MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a40c51565228f1fef2028b90fd49051372828871d8eeb5df19e5d8049c977ed2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetWire


Vendor detections: 7



SHA256 hash: a40c51565228f1fef2028b90fd49051372828871d8eeb5df19e5d8049c977ed2
SHA3-384 hash: 18163318b399bb56061f03ec981e89d22d0c9658245e9e15fb92a83f71afa3688df7318b346ffa8a8c0faa5808eadeb2
SHA1 hash: 7de72217b6b2517de22b101f176e18951dcad2ec
MD5 hash: a1fd8375e483f4a9d2be25dbb7d549b0
humanhash: ten-floor-golf-may
File name: a40c51565228f1fef2028b90fd49051372828871d8eeb.dll
Download: download sample
Signature NetWire
File size: 57'348 bytes
First seen: 2021-03-24 17:12:52 UTC
Last seen: 2021-03-24 19:17:00 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash 37dff82dbc0a01d6a9e596664712c05e (2 x NetWire)
ssdeep 768:EHmfSO1BZEEhr6x/mbYyp6CHUBRfOIjTPAubo+2Zrey8W1kEDdunKsrN4RPZc6:io9SkOx/OfYC0BRf7TrM+QrCrj4FZZ
Threatray 912 similar samples on MalwareBazaar
TLSH AB438D5073A1D07AE66A55342836E6A21E2F3980BBF0448B3FD516ED5FB11C0F97932B
Reporter abuse_ch
Tags: dll, NetWire, RAT


Reporter comment (abuse_ch):
NetWire C2: 188.165.232.179:1970

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
188.165.232.179:1970 | https://threatfox.abuse.ch/ioc/5137/

Intelligence


File Origin
# of uploads: 2
# of downloads: 388
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 72 / 100
Signature
Allocates memory in foreign processes
Hijacks the control flow in another process
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Uses tracert.exe to detect the network architecture
Writes to foreign memory regions
Behaviour
Behavior Graph: [graph image not rendered; Behavior Graph ID 375293, sample a40c51565228f1fef2028b90fd4..., start date 24/03/2021, architecture WINDOWS, score 72]
Threat name: Win32.Dropper.Demp
Status: Malicious
First seen: 2021-03-20 22:03:00 UTC
AV detection: 15 of 28 (53.57%)
Threat level: 3/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Loads dropped DLL
Unpacked files
SHA256 hash: a40c51565228f1fef2028b90fd49051372828871d8eeb5df19e5d8049c977ed2
MD5 hash: a1fd8375e483f4a9d2be25dbb7d549b0
SHA1 hash: 7de72217b6b2517de22b101f176e18951dcad2ec
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria
Rule name: MALWARE_Win_NetWire
Author: ditekSHen
Description: Detects NetWire RAT
Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments