MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c31467e8064155268806cbf3361acfa3667eb9bee6dabca19f7ed58c373c586a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 4 File information Comments

SHA256 hash:	c31467e8064155268806cbf3361acfa3667eb9bee6dabca19f7ed58c373c586a
SHA3-384 hash:	139d47193664415979e022a769836739978c598668e4d4c49ef0224b62be108016c349f0b40b55d1b7d93ce56fdce59a
SHA1 hash:	a2f5d438cda387db0f54b6d59614994802673666
MD5 hash:	7ff698ca826e0f2ebf03a8d81c0d31a0
humanhash:	juliet-winner-emma-maine
File name:	Document.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	1'133'568 bytes
First seen:	2021-09-22 00:55:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bc8cc1eea5c25ce2056d7da92bd98134 (9 x RemcosRAT, 3 x NetWire, 1 x AveMariaRAT)
ssdeep	12288:lIspEfnP8N/seflQTshT8aqeTW39KqGeoAdrL7SUbDz5Zp:320N/seflZhTmiW3AerPzz5Z
Threatray	13 similar samples on MalwareBazaar
TLSH	T178354CE2B385ECF0EC203A3EDC8A7191262C7BF538035D4D8DE87A4E5964592F56D48B
File icon (PE):
dhash icon	8ccc0c37e3969a68 (8 x RemcosRAT, 2 x NetWire, 1 x BitRAT)
Reporter	abuse_ch
Tags:	exe NetWire RAT

abuse_ch

NetWire C2:
193.187.91.95:6655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.187.91.95:6655	https://threatfox.abuse.ch/ioc/224512/

Intelligence

File Origin

# of uploads :

# of downloads :

660

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Document.exe

Verdict:

Malicious activity

Analysis date:

2021-09-22 00:57:18 UTC

Tags:

installer trojan rat netwire

Link:

https://app.any.run/tasks/bf8701c0-8ded-47d5-a2c7-c56e6b0aab5e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NetWire

Link:

https://www.capesandbox.com/analysis/190018/

Detection(s):

SecuriteInfo.com.ArtemisB8815A518089.2641.23959.UNOFFICIAL

Malware family:

NetWire RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9e7816d5-4bef-4649-be5b-47f214c58c95

Result

Threat name:

DBatLoader NetWire

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/855275

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Internet Explorer form passwords

Creates a thread in another existing process (thread injection)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected DBatLoader

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c31467e8064155268806cbf3361acfa3667eb9bee6dabca19f7ed58c373c586a/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-09-22 00:56:07 UTC

AV detection:

14 of 45 (31.11%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ymkgp2agifksncagzpztmgwpunth5on643nlzim7p3kyynz4lbva._file

Verdict:

malicious

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet persistence rat stealer

Link:

https://tria.ge/reports/210922-bac7lsaha3/

Behaviour

Suspicious use of WriteProcessMemory

Adds Run key to start application

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

NETW22.DDNS.NET:6655
NETW11.DDNS.NET:6655
NETW33.DDNS.NET:6655
NETW44.DDNS.NET:6655
NETW55.DDNS.NET:6655
NETW66.DDNS.NET:6655
NETW77.DDNS.NET:6655
NETW88.DDNS.NET:6655

Unpacked files

SH256 hash:

8af0b1d0dd47bb390af4256646d4b07c56d811fc8d59ddd0caaae17e4fb8963c

MD5 hash:

bf6f925b0d88b4605d61d5a251e8ca6d

SHA1 hash:

c016fd257edfa231f52e43022fc6d403c5064485

Link:

https://www.unpac.me/results/1488f013-4ede-4fa6-8ec6-f144c9f43257/

SH256 hash:

c31467e8064155268806cbf3361acfa3667eb9bee6dabca19f7ed58c373c586a

MD5 hash:

7ff698ca826e0f2ebf03a8d81c0d31a0

SHA1 hash:

a2f5d438cda387db0f54b6d59614994802673666

Link:

https://www.unpac.me/results/1488f013-4ede-4fa6-8ec6-f144c9f43257/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.64

Link:

https://yomi.yoroi.company/submissions/c31467e8064155268806cbf3361acfa3667eb9bee6dabca19f7ed58c373c586a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	MALWARE_Win_NetWire Create hunting rule
Author:	ditekSHen
Description:	Detects NetWire RAT

Rule name:	win_netwire_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.netwire.

Rule name:	win_netwire_w0 Create hunting rule
Author:	Jean-Philippe Teissier / @Jipe_
Description:	NetWiredRC

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/190018/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample