MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6924bd1eede3eef4831175fe7a6144576b8378801d5c229e7a9b56e27f3a2e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6924bd1eede3eef4831175fe7a6144576b8378801d5c229e7a9b56e27f3a2e2
SHA3-384 hash: 0891e1fe14b732e015cd2eb9b4b04cde2e1b37915e029903e94f1da3c784419eef94231217efe751dc2d9ad5241138ac
SHA1 hash: f0bf3cddf3e0bda90b9e3f8e9d6d4d2ac1834694
MD5 hash: c10f46ff6caff363d5352d805cb9aeb6
humanhash: dakota-carolina-foxtrot-alabama
File name:مستند الدفع 71F5246.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:961'024 bytes
First seen:2020-10-18 17:14:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 30bcd8b78b734935c5e80cfbc7777835 (2 x NetWire, 2 x ModiLoader)
ssdeep 12288:Qx7VDvuMNzsF9H84exmnccguaBc+LfxKM0GVzYZo+Nw2AYJpQ:QxRoFa4ex7cg/3OwFG6
Threatray 594 similar samples on MalwareBazaar
TLSH 79158D36A3D24833D573163D9D1B67B8AD3ABE112A28B9463BF41C4C5F39641383A397
Reporter abuse_ch
Tags:exe NetWire


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gas0.billaccountant.com
Sending IP: 45.84.196.88
From: السيدة خضيره سليمان <officers@billaccountant.com>
Subject: رد: مستند الدفع 7184926
Attachment: مستند الدفع 71F5246.7z (contains "مستند الدفع 71F5246.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72682/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Fareit-FZO64E1AB7B5131.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494690
Signature
Allocates memory in foreign processes
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Sigma detected: NetWire
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299795 Sample: #U0645#U0633#U062a#U0646#U0... Startdate: 18/10/2020 Architecture: WINDOWS Score: 100 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected NetWire RAT 2->49 51 Sigma detected: NetWire 2->51 53 4 other signatures 2->53 8 #U0645#U0633#U062a#U0646#U062f #U0627#U0644#U062f#U0641#U0639 71F5246.exe 1 15 2->8         started        13 Crrhdrv.exe 13 2->13         started        15 Crrhdrv.exe 13 2->15         started        process3 dnsIp4 43 cdn.discordapp.com 162.159.135.233, 443, 49735, 49748 CLOUDFLARENETUS United States 8->43 39 C:\Users\user\AppData\Local\...\Crrhdrv.exe, PE32 8->39 dropped 55 Writes to foreign memory regions 8->55 57 Allocates memory in foreign processes 8->57 59 Creates a thread in another existing process (thread injection) 8->59 17 notepad.exe 4 8->17         started        20 ieinstal.exe 2 8->20         started        45 162.159.130.233, 443, 49745 CLOUDFLARENETUS United States 13->45 61 Multi AV Scanner detection for dropped file 13->61 63 Injects a PE file into a foreign processes 13->63 23 ieinstal.exe 13->23         started        file5 signatures6 process7 dnsIp8 37 C:\Users\Public37atso.bat, ASCII 17->37 dropped 25 cmd.exe 1 17->25         started        27 cmd.exe 1 17->27         started        41 79.134.225.100, 3434, 49751 FINK-TELECOM-SERVICESCH Switzerland 20->41 file9 process10 process11 29 conhost.exe 25->29         started        31 reg.exe 1 1 25->31         started        33 ieinstal.exe 27->33         started        35 conhost.exe 27->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6924bd1eede3eef4831175fe7a6144576b8378801d5c229e7a9b56e27f3a2e2/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-10-18 14:19:34 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y2jexupo3y7o6sbrc5p6pjquiv3lqn4iahk4ekphvg2w4j7tulra._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
01fcf0e844ec177aa8e07cbdc1cd0bd5bbd7ef38b8335b58a2eb383b83885f1c
NetWire
07e5cda497f958cd565e20bf94c41bb5b5efe39425be7a17bfcc7f9cd977655d
NetWire
42808813b67b34a144d03a26fb5a9cf6cd59e185e58d73750585654c09242e5b
NetWire
43f14fe4f9c4e617842b497b17c1e2884562466bb832d673d987760d1fc4b682
NetWire
74bfe12181435ac80211c35fb1aa7955965d252ea6db5d12576a21d2590f7596
NetWire
85c2475f5bb564338727b25d030019e2ec0f08a9892df26024e45339ef3c0792
NetWire
8e3dd0c0c4913e5eb7de42a42bea5c3ff396542ee47737ed9eeb3b5439e95c6b
NetWire
bb06b854327139dfb8b3ecacff60c3dc13dc485ee74eba0e71afe575299fc252
NetWire
cac8aa8905e94aea2c6de8ca8d3a15d3eccbcd66c03008c54fde952551fc5ca6
NetWire
e4769506e482cbdbaeae35eb657e75cfb941ab66253770896493666b023851a5
NetWire
+ 584 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader
Link:
https://tria.ge/reports/201018-3f95rx9ab2/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
190279d708f5b0bcdf40f09a1bb9e051176464503ebd1d601ed28a008aa2f0cf
MD5 hash:
a446c1f27bc5e8ac185555c565d278ad
SHA1 hash:
d9004e3292136fb51c6fc71066506857ecaa1ee5
Link:
https://www.unpac.me/results/102fddd6-8274-41f5-85c7-3647ab64c12f/
SH256 hash:
c6924bd1eede3eef4831175fe7a6144576b8378801d5c229e7a9b56e27f3a2e2
MD5 hash:
c10f46ff6caff363d5352d805cb9aeb6
SHA1 hash:
f0bf3cddf3e0bda90b9e3f8e9d6d4d2ac1834694
Link:
https://www.unpac.me/results/102fddd6-8274-41f5-85c7-3647ab64c12f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6924bd1eede3eef4831175fe7a6144576b8378801d5c229e7a9b56e27f3a2e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

zip aa9ce363e6ac2aac5368e24051de46a603234baf60c2aaef35c17361382ba09e

NetWire

Executable exe c6924bd1eede3eef4831175fe7a6144576b8378801d5c229e7a9b56e27f3a2e2

(this sample)

  
Dropped by
MD5 c52be5d1786b5b8b5faa9c8117a0f21a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72682/
  
Dropped by
SHA256 aa9ce363e6ac2aac5368e24051de46a603234baf60c2aaef35c17361382ba09e

Comments