MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7f42f93e5c2dfcb4620859c74593f1090dcca50dbf14d7665e31832b3ff0313. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7f42f93e5c2dfcb4620859c74593f1090dcca50dbf14d7665e31832b3ff0313
SHA3-384 hash: d4d167cf5426cdaa76700c8219911c19b0dae098be60ae1de8ea86c9c5e173b7418e211ff106d169253b2a299cd9d570
SHA1 hash: 8b5dd2f2d271b5503a865bd6641e7a761ee9c520
MD5 hash: 24c8b4647f7cdef7524055129030454f
humanhash: social-louisiana-sink-virginia
File name:24C8B4647F7CDEF7524055129030454F.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:24'117'248 bytes
First seen:2021-07-19 21:41:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (864 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 393216:gQGG8FeEfdQqWR8BTnCjXqwzyUDVVugHDsJW9nXVnFr:gjFeAQ0BUXNuDJanlnF
Threatray 816 similar samples on MalwareBazaar
TLSH T1A63733823AE15EA2D05A6C337B75BA015EB97C201F398489DBD84F449FB4453B07E7B2
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
213.152.186.35:3650

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
213.152.186.35:3650 https://threatfox.abuse.ch/ioc/161226/

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
24C8B4647F7CDEF7524055129030454F.exe
Verdict:
Malicious activity
Analysis date:
2021-07-19 21:43:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9d396808-f685-4567-a2fd-88b7f75d54e6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Qshell-9875653-0
Create hunting rule

SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Result
Threat name:
Netwire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
62 / 100
Link:
https://www.joesandbox.com/analysis/818555
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Netwire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450966 Sample: jZ5m8kkAC7.exe Startdate: 19/07/2021 Architecture: WINDOWS Score: 62 92 Malicious sample detected (through community Yara rule) 2->92 94 Antivirus detection for dropped file 2->94 96 Multi AV Scanner detection for submitted file 2->96 98 4 other signatures 2->98 10 jZ5m8kkAC7.exe 9 2->10         started        13 kingencord.exe 2->13         started        process3 file4 70 C:\Users\user\AppData\...\WinDriversQt.exe, PE32 10->70 dropped 72 C:\Users\user\AppData\...\Hostforced12.exe, PE32 10->72 dropped 74 C:\Users\user\AppData\...\nb672-full.exe, PE32 10->74 dropped 16 Hostforced12.exe 5 10->16         started        19 WinDriversQt.exe 8 10->19         started        21 nb672-full.exe 33 10->21         started        114 Writes to foreign memory regions 13->114 116 Allocates memory in foreign processes 13->116 118 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->118 120 Injects a PE file into a foreign processes 13->120 24 mscorsvw.exe 13->24         started        signatures5 process6 dnsIp7 84 Antivirus detection for dropped file 16->84 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->86 27 cmd.exe 1 16->27         started        29 cmd.exe 2 16->29         started        88 Machine Learning detection for dropped file 19->88 33 cmd.exe 1 19->33         started        35 conhost.exe 19->35         started        62 C:\Users\user\AppData\Local\Temp\...\sc.exe, PE32 21->62 dropped 64 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 21->64 dropped 66 C:\Users\user\AppData\Local\...\cpudesc.dll, PE32 21->66 dropped 68 4 other files (none is malicious) 21->68 dropped 90 Tries to detect virtualization through RDTSC time measurements 21->90 82 maelus.mine.nu 24->82 file8 signatures9 process10 file11 37 kingencord.exe 4 27->37         started        40 conhost.exe 27->40         started        76 C:\Users\user\AppData\...\kingencord.exe, PE32 29->76 dropped 42 conhost.exe 29->42         started        122 Uses cmd line tools excessively to alter registry or file data 33->122 124 Uses schtasks.exe or at.exe to add and modify task schedules 33->124 44 reg.exe 1 1 33->44         started        46 reg.exe 33->46         started        48 reg.exe 1 33->48         started        50 23 other processes 33->50 signatures12 process13 signatures14 102 Writes to foreign memory regions 37->102 104 Allocates memory in foreign processes 37->104 106 Hides that the sample has been downloaded from the Internet (zone.identifier) 37->106 108 Injects a PE file into a foreign processes 37->108 52 cmd.exe 37->52         started        55 mscorsvw.exe 37->55         started        110 Disables Windows Defender (deletes autostart) 44->110 112 Disable Windows Defender real time protection (registry) 46->112 process15 dnsIp16 100 Uses cmd line tools excessively to alter registry or file data 52->100 58 conhost.exe 52->58         started        60 reg.exe 52->60         started        78 maelus.mine.nu 213.152.186.35, 3650, 49742, 49748 GLOBALLAYERNL Netherlands 55->78 80 192.168.2.1 unknown unknown 55->80 signatures17 process18
Gathering data
Threat name:
Win32.Spyware.Loyeetro
Create hunting rule
Status:
Malicious
First seen:
2021-07-17 09:38:22 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w72c7e7fylp4wrraqwohiwj7ccinzssq3pyu25tf4mmdfm77amjq._file
Verdict:
malicious
Similar samples:
3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89
NetWire
61640080e5604b1f88734d5d6d4dc118a79f3670053d5b297e0353dce9fa60bb
NetWire
61d9f4cbc76b7889d7d17d262b63c0fd2ee40642653063b1eb6ab84397f8c57b
NetWire
6d5307f8ae9c15be09190b6ff1f2c557d7a0519b765b6ef020ac3e7343fb190c
NetWire
6fc307063c376b8be2d3a9545959e068884d9cf7f819b176adf676fc4addef7d
NetWire
85043eafa7e9aadbb9ce3ad5450306dba8acd602408998e7becacfea4e236c93
NetWire
8ba72a391fb653b2cc1e5caa6f927efdf46568638bb4fc25e6f01dc36a96533b
NetWire
9bae8f0da8acb0e760eb61482cafc928199f841e10e0426a6650d140be0154c3
NetWire
b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b
NetWire
de17e583a4d112ce513efd4b7cb575d272dcceef229f81360ebdfa5a1e083f11
NetWire
+ 806 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet evasion persistence rat stealer trojan
Link:
https://tria.ge/reports/210719-kcfg7vcjf6/
Behaviour
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Modifies security service
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
maelus.mine.nu:3650
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b7f42f93e5c2dfcb4620859c74593f1090dcca50dbf14d7665e31832b3ff0313

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments