MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c
SHA3-384 hash: 9bc82c29968786ab164a20234c47e96601cf752b58bd6929f3e272279c6d60191582bd52ecc3a524b6319465ff1bc29d
SHA1 hash: 5c3282c4b919fb7d5a84a8026233fe358de5a022
MD5 hash: 14a8ed4f4d833c20f775d254eb751f2d
humanhash: sierra-robert-north-cold
File name:SecuriteInfo.com.Win32.RATX-gen.8711.15068
Download: download sample
Signature NetWire
Create hunting rule
File size:732'672 bytes
First seen:2023-01-05 08:36:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:9zJs9gjEzcfWT+9FOcfx1HsAYaZAtpuxHJNp7lbheaiA/yQRq9CLQrx99s2z:U35Mx3Ya8ApbPeoyN9CWTs2
Threatray 5'200 similar samples on MalwareBazaar
TLSH T118F4DF7D317A5CA7CAAC04FE40124001C7F2618AB28FDAD89DCF60EB95F6FA5194196F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e7c7cccecce448b4 (3 x AgentTesla, 1 x NetWire)
Reporter SecuriteInfoCom
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.RATX-gen.8711.15068
Verdict:
Malicious activity
Analysis date:
2023-01-05 08:42:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/867e1347-08e2-4bca-90eb-ff56f2d37234

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349584/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.8711.15068.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63b68c30a70bef46551d2754/reports/abd83128-81a2-4f51-bd5c-4bb397e74659/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0eb24746-69f8-4d38-9ffd-d62572dca50e
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1145518
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 778250 Sample: SecuriteInfo.com.Win32.RATX... Startdate: 05/01/2023 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 6 other signatures 2->57 8 SecuriteInfo.com.Win32.RATX-gen.8711.15068.exe 7 2->8         started        12 abmJUJB.exe 5 2->12         started        process3 file4 41 C:\Users\user\AppData\Roaming\abmJUJB.exe, PE32 8->41 dropped 43 C:\Users\user\...\abmJUJB.exe:Zone.Identifier, ASCII 8->43 dropped 45 C:\Users\user\AppData\Local\...\tmpF6B9.tmp, XML 8->45 dropped 47 SecuriteInfo.com.W....8711.15068.exe.log, ASCII 8->47 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 8->59 61 Adds a directory exclusion to Windows Defender 8->61 14 RegSvcs.exe 3 8->14         started        17 powershell.exe 21 8->17         started        19 schtasks.exe 1 8->19         started        63 Multi AV Scanner detection for dropped file 12->63 65 Machine Learning detection for dropped file 12->65 21 RegSvcs.exe 2 12->21         started        23 schtasks.exe 1 12->23         started        25 RegSvcs.exe 12->25         started        signatures5 process6 file7 49 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 14->49 dropped 27 Host.exe 2 14->27         started        29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 Host.exe 21->33         started        35 conhost.exe 23->35         started        process8 process9 37 conhost.exe 27->37         started        39 conhost.exe 33->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c/
Threat name:
ByteCode-MSIL.Trojan.NetWired
Create hunting rule
Status:
Malicious
First seen:
2023-01-05 06:29:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wpgrvag7plqwktnapibqaz4bzazebakn23mz3mt7c4z63athmyoa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
09355d5564e1cdd59ac0285e586ba2b0e2c7b4c5c9efa17cb8fb1fc4b8c3c19a
NetWire
1bb72419895796c3a394f4b55f0c31959c992111803764d8167dcb6c7af3088c
NetWire
1cc44e0f214cbf72c836dcbd1b1e67ad574bba62873f974432ee076072bf42cc
NetWire
22a7c02eac7f7940eba9afa9ca51a179789e22257ffe87cbab02c15360a9fded
NetWire
63c76b6d8a6c83e113d4a72361c8df64d493339fe94503522b3f666b19aacfa2
NetWire
98949b9cd7eb063eb4a2970136d3483b29891bd8c1c2ec6104e45b76f838ddf9
NetWire
99e8dfa23cef1d5d67c765df3de3bc6e750a2d8fa4628a9442d08fc40aaaa656
NetWire
a317414343c80367a0b5cdc91b77f1948f229fda4dbaea75b07258a2cd6a4ecd
NetWire
b1c36240effced3001500a115e71328faf0136490f67568ec382ccd97254415e
NetWire
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0
NetWire
+ 5'190 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/230105-kh522abd69/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
212.193.30.230:7324
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f0a17846-d57d-4a3b-a605-579e2ef8ac28
Unpacked files
SH256 hash:
7b64942a72a55fcbc488e25679ad8e46ba79b61f6f448dba7ece8c6b7a7ea383
MD5 hash:
33285335800a96e0be03e9c8662c0c35
SHA1 hash:
e0a3bd68abc0dcde8b6676cc514ee9a34b4ece14
Link:
https://www.unpac.me/results/12007816-2a72-4126-b3e1-c08acd6bf5d2/
SH256 hash:
e0977b1c5a15c04d30f09db5775a0e0bd4ba6dcc434cbcbf35051ec11b26f22a
MD5 hash:
8e0236147f436164137fbc702159670c
SHA1 hash:
7027afe6def27cb7f5e16f992a458982459baccc
Detections:
Netwire
Create hunting rule
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/12007816-2a72-4126-b3e1-c08acd6bf5d2/
Parent samples :
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0
b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c
SH256 hash:
2685994d9d90acec56b84e090339a17a6e53c2df7f7e6c42e5d81ed0ec4dba34
MD5 hash:
36cf85d829bf14dbe6004dbce0d2eee4
SHA1 hash:
6e6c73586c06de984743b047f5c82295f4de4bbc
Link:
https://www.unpac.me/results/12007816-2a72-4126-b3e1-c08acd6bf5d2/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/12007816-2a72-4126-b3e1-c08acd6bf5d2/
SH256 hash:
6383c137b41cf511255a80df349317df6465d3a1b6852319ea3f93bcdd2391e7
MD5 hash:
b70b2d2b1b1e4ff216c07ece1781e6a8
SHA1 hash:
0607c176d45977367f0931dfb1937f1ea4d88d7b
Link:
https://www.unpac.me/results/12007816-2a72-4126-b3e1-c08acd6bf5d2/
SH256 hash:
b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c
MD5 hash:
14a8ed4f4d833c20f775d254eb751f2d
SHA1 hash:
5c3282c4b919fb7d5a84a8026233fe358de5a022
Link:
https://www.unpac.me/results/12007816-2a72-4126-b3e1-c08acd6bf5d2/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b3cd1a80df7a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349584/

Comments