MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a40bd62eff582a81334bd53c21ea4ef288fca54d97c4ccff59dd8d607786ea78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 10

Intelligence 10 IOCs 1 YARA File information Comments

SHA256 hash:	a40bd62eff582a81334bd53c21ea4ef288fca54d97c4ccff59dd8d607786ea78
SHA3-384 hash:	b7d27b44820cb2d9f38f2f1a86ca9ba9d479cad36042f96eaa158caa93ad47a61c4d5bb7e8791f6e38d5a29ac96b859c
SHA1 hash:	d9a9216d5baedf49feb868519b16f2e4743ee2ac
MD5 hash:	d49c3d68aa536102906b3ba830d19f24
humanhash:	hawaii-undress-yankee-artist
File name:	A40BD62EFF582A81334BD53C21EA4EF288FCA54D97C4C.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	788'480 bytes
First seen:	2022-06-09 00:39:25 UTC
Last seen:	2022-06-09 01:46:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	becc73f8456bb3f2c8a3dc4ff6957fbb (1 x NetWire)
ssdeep	12288:OEkI+1SCSypiomoHyuUuJiziuilYV988o/mRzL:Vp+4CSypiLoSuUuMza8ouz
Threatray	2'381 similar samples on MalwareBazaar
TLSH	T1C1F4CF25B2A404FDD5B6497CA826A441E2327C0E0351B7ABE3E6735B3E371D09E7EB11
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	d4ccace968ecccca (1 x RedLineStealer, 1 x AZORult, 1 x RaccoonStealer)
Reporter	abuse_ch
Tags:	exe NetWire RAT

abuse_ch

NetWire C2:
5.2.68.71:3360

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
5.2.68.71:3360	https://threatfox.abuse.ch/ioc/676409/

Intelligence

File Origin

# of uploads :

# of downloads :

450

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

A40BD62EFF582A81334BD53C21EA4EF288FCA54D97C4C.exe

Verdict:

No threats detected

Analysis date:

2022-06-09 00:40:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e24a52f5-3b6f-4269-adb5-2a69ba33ea29

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/277935/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.48956252.12993.20083.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Moving a recently created file

Launching a process

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62a141425dc88d35716d47ce/reports/f166d940-5739-4ddb-9805-d1af6c00688c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/70450cac-3991-4a2f-a24f-57f1ecedf36f

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1009513

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Writes to foreign memory regions

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a40bd62eff582a81334bd53c21ea4ef288fca54d97c4ccff59dd8d607786ea78/

Threat name:

Win64.Backdoor.NetWiredRc

Status:

Malicious

First seen:

2022-05-15 13:44:00 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uqf5mlx7lavicm2l2u6cd2so6kepzjkns7cmz72z3wgwa54g5j4a._file

Verdict:

malicious

Label(s):

netwirerc

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet persistence rat stealer

Link:

https://tria.ge/reports/220609-az7xvahcfm/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

redlinea.top:3360

Unpacked files

SH256 hash:

a40bd62eff582a81334bd53c21ea4ef288fca54d97c4ccff59dd8d607786ea78

MD5 hash:

d49c3d68aa536102906b3ba830d19f24

SHA1 hash:

d9a9216d5baedf49feb868519b16f2e4743ee2ac

Link:

https://www.unpac.me/results/7fc4d8b8-c2fc-4906-9764-5f97dea2dddc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a40bd62eff582a81334bd53c21ea4ef288fca54d97c4ccff59dd8d607786ea78

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/277935/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample