MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1c36240effced3001500a115e71328faf0136490f67568ec382ccd97254415e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1c36240effced3001500a115e71328faf0136490f67568ec382ccd97254415e
SHA3-384 hash: 52d19fceee09fc48098387f38fba7d886591fd452fa3367e9c545c8a6016f9d648f35abd20d64584e7be72b7fdfc58e2
SHA1 hash: fe779db3e12a96b6c7ed72ccb803b610180f64a6
MD5 hash: 44e57ffe7df36c98a6577f620ca10b03
humanhash: north-table-idaho-july
File name:RE-ORDER 0738073583 2022.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:791'552 bytes
First seen:2022-11-16 08:42:31 UTC
Last seen:2022-11-16 11:01:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:kAdq9V5fIv6ALGXzOx/Ps7fdCg8gg7Xgv0VIngcpCYrN:kAs9HIv6UGjOZPm89Lgv0VIgICQ
Threatray 4'922 similar samples on MalwareBazaar
TLSH T1F9F44B2D79BCF412EF3BA9A70EE6AA4BCC701241161A91070D2937DEE935C7B3D4D14A
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
RE-ORDER 0738073583 2022.exe
Verdict:
Malicious activity
Analysis date:
2022-11-16 08:45:14 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/93f84187-6747-446e-bebe-0db4d2fec59d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334703/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.2872.26625.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6374a2986fda73cab64e0657/reports/509c8095-68fe-493a-9b02-e07aad31bb26/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9324d772-7ca6-459e-9c47-392d3c4fb83d
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1114640
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 747336 Sample: RE-ORDER 0738073583 2022.exe Startdate: 16/11/2022 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus detection for URL or domain 2->67 69 11 other signatures 2->69 9 RE-ORDER 0738073583 2022.exe 7 2->9         started        13 DrWzPThQJoNCrH.exe 5 2->13         started        process3 file4 51 C:\Users\user\AppData\...\DrWzPThQJoNCrH.exe, PE32 9->51 dropped 53 C:\...\DrWzPThQJoNCrH.exe:Zone.Identifier, ASCII 9->53 dropped 55 C:\Users\user\AppData\Local\...\tmpB6D6.tmp, XML 9->55 dropped 57 C:\Users\...\RE-ORDER 0738073583 2022.exe.log, ASCII 9->57 dropped 71 Adds a directory exclusion to Windows Defender 9->71 15 RE-ORDER 0738073583 2022.exe 3 9->15         started        18 powershell.exe 21 9->18         started        20 schtasks.exe 1 9->20         started        73 Multi AV Scanner detection for dropped file 13->73 75 Machine Learning detection for dropped file 13->75 22 schtasks.exe 13->22         started        24 DrWzPThQJoNCrH.exe 13->24         started        26 DrWzPThQJoNCrH.exe 13->26         started        signatures5 process6 file7 59 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 15->59 dropped 28 Host.exe 5 15->28         started        31 conhost.exe 18->31         started        33 conhost.exe 20->33         started        35 conhost.exe 22->35         started        process8 signatures9 77 Multi AV Scanner detection for dropped file 28->77 79 Machine Learning detection for dropped file 28->79 81 Adds a directory exclusion to Windows Defender 28->81 37 Host.exe 28->37         started        41 powershell.exe 28->41         started        43 schtasks.exe 28->43         started        process10 dnsIp11 61 79.134.225.121, 2210, 49699, 49704 FINK-TELECOM-SERVICESCH Switzerland 37->61 49 C:\Users\user\AppData\Roaming\...\sqlite3.dll, PE32 37->49 dropped 45 conhost.exe 41->45         started        47 conhost.exe 43->47         started        file12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1c36240effced3001500a115e71328faf0136490f67568ec382ccd97254415e/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 06:58:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
15 of 39 (38.46%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=whbweqhp7twtaakqbiiv44jsr6xqcnsjb5tvndwdqlgns4suifpa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
17a3a47fee308ff270af546a193a78a7328f43a1fa3bdaee5fdbd96f4bf6cbd4
NetWire
1a406441ee9a05e405e81cdf76e727826fc647fc6aa1bd531abb94ff3a6c0b3e
NetWire
1cc44e0f214cbf72c836dcbd1b1e67ad574bba62873f974432ee076072bf42cc
NetWire
791b2bf682699cf97e3925dee40ddd5c2cb728e80f798225a7fb0b713c1b1544
NetWire
9754284c45e7c6b119c5d377df3679f88ec3e753390d0f43980b22673302b059
NetWire
d49ae415cb86861a5dda7254a78dc8a2f68b4976e92cb3c5a62584c33375bdeb
NetWire
db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0
NetWire
e9cc0af19d1d8bafdef3ffb9dae747c83cce8b83718ca9d6ef95c80d6e66b344
NetWire
+ 4'912 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/221116-kmklwshh33/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
79.134.225.121:2210
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d03dfbda-7124-4669-8153-9bf3c6c6e028
Unpacked files
SH256 hash:
9f849f41859a480ac2425030db23ae7df105249a176ccc4b8d6bbd2a93ea3c3e
MD5 hash:
c93c7d37bc9b50c240a50aefbf4e97f5
SHA1 hash:
eba66d8b24c7c187d0e98f9aa70a90ac284d737d
Link:
https://www.unpac.me/results/ad630306-002a-4c66-885f-48f2bc127fac/
SH256 hash:
fa897a690c448dff29264f652e65c96c8b95cf9a044df62557d43a1ac5b2526c
MD5 hash:
f5fe09a06621dfba7692f7891cb89a1b
SHA1 hash:
ca87a300b043b145ce9a24ef63387199cc66dad9
Link:
https://www.unpac.me/results/ad630306-002a-4c66-885f-48f2bc127fac/
SH256 hash:
676d6777db561564654148992be96c0b6eb1c2614df87bb873cabe6d4acc6b2e
MD5 hash:
29cbc70b99a1c54e0dc1ff83dc656f64
SHA1 hash:
4d3e7216c4e7a04d9521ac6ebb4a4bb48923a69f
Detections:
Netwire
Create hunting rule
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/ad630306-002a-4c66-885f-48f2bc127fac/
SH256 hash:
ab19f28c700d64814b0c55df868c30dfb94e0a1f9fb6f7bca05bac6eb78a4e52
MD5 hash:
1f2a6c02dcf9aa00a28a5039fb5b8ce0
SHA1 hash:
1ef480867d39b98368af7586a8e6ba38c0c3893a
Link:
https://www.unpac.me/results/ad630306-002a-4c66-885f-48f2bc127fac/
SH256 hash:
f9d4fb4e446af7925d214fb8a2002db2341289a9337cf1b39d731c2e584682e3
MD5 hash:
20493beeefe6d7f58d0b85db704fcf50
SHA1 hash:
1edd1a57f428e7379647b4dfbc9682d7a28fa615
Link:
https://www.unpac.me/results/ad630306-002a-4c66-885f-48f2bc127fac/
SH256 hash:
b1c36240effced3001500a115e71328faf0136490f67568ec382ccd97254415e
MD5 hash:
44e57ffe7df36c98a6577f620ca10b03
SHA1 hash:
fe779db3e12a96b6c7ed72ccb803b610180f64a6
Link:
https://www.unpac.me/results/ad630306-002a-4c66-885f-48f2bc127fac/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b1c36240effc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1c36240effced3001500a115e71328faf0136490f67568ec382ccd97254415e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe b1c36240effced3001500a115e71328faf0136490f67568ec382ccd97254415e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/334703/

Comments