MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7813261c3c899e29185faee49f8a63d4e81a2da6acccb4cc57add4c5646e37d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7813261c3c899e29185faee49f8a63d4e81a2da6acccb4cc57add4c5646e37d
SHA3-384 hash: 60fc18ec1aea2ae8a86752135a260437055cd555d99d1149980aa0d57660633b25973a1167cabae40f28eefd7eabdadc
SHA1 hash: 8f6211f205370504d7a5178d4ccab9bd153a2f26
MD5 hash: 0292ee96deb8fbe4c3bc279de12dde93
humanhash: angel-colorado-music-nuts
File name:FeDEx TRACKING DETAILS.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:323'584 bytes
First seen:2021-01-14 06:13:10 UTC
Last seen:2021-01-14 08:19:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a3dd289e085cdb130e7e60c52ab293af (3 x RemcosRAT, 2 x Formbook, 1 x NetWire)
ssdeep 6144:gF0f3MHOmVYAO3YANcNCzqZj2/ZlSX+xK0mChnVIxT+:g2f4fWAC+ZESX+xbmM8+
Threatray 361 similar samples on MalwareBazaar
TLSH 7764F1AA72E3C432C0B211B486944B73D579BD36137884B7FBE88D5E5BB06C01672A5F
Reporter abuse_ch
Tags:exe FedEx NetWire RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: server.growtying.tk
Sending IP: 188.225.75.181
From: FedEX OFFICE <fedex@growtying.tk>
Subject: FedEx ONLINE SHIPPING PARCEL ARRIVAL NOTIFICATION DATED 13TH JAN 2021
Attachment: FeDEx TRACKING DETAILS.PDF.z (contains "FeDEx TRACKING DETAILS.exe")

NetWire RAT C2:
ceo2021.duckdns.org

Intelligence

File Origin
# of uploads :
2
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FeDEx TRACKING DETAILS.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 06:16:06 UTC
Tags:
trojan netwire rat
Link:
https://app.any.run/tasks/d6777286-290b-4276-9828-ada538b062ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Netwire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111909/
Detection(s):
SecuriteInfo.com.Variant.Symmi.17697.2281.10560.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Creating a window
Launching a process
Sending a UDP request
Enabling autorun by creating a file
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/580858
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: NetWire
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 339463 Sample: FeDEx TRACKING DETAILS.exe Startdate: 14/01/2021 Architecture: WINDOWS Score: 96 25 g.msn.com 2->25 29 Antivirus detection for dropped file 2->29 31 Antivirus / Scanner detection for submitted sample 2->31 33 Yara detected NetWire RAT 2->33 35 6 other signatures 2->35 8 FeDEx TRACKING DETAILS.exe 4 2->8         started        signatures3 process4 file5 21 C:\Users\user\AppData\...\whitemanthings.exe, PE32 8->21 dropped 23 C:\...\43722a7fc0724ad481a05a46ed9e754b.xml, XML 8->23 dropped 37 Maps a DLL or memory area into another process 8->37 12 FeDEx TRACKING DETAILS.exe 2 8->12         started        15 cmd.exe 1 8->15         started        signatures6 process7 dnsIp8 27 ceo2021.duckdns.org 185.150.24.55, 49734, 5594 SKYLINKNL Netherlands 12->27 17 conhost.exe 15->17         started        19 schtasks.exe 1 15->19         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7813261c3c899e29185faee49f8a63d4e81a2da6acccb4cc57add4c5646e37d/
Threat name:
Win32.Trojan.NetWired
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 06:14:12 UTC
AV detection:
22 of 46 (47.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6ateyodzcm6femf7lxet6fghvhidiw2nlgmwtgfplouyvsg4n6q._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1c1035301c27d73a161ca96f9732f5024eb924798ce95d76d274b751ff87aa2f
NetWire
2388b2c1717d5f5741c2730b205a04d627d2cb6a1d4f781fb2f5fae3fa508e76
NetWire
3434bb383c8dd721266f60e07820474205d70c5da9ebb465109ace7894567437
NetWire
40d8ba1b4ae578829ce958a356395307e27eda0512bc78021ccb93e4b26134f7
NetWire
87c89f29aaa5dd79839585af00f1d29fa406e18ee341b23aa08f471b8c096f8b
NetWire
90dbd6dce0e0e7013656333f1cd8a9b7660e0e40e782a622856800c52e980d3e
NetWire
9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
NetWire
c2382986d2bacaacd5399abca6ba33ee39fec2e9f331b8493a7511bc23578adc
NetWire
e5b32b4bb73f9bf50a9e4e3236ea3bf54577675b46d98deb142d668e7ea1653a
NetWire
f5c3a4c6e9a672d984b794977cac7cc5ce38b6ab3c76bb79227217cc432a6ad9
NetWire
+ 351 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210114-4adxdcey96/
Behaviour
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
a7813261c3c899e29185faee49f8a63d4e81a2da6acccb4cc57add4c5646e37d
MD5 hash:
0292ee96deb8fbe4c3bc279de12dde93
SHA1 hash:
8f6211f205370504d7a5178d4ccab9bd153a2f26
Link:
https://www.unpac.me/results/dc3926cc-86ad-4f94-8251-c6e953c0e5e9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7813261c3c899e29185faee49f8a63d4e81a2da6acccb4cc57add4c5646e37d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

z 011f584f48494d54c55ca6da7d2aabf64a983a9f5b5a0f4d1f6c1c6a986eb78b

NetWire

Executable exe a7813261c3c899e29185faee49f8a63d4e81a2da6acccb4cc57add4c5646e37d

(this sample)

  
Dropped by
MD5 9d292b1575ee0e13ca1ab54735f1aa27
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 011f584f48494d54c55ca6da7d2aabf64a983a9f5b5a0f4d1f6c1c6a986eb78b
Cape
Cape
https://www.capesandbox.com/analysis/111909/

Comments