MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae2f65dc73b9f6946ced973c5dd998d53123110a8c7a4ad6d88e7cc56d9e3d6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 2 File information Comments

SHA256 hash:	ae2f65dc73b9f6946ced973c5dd998d53123110a8c7a4ad6d88e7cc56d9e3d6d
SHA3-384 hash:	a15cf998edb40797f7030b168e190d02bd6952377faa62da72029e785ff3a66cb7f29c0068d11869604c9ba4af23deba
SHA1 hash:	95bd5bd63a3ee48a8b54e53c441d0dd2c896dfce
MD5 hash:	dfb8147fe8e22fb63d4953cbe8d6742d
humanhash:	mockingbird-twenty-india-four
File name:	INVOICE00543.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	682'496 bytes
First seen:	2022-08-12 08:16:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:RR6Updvpc++I2iNBt/kgtzSyC7RSmYdXwxNqRD4ssiVM/thSvQJY/0:CUpRpSI1bZfC7QwxN64neM/thSOL
Threatray	3'190 similar samples on MalwareBazaar
TLSH	T1BBE4C0EFA758441FCD608B76E94C917A4FA9DC223422CDFFBE637875962029C641ED02
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe NetWire RAT

abuse_ch

NetWire C2:
212.193.30.230:3345

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
212.193.30.230:3345	https://threatfox.abuse.ch/ioc/842704/

Intelligence

File Origin

# of uploads :

# of downloads :

441

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netwire

ID:

File name:

INVOICE00543.exe

Verdict:

Malicious activity

Analysis date:

2022-08-12 08:19:39 UTC

Tags:

trojan netwire

Link:

https://app.any.run/tasks/ccba3f09-80e2-44dd-8f4e-09e20b56cce0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NetWire

Link:

https://www.capesandbox.com/analysis/298188/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62f60c88c8022caa1abb798e/reports/2a7b6d95-f7b1-4db5-836e-8b2babc96a8e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NetWire RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b058e102-715f-4b2b-8c88-73b8a893a8db

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1050449

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ae2f65dc73b9f6946ced973c5dd998d53123110a8c7a4ad6d88e7cc56d9e3d6d/

Threat name:

ByteCode-MSIL.Trojan.NetWiredRc

Status:

Malicious

First seen:

2022-08-12 08:17:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vyxwlxdtxh3ji3hns46f3wmy2uysgeikrr5evvwyrz6mk3m6hvwq._file

Verdict:

malicious

Label(s):

netwirerc

NetWire

4ce80bb4169f81656f9f5a2833aad35378d7e26fe9fcce2da3e5628a8d4693e0

NetWire

5712e0a231e705d4438c09a5aacfdb9b753f9a2cc8a110c2b13606cdac708d42

NetWire

62e10c7d7f2136172cfef4c1679edbe3a9f013fb81c17b33d252180e0087ea05

NetWire

7d43cddf5679f4233ebf701f89050ec267f892165a4c34084ad65963af7ebc36

NetWire

811690717824917911f152507cf4232df4aec5f198a57a638a3a9e0a738e84b8

NetWire

f3ba07ea43adc68f25d26028ec31b752001be473d77b69d5c89e1ef393d37812

NetWire

+ 3'180 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/220812-j6pjhsagfr/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

212.193.30.230:3345

Unpacked files

SH256 hash:

18eb60c0eb3e1c610526d9f4b42684ac36a2ebb521514a8770dca2f2afd7f471

MD5 hash:

7ca239778f9f46d28b08876564dba525

SHA1 hash:

973b0d0d98a83b7dfcf1bfce04a179b0f070b98c

Link:

https://www.unpac.me/results/a1f8ddd5-7cea-4cf7-a66f-7e58f27ff2e9/

SH256 hash:

5360427047ab7836ec60caec86b31f97a9a90886db75313f6676791ad77d62cb

MD5 hash:

de6c4ebbc3ef25f88d8a0e7ff10ad5e1

SHA1 hash:

3230fccd2e6c7c2eea9d95f929943a63868cad78

Link:

https://www.unpac.me/results/a1f8ddd5-7cea-4cf7-a66f-7e58f27ff2e9/

SH256 hash:

78e5c78a11414d10ad782a7d6eaccb895f64d6746d29130a2721cbcf02404711

MD5 hash:

10b440a445d7d6b0105c2cff81e60525

SHA1 hash:

2fcea325259e8bd864e2436f808f65b1e777ade2

Link:

https://www.unpac.me/results/a1f8ddd5-7cea-4cf7-a66f-7e58f27ff2e9/

SH256 hash:

dd789861d66793eb5c3bd68f200a571cf51d2d3db6ecf8ec670f4f82f7416d4f

MD5 hash:

19643806577ac4e072b5b61b69cab04f

SHA1 hash:

2298066d99e6f19f564c9100f183109674ab3a2e

Detections:

win_netwire_g1

win_netwire_auto

Netwire

Link:

https://www.unpac.me/results/a1f8ddd5-7cea-4cf7-a66f-7e58f27ff2e9/

Parent samples :

ae2f65dc73b9f6946ced973c5dd998d53123110a8c7a4ad6d88e7cc56d9e3d6d
84530ed1bbd58c38b85fc93e447d14251cda335b3de5fe9216cf3386758cb0ee
40374376894492fb4f8aa245a8197df99859e2f98b786c344f877813a1a3f224
791667a955fb3cb2833edfc35880b557cf53f9ecba41ac96172606b934e982ba
beb979ea6eb528afbb51885caa428ddfda08172e26bcb1671296b40036ca9ff6
dea08975e4dfcf09c0a223ce08f787cfc0eeaba0ac6f692b3f4c10b7d1cce5d6
b0bb5c54bfd9cf2ca6805612446724b90c433fca894cb97ce1252e700c0f6ac0
9e90590b4333c2a963369cabf3c7671037039829c6d42a51f824356e621dff86
b57ed5956f300093ccca133cf806845cfaf4e11c067188cde5dd484be77a26c3
3c63068f0ff7610cbe73267e9d3c8a4adc977c9fae26f39808d2880f9c79e204
4c504c1ac1adf30de4604cba7720dd35ff80c629f4afd06bbb6cb36c11c05423

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/a1f8ddd5-7cea-4cf7-a66f-7e58f27ff2e9/

SH256 hash:

ae2f65dc73b9f6946ced973c5dd998d53123110a8c7a4ad6d88e7cc56d9e3d6d

MD5 hash:

dfb8147fe8e22fb63d4953cbe8d6742d

SHA1 hash:

95bd5bd63a3ee48a8b54e53c441d0dd2c896dfce

Link:

https://www.unpac.me/results/a1f8ddd5-7cea-4cf7-a66f-7e58f27ff2e9/

Malware family:

Netwire

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ae2f65dc73b9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ae2f65dc73b9f6946ced973c5dd998d53123110a8c7a4ad6d88e7cc56d9e3d6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/298188/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample