MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be2073e4f262c4e72167e22c77958fa4e7b4fb08c63c213e2cfdd5b9a3b30f50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be2073e4f262c4e72167e22c77958fa4e7b4fb08c63c213e2cfdd5b9a3b30f50
SHA3-384 hash: ae452d621dea873aea8f4ced98bb5015f2a8d4b868913fbcb1b2de12c3f6c65e3cfd7efe4697c69325baf83e6acbbdb2
SHA1 hash: d488fa350b1f3d9deceaac9209a74782f250876b
MD5 hash: 0bbccb6e1385c562f8f79a0096d4b1f8
humanhash: robert-failed-finch-west
File name:HT0536CF.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:590'336 bytes
First seen:2021-09-21 08:05:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:jFpLIbw8eGGmtiK5okiDgHPEcJTwZdwDF:r8bw8eGG+FopcsAcZdi
Threatray 10'571 similar samples on MalwareBazaar
TLSH T18BC4015171AE4268CB9E3B72206197903B73FC769973920D2ACC70CD5B376428F76B26
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
194.5.98.25:5345

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.5.98.25:5345 https://threatfox.abuse.ch/ioc/223788/

Intelligence

File Origin
# of uploads :
1
# of downloads :
525
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HT0536CF.exe
Verdict:
Malicious activity
Analysis date:
2021-09-21 08:07:35 UTC
Tags:
trojan netwire rat
Link:
https://app.any.run/tasks/d4220a87-f728-48d4-aa11-e61dc6570fab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189694/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.26929.UNOFFICIAL
Create hunting rule

Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86055cd5-bbdc-4265-9dea-a8f338dcc5e4
Result
Threat name:
AgentTesla NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854654
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Contains functionality to steal Chrome passwords or cookies
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected NetWire RAT
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 487085 Sample: HT0536CF.exe Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 40 betterday.duckdns.org 194.5.98.25, 49749, 49750, 49759 DANILENKODE Netherlands 2->40 42 162.159.135.233, 443, 49809 CLOUDFLARENETUS United States 2->42 44 cdn.discordapp.com 2->44 54 Antivirus detection for dropped file 2->54 56 Multi AV Scanner detection for dropped file 2->56 58 Yara detected AgentTesla 2->58 60 8 other signatures 2->60 8 HT0536CF.exe 15 7 2->8         started        signatures3 process4 dnsIp5 50 cdn.discordapp.com 162.159.133.233, 443, 49741, 49752 CLOUDFLARENETUS United States 8->50 52 192.168.2.1 unknown unknown 8->52 30 C:\Users\user\AppData\...\HT0536CF.exe.log, ASCII 8->30 dropped 74 Contains functionality to steal Chrome passwords or cookies 8->74 76 Injects a PE file into a foreign processes 8->76 13 hdf.exe 7 8->13         started        17 HT0536CF.exe 3 8->17         started        file6 signatures7 process8 file9 32 C:\Users\user\AppData\Local\Temp\maur.exe, PE32 13->32 dropped 34 C:\Users\user\AppData\Local\Temp\49.exe, PE32 13->34 dropped 36 C:\Users\user\AppData\Local\Temp\22.exe, PE32 13->36 dropped 78 Antivirus detection for dropped file 13->78 80 Multi AV Scanner detection for dropped file 13->80 82 Machine Learning detection for dropped file 13->82 19 49.exe 2 4 13->19         started        38 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 17->38 dropped 23 Host.exe 14 6 17->23         started        signatures10 process11 dnsIp12 26 C:\Users\user\AppData\Local\Temp\...\uyp.exe, PE32 19->26 dropped 62 Antivirus detection for dropped file 19->62 64 Multi AV Scanner detection for dropped file 19->64 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->66 72 5 other signatures 19->72 46 162.159.129.233, 443, 49748 CLOUDFLARENETUS United States 23->46 48 cdn.discordapp.com 23->48 28 C:\Users\user\AppData\Local\Temp\hdf.exe, PE32 23->28 dropped 68 Machine Learning detection for dropped file 23->68 70 Injects a PE file into a foreign processes 23->70 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be2073e4f262c4e72167e22c77958fa4e7b4fb08c63c213e2cfdd5b9a3b30f50/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 08:06:26 UTC
AV detection:
9 of 44 (20.45%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xyqhhzhsmlcooilh4iwhpfmputt3j6yiyy6ccprm7xk3ti5tb5ia._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
0538554b73f98f395950af81f30e4fc99407e991babdce510bb61f9f9b56f23e
NetWire
06835e2c284ded66ca44497caf918d1ce6f216e68af866e85ac6fb79332b75f7
NetWire
1296e2be1e9e8dc2431cd3c37337af6fe9f2ad6e9b380111507b009642250216
NetWire
2cda176ce221ab580e6d9bbebc4333fa2156c33c9d4e3666c38eba656e13ef6b
NetWire
3afedea501a9bca64d1d400f5e3aa79e1f0d359a035d84569c123d49458425f2
NetWire
482a6a0bf95d313de664dec7523d7487995d5f26e1a30b8bc62c0a5e1431fbd7
NetWire
760c5c96174d0f5f899970f3b35da290b831f4c85221b1e274a5491fcf08b264
NetWire
8c940846bd45f30de0358c90c8caef670b5e15bc9468452418d215c40ed62a20
NetWire
ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa
NetWire
bcdc3a6d1789655987f5d907b4448d4cf1f5c862b6f24b91ae7b73dcaca65b2a
NetWire
+ 10'561 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:netwire botnet keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210921-jzgkbsbdhj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
AgentTesla Payload
AgentTesla
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
betterday.duckdns.org:5345
https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument
Unpacked files
SH256 hash:
4006f784abcbfd870449851236aebed29c996a46bb453640b04e1ea47b81c9c3
MD5 hash:
402c96c0760452fd5a9e88a8f1ba59e4
SHA1 hash:
c115e82b34e13f6cef14bb2225f85cac2171a888
Link:
https://www.unpac.me/results/8afc5e1f-8bbd-488d-8263-92f3ed805d2b/
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/8afc5e1f-8bbd-488d-8263-92f3ed805d2b/
SH256 hash:
0d46fa6b67893cdfa116756b67b4f342aa093ac2e4e9574fd2e9b60ada66b5fe
MD5 hash:
2f04be5ed8911b97868e8b859ff9072a
SHA1 hash:
20cd1daa8a424579316faf62026806587a70578e
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/8afc5e1f-8bbd-488d-8263-92f3ed805d2b/
Parent samples :
d55aa6bea84dd9982c908b020d9529679c6219f9da29a794af64894eb9f092dc
23f943791b5757309e0fa0531c4f347ecba3d45d568cd1aae3f6828af0c0ea1d
be2073e4f262c4e72167e22c77958fa4e7b4fb08c63c213e2cfdd5b9a3b30f50
SH256 hash:
cf264f7a1b9099d772a31cb0534ef9edc5886e9816559e5fdac63c03c8a910a6
MD5 hash:
4f7ff6eac3be00c6558dfd2c1c4c0bd8
SHA1 hash:
14a62b8967204f83525cd6d6826bb7d19677d037
Link:
https://www.unpac.me/results/8afc5e1f-8bbd-488d-8263-92f3ed805d2b/
SH256 hash:
be2073e4f262c4e72167e22c77958fa4e7b4fb08c63c213e2cfdd5b9a3b30f50
MD5 hash:
0bbccb6e1385c562f8f79a0096d4b1f8
SHA1 hash:
d488fa350b1f3d9deceaac9209a74782f250876b
Link:
https://www.unpac.me/results/8afc5e1f-8bbd-488d-8263-92f3ed805d2b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be2073e4f262c4e72167e22c77958fa4e7b4fb08c63c213e2cfdd5b9a3b30f50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.
Rule name:win_netwire_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:NetWiredRC

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189694/

Comments