MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b50a0ea3d467e25e9c1917668e10f70e67434e468fcecbb1d3a927a3f105dbfa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b50a0ea3d467e25e9c1917668e10f70e67434e468fcecbb1d3a927a3f105dbfa
SHA3-384 hash: 4541aa3a40b1a32e9bbf5904d05ae12a72f05f21c94690a9efbb81c9c9cb5bd98f308705ac9459488840d7fa21b487fa
SHA1 hash: 828bcdd3d1e32d2ed0b0660fc92f41a562d4d466
MD5 hash: 07591af2349f8ebc5789fcb0b60c7c91
humanhash: butter-moon-blossom-comet
File name:detail-information.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:505'856 bytes
First seen:2020-08-30 14:03:55 UTC
Last seen:2020-08-30 14:41:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:LWA2IkZdzYvhJMSIJmYBv4fshVcSeobWbUsNbwR0+:LW53YvH8mYBA00SlCbR1wm+
Threatray 246 similar samples on MalwareBazaar
TLSH 3BB4135063DC8A7FCBE70335746A49400BB1A6B3388BEB49A8D0D4C66A537C516E25FB
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: server1.domainrevive.com
Sending IP: 209.188.7.162
From: mrdaan@dallisonwed.com
Subject: COOPERATION OFFER
Attachment: detail-information.rar (contains "detail-information.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Agenttesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53135/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.29693.14318.7736.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Sending a UDP request
Launching a process
DNS request
Running batch commands
Creating a process with a hidden window
Connection attempt
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/454660
Signature
Contains functionality to steal Chrome passwords or cookies
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Sigma detected: NetWire
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 279702 Sample: detail-information.exe Startdate: 30/08/2020 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 Yara detected NetWire RAT 2->55 57 3 other signatures 2->57 8 detail-information.exe 4 2->8         started        process3 file4 39 C:\Users\user\AppData\...\HJdyTuap.exe, PE32 8->39 dropped 41 C:\Users\user\AppData\Local\Temp\java.exe, PE32 8->41 dropped 43 C:\Users\user\...\java.exe:Zone.Identifier, ASCII 8->43 dropped 59 Drops PE files to the startup folder 8->59 61 Writes to foreign memory regions 8->61 63 Maps a DLL or memory area into another process 8->63 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->65 12 detail-information.exe 1 8->12         started        15 RegAsm.exe 8->15         started        17 RegAsm.exe 2 8->17         started        20 cmd.exe 1 8->20         started        signatures5 process6 dnsIp7 67 Writes to foreign memory regions 12->67 69 Maps a DLL or memory area into another process 12->69 22 RegAsm.exe 12->22         started        25 cmd.exe 1 12->25         started        27 RegAsm.exe 12->27         started        33 2 other processes 12->33 71 Contains functionality to steal Chrome passwords or cookies 15->71 45 djohn-fax.home-webserver.de 103.207.39.83, 1020, 49715, 49716 VNPT-AS-VNVNPTCorpVN Viet Nam 17->45 47 192.168.2.1 unknown unknown 17->47 29 conhost.exe 20->29         started        31 choice.exe 1 20->31         started        signatures8 process9 dnsIp10 49 djohn-fax.home-webserver.de 22->49 35 conhost.exe 25->35         started        37 choice.exe 1 25->37         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b50a0ea3d467e25e9c1917668e10f70e67434e468fcecbb1d3a927a3f105dbfa/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-30 13:50:22 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wufa5i6um7rf5hazc5ti4ehxbztugtsgr7hmxmotvet2h4if3p5a._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1254f2a5cf88750e22a29c78e1e316cd034d3763302bfafaea0ceac3fec49e1e
NetWire
1c1035301c27d73a161ca96f9732f5024eb924798ce95d76d274b751ff87aa2f
NetWire
3434bb383c8dd721266f60e07820474205d70c5da9ebb465109ace7894567437
NetWire
9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
NetWire
940ca9e10bfa12f912ed6d60e827f89726fd036eadafa77eff33a7168b59839a
NetWire
b5f9a952c4009061a21147103fc6d762c60e070fc588cab92846fc1c29679715
NetWire
e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd
NetWire
e5b32b4bb73f9bf50a9e4e3236ea3bf54577675b46d98deb142d668e7ea1653a
NetWire
f52c73e9a148074ad2d20b27874e0c183a461f0e21ed09874ef706e464757e2e
NetWire
ffd24bd48e21a03c0b7fc884a12bd22e88e8d56735d810fccb64e6e6ca27768d
NetWire
+ 236 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
rat botnet stealer family:netwire
Link:
https://tria.ge/reports/200830-dtzdp61c5e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
NetWire RAT payload
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b50a0ea3d467e25e9c1917668e10f70e67434e468fcecbb1d3a927a3f105dbfa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar 1c61c1b5a0420e288ba79646b6008774fefa4ba11399485637cb9bc7afcb9cc9

NetWire

Executable exe b50a0ea3d467e25e9c1917668e10f70e67434e468fcecbb1d3a927a3f105dbfa

(this sample)

  
Dropped by
MD5 61fd67760b27ff651d40edd85da49e00
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53135/
  
Dropped by
SHA256 1c61c1b5a0420e288ba79646b6008774fefa4ba11399485637cb9bc7afcb9cc9

Comments