MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a664d6a9ca31c3769df8098758e284ee9f5771c65fc9cbe223867ac979c2787a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a664d6a9ca31c3769df8098758e284ee9f5771c65fc9cbe223867ac979c2787a
SHA3-384 hash: 915b1e446f50cfcb2b0dc93394f3a33263a17b4a2f0dc2a08ac614b7ee4e951f74c8cc2c130e5e2ac1ca8d50aa776650
SHA1 hash: d99fa9ca1b1c859bb0d96e33b716f09fecc67c50
MD5 hash: 0a6a25cfacfd3b719895d74ce7e4df3f
humanhash: whiskey-eight-saturn-pip
File name:a664d6a9ca31c3769df8098758e284ee9f5771c65fc9cbe223867ac979c2787a
Download: download sample
Signature NetWire
Create hunting rule
File size:850'912 bytes
First seen:2021-09-21 08:37:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:maP5uW22/dKAqKHeq9yWNVrHrGPVvosA0GZ8jeyPPtZBnxp74:xhD2SqKHqWNJCk0GZEegj4
Threatray 1'026 similar samples on MalwareBazaar
TLSH T19205DF4CF285EA55D916463288B7D8910233BC1AFD62DB8F31C9737B19737D2291B84B
File icon (PE):PE icon
dhash icon e4d4d4ccccf0d4c4 (1 x NetWire)
Reporter JAMESWT_WT
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
606
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a664d6a9ca31c3769df8098758e284ee9f5771c65fc9cbe223867ac979c2787a
Verdict:
Malicious activity
Analysis date:
2021-09-21 09:09:41 UTC
Tags:
trojan netwire
Link:
https://app.any.run/tasks/53a3beb8-f3e9-4d47-95ea-fe69ebe84ce6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189783/
Detection(s):
Win.Dropper.NetWire-8183508-0
Create hunting rule

Win.Packed.Generic-9805835-0
Create hunting rule

Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/94be9c49-ca71-40e4-a8aa-2cee610a1ecd
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854720
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Netwire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 487152 Sample: MgD0vDXOog Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 52 bright1.awsmppl.com 2->52 54 Multi AV Scanner detection for domain / URL 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 7 other signatures 2->60 8 MgD0vDXOog.exe 8 2->8         started        12 name.exe 4 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 8->36 dropped 38 C:\Users\user\AppData\...\MgD0vDXOog.exe.log, ASCII 8->38 dropped 62 Writes to foreign memory regions 8->62 64 Allocates memory in foreign processes 8->64 66 Injects a PE file into a foreign processes 8->66 14 cmd.exe 3 8->14         started        17 svhost.exe 2 8->17         started        20 cmd.exe 1 8->20         started        40 C:\Users\user\AppData\Local\...\name.exe.lnk, MS 12->40 dropped 68 Antivirus detection for dropped file 12->68 70 Multi AV Scanner detection for dropped file 12->70 72 Machine Learning detection for dropped file 12->72 22 cmd.exe 1 12->22         started        24 svhost.exe 12->24         started        26 cmd.exe 1 12->26         started        signatures6 process7 dnsIp8 42 C:\Users\user\AppData\Local\Temp\...\name.exe, PE32 14->42 dropped 28 conhost.exe 14->28         started        46 bright1.awsmppl.com 17->46 48 192.168.2.1, 49807 unknown unknown 17->48 30 conhost.exe 20->30         started        44 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 22->44 dropped 32 conhost.exe 22->32         started        50 bright1.awsmppl.com 24->50 34 conhost.exe 26->34         started        file9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a664d6a9ca31c3769df8098758e284ee9f5771c65fc9cbe223867ac979c2787a/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-09-19 02:58:27 UTC
AV detection:
34 of 45 (75.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uzsnnkokghbxnhpybgdvryue52pvo4ogl7e4xyrdqz5ms6ocpb5a._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
5226a12dc7f7b5e28732ad8b5ad6fa9a35eadfbeec122d798cd53c5ef73fe86a
NetWire
73cc33d200ce22012733ea7c3fa8d03ef3ea65164497314d7d05b2992892d4e0
NetWire
754fdfd0924f05f11304a3131e908eb9189b31a2d30d50be50420853290bf709
NetWire
894061c993db2acb055ccd2f85468e1f18af0dff041c48c6f0851bf072efb31f
NetWire
af3c8597b7f874293c5b1fe53c4d1c476c7fdf06df678ba31d75c8f126ae90a0
NetWire
cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
NetWire
d3793a581da66ef5840648574ce364846e7c68a559c0f5e49faf9e4892ecdc72
NetWire
+ 1'016 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210921-kjqnqsghf6/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
bright1.awsmppl.com:4770
Unpacked files
SH256 hash:
8ad1958cab9891b55761a3e185a01d56e917dc3f1cc94372feae2911fd120cb1
MD5 hash:
8749e7cfbba58edafd6a2f4a53b113d9
SHA1 hash:
8b5b29c9928e761f7358a829d07efde26f3ee297
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/002c5353-fbbc-4c23-ac52-0e5865a26da2/
SH256 hash:
a664d6a9ca31c3769df8098758e284ee9f5771c65fc9cbe223867ac979c2787a
MD5 hash:
0a6a25cfacfd3b719895d74ce7e4df3f
SHA1 hash:
d99fa9ca1b1c859bb0d96e33b716f09fecc67c50
Link:
https://www.unpac.me/results/002c5353-fbbc-4c23-ac52-0e5865a26da2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a664d6a9ca31c3769df8098758e284ee9f5771c65fc9cbe223867ac979c2787a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:MAL_unspecified_Jan18_1_RID2F4A
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.
Rule name:win_netwire_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:NetWiredRC

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189783/

Comments