MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6f68b61781c4503ac6dbc6b79d22d3a2f6e7995c35e85f08c0d153e056d6f0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6f68b61781c4503ac6dbc6b79d22d3a2f6e7995c35e85f08c0d153e056d6f0e
SHA3-384 hash: ef402f406cd1a29cf0112eff7c025339fb38f9084949ddbe5cfd7f9305d2295d729256a25a7844ac7dcb6e3c3d51bef0
SHA1 hash: 883f3efb1f538bc9142722d4450dcde43bacc29d
MD5 hash: e969f65aaed47276c22e8d5a85d09ca1
humanhash: neptune-oxygen-finch-oklahoma
File name:Proof_of _Payment.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:914'432 bytes
First seen:2020-10-19 07:23:30 UTC
Last seen:2020-10-19 08:24:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'453 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Z8B5yMQNt1rRpOa23BKQ1lP9CLf7G9A1GKZHNYPzodGT/P:RxrRcLsiPIfOA1GUKzodGT/
Threatray 266 similar samples on MalwareBazaar
TLSH 8515691423F80B19F47B97F1962850418BB67A9A553ED24C7DCD31EE9FB2B010A63B27
Reporter abuse_ch
Tags:exe geo NedBank NetWire RAT ZAF


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: mail.genoxyl.ga
Sending IP: 168.235.67.97
From: NedBank <Notification@nedbank.co.za>
Reply-To: Notification@nedbank.co.za
Subject: Payment Notification
Attachment: Proof_of _Payment.img (contains "Proof_of _Payment.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72779/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.6524.21044.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494993
Signature
.NET source code contains potential unpacker
Contains functionality to steal Chrome passwords or cookies
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a6f68b61781c4503ac6dbc6b79d22d3a2f6e7995c35e85f08c0d153e056d6f0e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 03:50:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u33iwylydrcqhldnxrvxturnhixw46mvynpil4embukt4blnn4ha._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
19307b5746bbedc1461d2fdde14bb9b61da5b76af0f2dff6295e05e9ea855f24
NetWire
3b97909b8cc676b840fd25680d29f211efcc6c71a0234f33365dd0fec17e8438
NetWire
58bd9279e5ef2a3c1a55c9257c276f8203b69c79e29008399c6629eaf8ca6d56
NetWire
6490275833a54ddb21377ef003cacd595697c7659c1b7c6fc24a285fec1946ee
NetWire
7bcfd6304cf50881a7f42942fe80cdc0d26bd2f0934c6e2bc8df904a414fae4c
NetWire
a8327d7e2395ea7fb71062275b3a7f24ce586d7ccd0301ed2a1df1699e2d9b9b
NetWire
b69b9b6a6a6ddfcf0705b42fbf85f39534bef23b4a10a1b916ad105b6ac0ff62
NetWire
ba5cf0e14767afbaf1ef4310a5a7a55e152b7c54507a1b567133cdf42493629d
NetWire
d18f27370f8ee9d89c588980241ef2757a4a5d6cc70a357c7a45fae186c7e84b
NetWire
d4288c3aa0a21e8b20e37255358a04546708892d1cba5a93707a3c3586c6eae5
NetWire
+ 256 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
rat botnet stealer family:netwire
Link:
https://tria.ge/reports/201019-s84lg1qmf6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
a6f68b61781c4503ac6dbc6b79d22d3a2f6e7995c35e85f08c0d153e056d6f0e
MD5 hash:
e969f65aaed47276c22e8d5a85d09ca1
SHA1 hash:
883f3efb1f538bc9142722d4450dcde43bacc29d
Link:
https://www.unpac.me/results/57a7c972-ab2b-4d18-8942-38ecb78f5e1a/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/57a7c972-ab2b-4d18-8942-38ecb78f5e1a/
SH256 hash:
d291538230b436f8301daa527310f720ec8335c23b469673cd19c2a5a122fb77
MD5 hash:
70c0ceee60fb7d8bdfc4ac3367b1507f
SHA1 hash:
8248b135c715c93807cc676c49f6cd5022d557ab
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/57a7c972-ab2b-4d18-8942-38ecb78f5e1a/
Parent samples :
f036a3590c0eb7c197849f42beae2a60473ec875a9e97cadc598f1010d416d23
a6f68b61781c4503ac6dbc6b79d22d3a2f6e7995c35e85f08c0d153e056d6f0e
SH256 hash:
c95f6f9d655c28a620fc6595e4485286913bbf8bff0e38f17378889c8006ac49
MD5 hash:
34a8cb80bbbd64ed0e6710dc1c7919ca
SHA1 hash:
972600314658f039df285e3f2d58e6dae1cf13b6
Link:
https://www.unpac.me/results/57a7c972-ab2b-4d18-8942-38ecb78f5e1a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a6f68b61781c4503ac6dbc6b79d22d3a2f6e7995c35e85f08c0d153e056d6f0e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

img cc80da42d0a79006379f0ceb6cba541293f0343f2fe82159ea4c794acfecfe3b

NetWire

Executable exe a6f68b61781c4503ac6dbc6b79d22d3a2f6e7995c35e85f08c0d153e056d6f0e

(this sample)

  
Dropped by
MD5 26e704da6e0d3e7c37c765aba4bddcde
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72779/
  
Dropped by
SHA256 cc80da42d0a79006379f0ceb6cba541293f0343f2fe82159ea4c794acfecfe3b

Comments