MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6f5a289ab47b790c1bc57a5a3b35871fc968da66ebb3fdd7669de18c2ba3dd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6f5a289ab47b790c1bc57a5a3b35871fc968da66ebb3fdd7669de18c2ba3dd5
SHA3-384 hash: 1c753fa3b85b2563fa0bd1a7fc267602133ae065d83cf7dab317938751ccd37ede93fdb16e0cc7b87346b33e59dccc60
SHA1 hash: 91bb096d730ca536a0f18534acdec271bdd0eefa
MD5 hash: e792eb4a972110714df6761ef60284c6
humanhash: oklahoma-queen-lamp-floor
File name:15-08-2020 - SOFT COPY_PAYMENT SLIP.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:239'616 bytes
First seen:2020-08-15 17:28:14 UTC
Last seen:2020-08-15 18:33:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:20oKIXs24n9ST9cjHl2yw5MQ15vUX1jV:20oV4kcjw5MgvU
Threatray 243 similar samples on MalwareBazaar
TLSH FB34C056679F1623C7090A391CC2A37002306FAB7EEBBF8716CE750526B97AD187D583
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: WIN-TPNQQ41KAUA.home
Sending IP: 66.7.148.55
From: support <riya.psharma12@gmail.com>
Subject: Regarding late payment
Attachment: 15-08-2020 - SOFT COPY_PAYMENT SLIP.rar (contains "15-08-2020 - SOFT COPY_PAYMENT SLIP.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
333
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Netwire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/46342/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.276.28581.15573.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Creating a window
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Creating a file
Moving of the original file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/432085
Signature
Allocates memory in foreign processes
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Creates an undocumented autostart registry key
Creates files in alternative data streams (ADS)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Sigma detected: NetWire
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 268456 Sample: 15-08-2020 - SOFT COPY_PAYM... Startdate: 17/08/2020 Architecture: WINDOWS Score: 100 40 Yara detected NetWire RAT 2->40 42 Sigma detected: NetWire 2->42 44 Executable has a suspicious name (potential lure to open the executable) 2->44 46 3 other signatures 2->46 7 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe 9 2->7         started        process3 file4 32 C:\Users\user\AppData\Local\Temp\tmp.exe, PE32 7->32 dropped 34 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 7->34 dropped 36 15-08-2020 - SOFT ...AYMENT SLIP.exe.log, ASCII 7->36 dropped 50 Moves itself to temp directory 7->50 52 Writes to foreign memory regions 7->52 54 Allocates memory in foreign processes 7->54 56 Injects a PE file into a foreign processes 7->56 11 tmp.exe 2 7->11         started        15 svhost.exe 7->15         started        17 cmd.exe 1 7->17         started        19 2 other processes 7->19 signatures5 process6 dnsIp7 38 iphanyi.duckdns.org 150.242.14.61, 3360 WEBWERKS-AS-INWebWerksIndiaPvtLtdIN India 11->38 58 Contains functionality to log keystrokes 11->58 60 Machine Learning detection for dropped file 11->60 62 Contains functionality to steal Chrome passwords or cookies 15->62 21 reg.exe 1 1 17->21         started        24 conhost.exe 17->24         started        64 Creates files in alternative data streams (ADS) 19->64 26 conhost.exe 19->26         started        28 conhost.exe 19->28         started        30 timeout.exe 1 19->30         started        signatures8 process9 signatures10 48 Creates an undocumented autostart registry key 21->48
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6f5a289ab47b790c1bc57a5a3b35871fc968da66ebb3fdd7669de18c2ba3dd5/
Threat name:
ByteCode-MSIL.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2020-08-15 17:30:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w322fcnli63zbqn4k6s2hm2yoh6jndngn25t7xlwnhpbrqv2hxkq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0c34d4763fc968ccbe9f33dec2ae9e3e132a61b40ffc93cc22f337a0758c0279
NetWire
3e9f05acde528ea5fd7ca9d0c2af0e82d29e343d2f61420290e6f660630cd25f
NetWire
573f11821c72786131d82bcdb3744b83d01615c25489f4cf2c46181ae6143226
NetWire
73cc33d200ce22012733ea7c3fa8d03ef3ea65164497314d7d05b2992892d4e0
NetWire
934609a4e6bbf6eda68c1a09fbd0d5e331229f974148c21aa99add9f94171ec1
NetWire
b0a98ae8b1dadc3b181f6252abef59940ceeb5019cd4ae2f0feadb0a520063cd
NetWire
c1ffaaa3fad1741534ca46e6eb19dbafebc46932eecccef600f69a615d8e57ea
NetWire
df2688f6f88ea0e66b46d856e514adf25f8456cb4e45c849233799e17b1171e3
NetWire
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
NetWire
f2535caecce2737920213eb3f84ad8f9cb783d4562303bfad9bcdbb7749d1c01
NetWire
+ 233 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
rat botnet stealer family:netwire
Link:
https://tria.ge/reports/200815-ac3k2389xs/
Behaviour
Delays execution with timeout.exe
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6f5a289ab47b790c1bc57a5a3b35871fc968da66ebb3fdd7669de18c2ba3dd5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar af5f5520e428ff03c99d655b7d8968a659f788a6a93284e0121ce0814ebb38d8

NetWire

Executable exe b6f5a289ab47b790c1bc57a5a3b35871fc968da66ebb3fdd7669de18c2ba3dd5

(this sample)

  
Dropped by
MD5 a919abd1954ba7fbc64698888c51b109
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46342/
  
Dropped by
SHA256 af5f5520e428ff03c99d655b7d8968a659f788a6a93284e0121ce0814ebb38d8

Comments