MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1ffaaa3fad1741534ca46e6eb19dbafebc46932eecccef600f69a615d8e57ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1ffaaa3fad1741534ca46e6eb19dbafebc46932eecccef600f69a615d8e57ea
SHA3-384 hash: 4927c8b889bb70b8e66f4655a566b8f5fb52c2d596423d814e07d989e32f7a038f6f011da47dbfb32e72014ba8b04ce5
SHA1 hash: 761ef1c41595b6bd29d96e793f24b43daf9ef0e6
MD5 hash: fb28d6d9db65cc77da00452e9c8064ba
humanhash: louisiana-table-jupiter-india
File name:okay.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:830'976 bytes
First seen:2020-08-29 08:35:13 UTC
Last seen:2020-08-29 09:35:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:6ZwiWrTebYhz/4WhnAIDPBZWVQzB6fx2CxwXL/P8VKc1RGb98t5snLS:6Z6rTJR/4opZWVQzUYP8VKc1RGbtnW
Threatray 245 similar samples on MalwareBazaar
TLSH 45057B16B638D047E45A0434D907C7FC7A12FCA24EA51D4336E23F2FB83A6A45526E9F
Reporter cocaman
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Netwire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/52847/
Detection(s):
SecuriteInfo.com.Fareit-FYYFB28D6D9DB65.30010.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a window
DNS request
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a file
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/454244
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Creates executable files without a name
Injects a PE file into a foreign processes
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 279495 Sample: okay.exe Startdate: 29/08/2020 Architecture: WINDOWS Score: 100 71 kline2255.linkpc.net 2->71 75 Antivirus detection for dropped file 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 Yara detected NetWire RAT 2->79 81 3 other signatures 2->81 8 okay.exe 11 2->8         started        12 notepad.exe 5 2->12         started        signatures3 process4 file5 59 C:\Users\user\AppData\Roaming\tmp.exe, PE32 8->59 dropped 61 C:\Users\user\AppData\...\notepad.exe.bat, ASCII 8->61 dropped 63 C:\Users\user\AppData\Local\...\okay.exe.log, ASCII 8->63 dropped 83 Creates executable files without a name 8->83 85 Injects a PE file into a foreign processes 8->85 14 tmp.exe 2 8->14         started        18 okay.exe 8->18         started        20 cmd.exe 3 8->20         started        29 3 other processes 8->29 65 C:\Users\user\AppData\Local\Temp\.exe, PE32 12->65 dropped 67 C:\Users\user\AppData\...\notepad.exe.lnk, MS 12->67 dropped 87 Multi AV Scanner detection for dropped file 12->87 89 Machine Learning detection for dropped file 12->89 91 Contains functionality to steal Chrome passwords or cookies 12->91 93 Injects files into Windows application 12->93 23 cmd.exe 12->23         started        25 cmd.exe 12->25         started        27 cmd.exe 12->27         started        31 2 other processes 12->31 signatures6 process7 dnsIp8 73 kline2255.linkpc.net 79.134.225.75, 2017, 49719, 49720 FINK-TELECOM-SERVICESCH Switzerland 14->73 95 Antivirus detection for dropped file 14->95 97 Contains functionality to log keystrokes 14->97 99 Machine Learning detection for dropped file 14->99 33 WerFault.exe 23 9 18->33         started        55 C:\Users\user\AppData\Roaming\...\notepad.exe, PE32 20->55 dropped 37 conhost.exe 20->37         started        57 C:\Users\user\...\notepad.exe:Zone.Identifier, ASCII 23->57 dropped 39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        45 conhost.exe 29->45         started        47 conhost.exe 29->47         started        49 conhost.exe 29->49         started        51 timeout.exe 1 29->51         started        file9 signatures10 process11 dnsIp12 69 192.168.2.1 unknown unknown 33->69 53 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 33->53 dropped file13
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c1ffaaa3fad1741534ca46e6eb19dbafebc46932eecccef600f69a615d8e57ea/
Threat name:
ByteCode-MSIL.Backdoor.NetWired
Create hunting rule
Status:
Malicious
First seen:
2020-08-29 08:37:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
277
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yh72vi722f2bkngki3towgo3v7v4i2js53gm55qa62ngcxmok7va._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1a4ea9c422e80abe0f0abd7cbc73e3070b0345d2e9ab5ff57840230240f10f47
NetWire
23fd501c884e2f46d38af81b0d6e423ea0bff8c5eee615227806faf7b2833827
NetWire
5336d0fb346782de19c1a549e7ced6ca5c73fbcf897ac78d645219ec2033bdb5
NetWire
54e95ef949e6f817b50144b1f8ae37a609d5ab3bc07567699a642a339566d555
NetWire
9de5e8e2d7733dfcf568e5b11a95d2468ef905e90169d7a4c93e1909a0372f04
NetWire
b156f7eea25bfef26649faaeec108d9956479396f3f684fc257e379f305ccbdc
NetWire
b5ee8f5810eb5518c8481f845d0bbbdb3e7e1709baeafc3ef7479affd314e91f
NetWire
cb54cd1dc1efb943d5308d6681f36ecaec957f0a70f9683f1da3e7e1188b9748
NetWire
ccd667e3a1a0577ed841968990cb37790e1e6f0fb4ceb1a2f947ef391d68dd4d
NetWire
f5041ea07d530c171a670d71769deb2185c8620462b4e26c59a923784f3bd17a
NetWire
+ 235 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
rat botnet stealer family:netwire
Link:
https://tria.ge/reports/200829-xnakkrtmcx/
Behaviour
Delays execution with timeout.exe
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1ffaaa3fad1741534ca46e6eb19dbafebc46932eecccef600f69a615d8e57ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_netwire_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/52847/
  
URLhaus
https://urlhaus.abuse.ch/url/446501/

Comments