MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aaec7d28795c24dce237cc3ae412681507d0454474d49f7b077ca3013789e3bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	aaec7d28795c24dce237cc3ae412681507d0454474d49f7b077ca3013789e3bc
SHA3-384 hash:	f42f5b0e4b874c3128a1117f7cf7b60527cb2934c61bd890226181521e8e1bb6eac7f0a2a6b866e8b3d47a67131ec134
SHA1 hash:	b0f4b1d430eb2fa41a33d1ba5a757d4f052cc624
MD5 hash:	205519e07ea99c49da0872313c858237
humanhash:	solar-oscar-montana-east
File name:	aaec7d28795c24dce237cc3ae412681507d0454474d49f7b077ca3013789e3bc
Download:	download sample
Signature	NetWire Create hunting rule
File size:	699'160 bytes
First seen:	2021-09-21 08:36:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep	12288:uquErHF6xC9D6DmR1J98w4oknqOKwQAYBrt1F4Uy2Rmqb5BNrU5jNSHZaCz:jrl6kD68JmloO6B58NqmqbH5UfS0Cz
Threatray	75 similar samples on MalwareBazaar
TLSH	T1E8E42391F7EDA595F4F78A73443D8C3049B67C9EACB8C20C12A4395D9C733914869F2A
File icon (PE):
dhash icon	9288ce8c2a868f92 (89 x Tinba, 7 x AsyncRAT, 6 x Dridex)
Reporter	JAMESWT_WT
Tags:	exe NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

603

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

aaec7d28795c24dce237cc3ae412681507d0454474d49f7b077ca3013789e3bc

Verdict:

Malicious activity

Analysis date:

2021-09-21 09:22:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/07c5ed74-146f-4ae2-bbc9-a27c678fd3e5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NetWire

Link:

https://www.capesandbox.com/analysis/189799/

Detection(s):

PUA.Win.Packer.Upolyx-12

Win.Dropper.njRAT-6971317-0

Win.Malware.Azorult-6971822-0

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/27b02713-febb-4515-bd0d-3ca0d4342011

Result

Threat name:

Netwire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/854731

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Netwire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aaec7d28795c24dce237cc3ae412681507d0454474d49f7b077ca3013789e3bc/

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2021-09-20 01:22:00 UTC

AV detection:

39 of 45 (86.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vlwh2kdzlqsnzyrxzq5oieticud5arkeotkj66yhpsrqcn4j4o6a._file

Verdict:

malicious

Label(s):

netwirerc

NetWire

56439f2c3a02075273e7ec8cad208e231d9576bf4f9dce25905d18a888b3b92e

NetWire

5cb7c3eaf9d64f5f34c530b50786571ddb8884f7abf6690774c419bea9eeba54

NetWire

623ae88bce9d510aafbbeb7a65d3eb39510b563231e0e22108fe04c77be90a29

NetWire

950ae15b57b91b105ef929108c5394280115a5b06827ce8c017f83c4486fd58c

NetWire

a5e7773e86e1f8feacc75ced3053ac3d44af73d5b2ec72005c7ba2cd465f1ef3

NetWire

a665187e18e7f9666da6e401c3c09093db2a404912f3e69984fc39bd6ee1cd90

NetWire

d1ad9e3f121122403fc66c234aa21cab45b74556a641c3c62d418c2306754c44

NetWire

+ 65 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer upx

Link:

https://tria.ge/reports/210921-kh5q9sbegn/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

NetWire RAT payload

Netwire

Unpacked files

SH256 hash:

7e51a6e3578f7c8d272d4a3f33969d375b9b2b0f10ec9dfc13e401324f19131a

MD5 hash:

298e690ec104ab3019f04bbe1793a724

SHA1 hash:

f69714be9ceab9c49fdd2ac33a9c7b237e653231

Detections:

win_netwire_g1

win_netwire_auto

Link:

https://www.unpac.me/results/6dbfc536-b935-41cb-b7a4-b0157106105b/

Parent samples :

950ae15b57b91b105ef929108c5394280115a5b06827ce8c017f83c4486fd58c
aaec7d28795c24dce237cc3ae412681507d0454474d49f7b077ca3013789e3bc

SH256 hash:

11720209cc8fc420eb9c222560ea262d60ef348d7ba61a799ad9dd8203e90e84

MD5 hash:

5ada53d4f247098c0b71f350f3b27b80

SHA1 hash:

bf59d5a2f8a5a1ac06fccd6d844ddf0343fc51f1

Link:

https://www.unpac.me/results/6dbfc536-b935-41cb-b7a4-b0157106105b/

SH256 hash:

aaec7d28795c24dce237cc3ae412681507d0454474d49f7b077ca3013789e3bc

MD5 hash:

205519e07ea99c49da0872313c858237

SHA1 hash:

b0f4b1d430eb2fa41a33d1ba5a757d4f052cc624

Link:

https://www.unpac.me/results/6dbfc536-b935-41cb-b7a4-b0157106105b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aaec7d28795c24dce237cc3ae412681507d0454474d49f7b077ca3013789e3bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Malicious_BAT_Strings Create hunting rule
Author:	Florian Roth
Description:	Detects a string also used in Netwire RAT auxilliary
Reference:	https://pastebin.com/8qaiyPxs

Rule name:	MAL_unspecified_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects unspecified malware sample
Reference:	Internal Research

Rule name:	MAL_unspecified_Jan18_1_RID2F4A Create hunting rule
Author:	Florian Roth
Description:	Detects unspecified malware sample
Reference:	Internal Research

Rule name:	netwire Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect netwire in memory
Reference:	internal research

Rule name:	Suspicious_BAT_Strings Create hunting rule
Author:	Florian Roth
Description:	Detects a string also used in Netwire RAT auxilliary
Reference:	https://pastebin.com/8qaiyPxs

Rule name:	win_netwire_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.netwire.

Rule name:	win_netwire_w0 Create hunting rule
Author:	Jean-Philippe Teissier / @Jipe_
Description:	NetWiredRC

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/189799/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample