-4dc5-bc50-d3f856437eac/

Parent samples :

584cbae08a96d4288bc0a6f0f12cdebaac0cdf9fc401cfac823686072070bfdb
9fe290fed627fb78a5f4f92a4e479c63a6b8a2d614fa173bb37d474300c102e6
0b069c7e87aeb1802c8a83bf595bdf68040faf36bb5f607f4d1a20b8b8f45403

SH256 hash:

a15569aaf3b2e9aeae16f58b2bc05a55a45f4c7b8136c5dcf30d13739854d8ac

MD5 hash:

7cbc71ce84cd44bc7744c4fe93552ea1

SHA1 hash:

025f946abec239f7d6ff1fae9b93edaf4ad2127b

Link:

https://www.unpac.me/results/2b52845e-06a9-4dc5-bc50-d3f856437eac/

SH256 hash:

9fe290fed627fb78a5f4f92a4e479c63a6b8a2d614fa173bb37d474300c102e6

MD5 hash:

e48d3684ab9ae8701aa591397b5d333c

SHA1 hash:

9137bd3415377d3e77b0dc8d4e69b22ea4b473a1

Link:

https://www.unpac.me/results/2b52845e-06a9-4dc5-bc50-d3f856437eac/

Malware family:

Netwire

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9fe290fed627/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9fe290fed627fb78a5f4f92a4e479c63a6b8a2d614fa173bb37d474300c102e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.