MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfae4bc772025d9c3b68f74230a937a1bf062c4bb22994ce2606aa785577c2b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfae4bc772025d9c3b68f74230a937a1bf062c4bb22994ce2606aa785577c2b4
SHA3-384 hash: 95cfcd10794b9d7c24900bb7d7e9e0e1fee58829a35a33884f76f3b94153c2665c8dc1b448070c4ef199052f18b60aa6
SHA1 hash: 6dec342aa4d0e5196fc53571b6974065bb69151b
MD5 hash: 075da9731dfb7e9bba1c36b3f023e42a
humanhash: connecticut-utah-carbon-oranges
File name:bfae4bc772025d9c3b68f74230a937a1bf062c4bb22994ce2606aa785577c2b4
Download: download sample
Signature NetWire
Create hunting rule
File size:18'874'368 bytes
First seen:2020-11-11 11:12:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 393216:0mc8QZa8QKA4TIFgUQI6QOHsFVUQmtIMdI7xDw7Uhr15:0OQs8QKjTIiqvUttbStDwQr15
Threatray 39 similar samples on MalwareBazaar
TLSH 65173320FCD28831C6600471BA5DA59AFF38FD751AAC48C7ABDC038D19725E195BA7E3
Reporter seifreed
Tags:NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Windows subdirectories
Forced system process termination
Deleting a recently created file
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfae4bc772025d9c3b68f74230a937a1bf062c4bb22994ce2606aa785577c2b4/
Threat name:
ByteCode-MSIL.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2020-11-11 11:14:21 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x6xexr3sajozyo3i65bdbkjxug7qmlclwiuzjtrga2vhqvlxyk2a._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
01f936785968394ba82a93a816c897d77879a247b12621b42e12b2a7592a4f6d
NetWire
076dfc0a55afc36cdfd6dff84cfd0feae23029843e745b7f122980b341f7b710
NetWire
07d34ae6bb632f04345eb39f5b4221f9a7e37145c55350222fcf191778a28d5e
NetWire
238c224cf8d0b76532ae16f8a8d2682436a176909f382b8747e418f42ccaedeb
NetWire
28d1ce2d141fcfc52b6b8a81f5424920ba2818a14e8ac201446697ff977082de
NetWire
47470dc6911824b1a903197f0d06acedeba47415ebf3d212dd6514a14eec0ded
NetWire
76299e863b71caed1b9950d904d1b52a8174b9077c9d4bc896276881caa46fad
NetWire
8f60548d2cde9e0681d8609aef71f51c820073a2a70e75bfa0fa56e3890d94e0
NetWire
bc9204be92ac0bd373bc0153d02be668ad82d382ebcc112fa8c252e6f9c67080
NetWire
e6db6d5f9019bdefffc749264a267c1927dcf5eba5a7ea3dfb10db457b6b2a16
NetWire
+ 29 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet evasion persistence rat stealer trojan
Link:
https://tria.ge/reports/201111-gt8vh1aeha/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
NSIS installer
Modifies service
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Modifies security service
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
bfae4bc772025d9c3b68f74230a937a1bf062c4bb22994ce2606aa785577c2b4
MD5 hash:
075da9731dfb7e9bba1c36b3f023e42a
SHA1 hash:
6dec342aa4d0e5196fc53571b6974065bb69151b
Link:
https://www.unpac.me/results/a8fddf9b-13d1-416d-9dbc-16af91c72092/
SH256 hash:
ffddefc402051b1e42ce1ecef8244264f94162070bdbd15acbe49a88178cf1e6
MD5 hash:
2db3d5c992b0f1992e119099233de1bc
SHA1 hash:
981c899426d323815947d74db2cde4951b715407
Link:
https://www.unpac.me/results/a8fddf9b-13d1-416d-9dbc-16af91c72092/
SH256 hash:
bbd1f754730d6b8b5b590b47f0fdc6635c341581b36f605cfed21237aa72c170
MD5 hash:
6dea6ec0e5abc4f39a8183d26865db0c
SHA1 hash:
a050068c396b2f2b3fee79ad8b4558f57505b58e
Link:
https://www.unpac.me/results/a8fddf9b-13d1-416d-9dbc-16af91c72092/
SH256 hash:
ffa9ca6fabcb1d9dcd2961949223bf179c85f697f7146ebc58b9b88596e9d896
MD5 hash:
07905522647a16815aad1b6de89f88e5
SHA1 hash:
6c06fc48bdfc5a7c70cb8342b738afbc574b329e
Link:
https://www.unpac.me/results/a8fddf9b-13d1-416d-9dbc-16af91c72092/
SH256 hash:
d5f893fea3cdc98314c6528619b12d6b1e1830b74f0704f35b052cf3c38c8686
MD5 hash:
bbe71e3878d61da08998af88a5f53eff
SHA1 hash:
afa529cd240a027b9da345f630268586c28f2bc4
Link:
https://www.unpac.me/results/a8fddf9b-13d1-416d-9dbc-16af91c72092/
SH256 hash:
c6dbc2c4a260a739da534fda74a083e6ee18132913392ac7a09a0434db707b69
MD5 hash:
ffa8561c93051072ecd13139f3098885
SHA1 hash:
cb22c112a389001a939c327a6f48102d91f93733
Link:
https://www.unpac.me/results/a8fddf9b-13d1-416d-9dbc-16af91c72092/
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/a8fddf9b-13d1-416d-9dbc-16af91c72092/
SH256 hash:
5886dbc91ebc7a1e9d6b72794eb0bed7403d060a322aec65a9269f52deb4ff46
MD5 hash:
773658b99d7e72b3b75b404c4afc1dec
SHA1 hash:
3938e9d73cdedf65c4a2ee321d6b6a35f62ddb3a
Link:
https://www.unpac.me/results/a8fddf9b-13d1-416d-9dbc-16af91c72092/
SH256 hash:
542282ed737d2cb55e3cb59d05e58e8dbf6473d63461194a9ba597f0f3eb5d75
MD5 hash:
0ab09caf48c9dcbcbd53aef80493abd2
SHA1 hash:
fd985c8ed98d443fde035be26592b92662b9c5ea
Link:
https://www.unpac.me/results/a8fddf9b-13d1-416d-9dbc-16af91c72092/
SH256 hash:
02869b76936e3c3102bb36e34b41bc989770bf81dca09f31c561bb6be52285ee
MD5 hash:
70d4c5f9acc5ddf934b73fa311ade7d8
SHA1 hash:
6962e84782b0e1fe798cdce1d7447211228ca85b
Link:
https://www.unpac.me/results/a8fddf9b-13d1-416d-9dbc-16af91c72092/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments