MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0e2fc3dbb2e0862936be3007baa6dc35414282c518fda50e57f0d0f6f98c570. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0e2fc3dbb2e0862936be3007baa6dc35414282c518fda50e57f0d0f6f98c570
SHA3-384 hash: ceba4515d256f6d661e296c3afee5053e133f1496af626e28dec56d77f334d1acd0705b08a754bae9de42fc7f2d59f38
SHA1 hash: 13ad5ae4e4df4b1349cb2f4c45ddbecc92b94602
MD5 hash: 223b07d0d0f8f545b660ee7198e27ba9
humanhash: london-indigo-bacon-ten
File name:NSC 070047YI6 GBO93680 JANUARY ORDER.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:684'032 bytes
First seen:2023-01-23 18:05:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:yduL66BBZ9/XT5npnRSU+L3IvaMzJ2JAtML7fYYsoefV:9LVP3r51wU+Qd1XMLL9shfV
Threatray 5'965 similar samples on MalwareBazaar
TLSH T124E412823298D349C9B803F88C7D058867B53D476922D36F1EEB20ED9B61F594F5271B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 2810f07110796900 (11 x AgentTesla, 2 x Formbook, 2 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
NSC 070047YI6 GBO93680 JANUARY ORDER.exe
Verdict:
Malicious activity
Analysis date:
2023-01-23 18:07:42 UTC
Tags:
netwire
Link:
https://app.any.run/tasks/f003b730-cc6a-4209-a2d5-f5d97b12ea75

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355995/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63cecc8c89bd67c10fd983f9/reports/7fb22c9e-1d47-43ef-b14b-5265ed8ea509/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c9e94258-e0b0-4197-afbd-11173cf28626
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157266
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates autostart registry keys with suspicious names
Found evasive API chain (may stop execution after checking mutex)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 790003 Sample: NSC 070047YI6 GBO93680 JANU... Startdate: 23/01/2023 Architecture: WINDOWS Score: 100 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus detection for URL or domain 2->79 81 Sigma detected: Scheduled temp file as task from temp location 2->81 83 13 other signatures 2->83 9 NSC 070047YI6 GBO93680 JANUARY ORDER.exe 7 2->9         started        13 AfzlbZsQnkpeF.exe 5 2->13         started        15 Host.exe 2->15         started        17 2 other processes 2->17 process3 file4 67 C:\Users\user\AppData\...\AfzlbZsQnkpeF.exe, PE32 9->67 dropped 69 C:\...\AfzlbZsQnkpeF.exe:Zone.Identifier, ASCII 9->69 dropped 71 C:\Users\user\AppData\Local\...\tmpAC05.tmp, XML 9->71 dropped 73 NSC 070047YI6 GBO9...NUARY ORDER.exe.log, ASCII 9->73 dropped 91 Adds a directory exclusion to Windows Defender 9->91 19 NSC 070047YI6 GBO93680 JANUARY ORDER.exe 3 9->19         started        22 powershell.exe 21 9->22         started        24 schtasks.exe 1 9->24         started        93 Multi AV Scanner detection for dropped file 13->93 95 Machine Learning detection for dropped file 13->95 26 schtasks.exe 13->26         started        37 3 other processes 13->37 28 Host.exe 15->28         started        31 schtasks.exe 15->31         started        33 schtasks.exe 17->33         started        35 Host.exe 17->35         started        signatures5 process6 file7 65 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 19->65 dropped 39 Host.exe 5 19->39         started        42 conhost.exe 22->42         started        44 conhost.exe 24->44         started        46 conhost.exe 26->46         started        97 Creates autostart registry keys with suspicious names 28->97 48 conhost.exe 31->48         started        50 conhost.exe 33->50         started        signatures8 process9 signatures10 85 Multi AV Scanner detection for dropped file 39->85 87 Machine Learning detection for dropped file 39->87 89 Adds a directory exclusion to Windows Defender 39->89 52 Host.exe 39->52         started        55 powershell.exe 39->55         started        57 schtasks.exe 39->57         started        59 Host.exe 39->59         started        process11 dnsIp12 75 212.193.30.230, 6063 SPD-NETTR Russian Federation 52->75 61 conhost.exe 55->61         started        63 conhost.exe 57->63         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0e2fc3dbb2e0862936be3007baa6dc35414282c518fda50e57f0d0f6f98c570/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-23 08:23:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=udrpypn3fyegfe3l4mahxktnynkbikbmkgh5uuhfp4gq634yyvya._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0223813f145061b2f72575be4d6dfa4888d41e7c5dd5d64fc577de9cf4b340b2
NetWire
5a8b1edfe9a05b20ec2ec3891cbe298913e9c8e29fae4e94411bc3766c907be2
NetWire
99e8dfa23cef1d5d67c765df3de3bc6e750a2d8fa4628a9442d08fc40aaaa656
NetWire
b1c36240effced3001500a115e71328faf0136490f67568ec382ccd97254415e
NetWire
b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c
NetWire
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0
NetWire
f81832eab926f0dfe31ac63017cb7f6d8fb933e31f6d8742f94a5cecf012bab1
NetWire
+ 5'955 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/230123-wpq28sga8y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
212.193.30.230:6063
Unpacked files
SH256 hash:
47671e7228459787f800299398fcb760125bd7a9950bf13e82ed868c94674431
MD5 hash:
6f3f16005586d93489853c13dfd6abae
SHA1 hash:
98cf6314fe463440ca8f423bd855a108b01fc752
Detections:
Netwire
Create hunting rule
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/b77fb629-019c-4293-8abd-2fefeada82c8/
Parent samples :
0223813f145061b2f72575be4d6dfa4888d41e7c5dd5d64fc577de9cf4b340b2
5a8b1edfe9a05b20ec2ec3891cbe298913e9c8e29fae4e94411bc3766c907be2
1801a874e23097185c396dfcc625bebae49577d65a9177332b8f791810054b4e
f81832eab926f0dfe31ac63017cb7f6d8fb933e31f6d8742f94a5cecf012bab1
a0e2fc3dbb2e0862936be3007baa6dc35414282c518fda50e57f0d0f6f98c570
SH256 hash:
d79d2f0e676a928af7dc90b08d6353b4cb4aa2843a0140bf9d7b46ed448f9e46
MD5 hash:
ab88c970159dd625c75a493395947644
SHA1 hash:
6a8d33a65d5cb8649a6782b3e1ecba9e8dc20e36
Link:
https://www.unpac.me/results/b77fb629-019c-4293-8abd-2fefeada82c8/
SH256 hash:
e4015219e35fbc58abf43d224dae7478d06190224797675f892f16b48f1fd563
MD5 hash:
b29bd91f80c91a58b2647700eb271580
SHA1 hash:
69cf49a12d9658335b8ba21d69a3a9989919819b
Detections:
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/b77fb629-019c-4293-8abd-2fefeada82c8/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/b77fb629-019c-4293-8abd-2fefeada82c8/
SH256 hash:
20eda0a9b642a495ee216f13d2c37603ef860ff1aa1b8c89b2aa630a17574f71
MD5 hash:
d2dcd2d712c1f3c871e39fc27f889546
SHA1 hash:
167502f0388eb8c9525a048282600fa83d7254ad
Link:
https://www.unpac.me/results/b77fb629-019c-4293-8abd-2fefeada82c8/
SH256 hash:
a0e2fc3dbb2e0862936be3007baa6dc35414282c518fda50e57f0d0f6f98c570
MD5 hash:
223b07d0d0f8f545b660ee7198e27ba9
SHA1 hash:
13ad5ae4e4df4b1349cb2f4c45ddbecc92b94602
Link:
https://www.unpac.me/results/b77fb629-019c-4293-8abd-2fefeada82c8/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a0e2fc3dbb2e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/a0e2fc3dbb2e0862936be3007baa6dc35414282c518fda50e57f0d0f6f98c570

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe a0e2fc3dbb2e0862936be3007baa6dc35414282c518fda50e57f0d0f6f98c570

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/355995/

Comments