MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0bb5c54bfd9cf2ca6805612446724b90c433fca894cb97ce1252e700c0f6ac0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	b0bb5c54bfd9cf2ca6805612446724b90c433fca894cb97ce1252e700c0f6ac0
SHA3-384 hash:	9b23987607d64b57f11288a486e4cbecfb56e3493796dcff1c5685cab10b848fdd49a153ee198b5d8edbabda00e777e5
SHA1 hash:	65be5556aaa31694a869c6fa46d16889e16ee6c9
MD5 hash:	72c6e57d7911e55d1a6fd3e574af8ee7
humanhash:	massachusetts-tennis-robert-diet
File name:	SecuriteInfo.com.W32.AIDetectNet.01.24746.17925
Download:	download sample
Signature	NetWire Create hunting rule
File size:	694'784 bytes
First seen:	2022-08-31 06:42:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:SSqg5SBF75er2IVoYKGeP7OU6EJgklHlOvEhRwAJAc/Fm:kBZ5+MgeP7OU6ETcEZA4o
TLSH	T1ABE4012E95E84B31E97E1B7951F0A212433A7F195833E39E4C80F0F56DE6762861BB07
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	a261f4b2bacc7192 (15 x Formbook, 10 x AgentTesla, 8 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

277

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/306670/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.24746.17925.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Changing a file

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/630f040f116a699e028e173c/reports/aeb98319-7482-4d01-ad6d-e65c1c952bdd/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1061327

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b0bb5c54bfd9cf2ca6805612446724b90c433fca894cb97ce1252e700c0f6ac0/

Threat name:

ByteCode-MSIL.Backdoor.NetWiredRc

Status:

Malicious

First seen:

2022-08-31 06:43:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wc5vyvf73hhszjuakyjeizzexegegp6krfgls7hbeuxhadapnlaa._file

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/220831-hgwqvsachp/

Behaviour

Creates scheduled task(s)

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

212.193.30.230:3345

Unpacked files

SH256 hash:

c45a3dae97e5e635a567df02635fe941af384f35cc993d4e52a57fa4f4026b3e

MD5 hash:

966c65a2893f62df72494272d810448f

SHA1 hash:

de82f765123b6ed954996603b663e9bac36acfb6

Link:

https://www.unpac.me/results/defe3e05-17f7-4e39-92b5-2bcdb13715ad/

SH256 hash:

d559f276d4f4a4dfd801e8506ea586fa5f28e3d8ebdf7f34399de7516282d3be

MD5 hash:

85c9c4721a0dc23b56927bf45db7bdfc

SHA1 hash:

8efc4a7dded11b79f941f26fa799de3ec2de28ce

Link:

https://www.unpac.me/results/defe3e05-17f7-4e39-92b5-2bcdb13715ad/

SH256 hash:

3fbbab19515a8895243a2589bf057238f3e228a4b43d424ed6e0c72829d964da

MD5 hash:

a16a48a7c22bc300d6359c2ee98f1510

SHA1 hash:

7e3a20f5dc0381b4116666cfd26d2ba86d81e435

Link:

https://www.unpac.me/results/defe3e05-17f7-4e39-92b5-2bcdb13715ad/

SH256 hash:

dd789861d66793eb5c3bd68f200a571cf51d2d3db6ecf8ec670f4f82f7416d4f

MD5 hash:

19643806577ac4e072b5b61b69cab04f

SHA1 hash:

2298066d99e6f19f564c9100f183109674ab3a2e

Detections:

win_netwire_g1

win_netwire_auto

Netwire

Link:

https://www.unpac.me/results/defe3e05-17f7-4e39-92b5-2bcdb13715ad/

Parent samples :

ae2f65dc73b9f6946ced973c5dd998d53123110a8c7a4ad6d88e7cc56d9e3d6d
84530ed1bbd58c38b85fc93e447d14251cda335b3de5fe9216cf3386758cb0ee
40374376894492fb4f8aa245a8197df99859e2f98b786c344f877813a1a3f224
791667a955fb3cb2833edfc35880b557cf53f9ecba41ac96172606b934e982ba
beb979ea6eb528afbb51885caa428ddfda08172e26bcb1671296b40036ca9ff6
dea08975e4dfcf09c0a223ce08f787cfc0eeaba0ac6f692b3f4c10b7d1cce5d6
b0bb5c54bfd9cf2ca6805612446724b90c433fca894cb97ce1252e700c0f6ac0
9e90590b4333c2a963369cabf3c7671037039829c6d42a51f824356e621dff86
b57ed5956f300093ccca133cf806845cfaf4e11c067188cde5dd484be77a26c3
3c63068f0ff7610cbe73267e9d3c8a4adc977c9fae26f39808d2880f9c79e204
4c504c1ac1adf30de4604cba7720dd35ff80c629f4afd06bbb6cb36c11c05423

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/defe3e05-17f7-4e39-92b5-2bcdb13715ad/

SH256 hash:

b0bb5c54bfd9cf2ca6805612446724b90c433fca894cb97ce1252e700c0f6ac0

MD5 hash:

72c6e57d7911e55d1a6fd3e574af8ee7

SHA1 hash:

65be5556aaa31694a869c6fa46d16889e16ee6c9

Link:

https://www.unpac.me/results/defe3e05-17f7-4e39-92b5-2bcdb13715ad/

Malware family:

Netwire

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b0bb5c54bfd9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/306670/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample