MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6e42b6b5328ea35302559a7cb8b3849e3b9a646648a9be0a505ae8c2aa5490c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6e42b6b5328ea35302559a7cb8b3849e3b9a646648a9be0a505ae8c2aa5490c
SHA3-384 hash: ad68b045fc74f8e93a3bd337993b06b857c6f4f85be442124a576e69134a0d5888998d606a656cb5479affc193bb6b44
SHA1 hash: cf69d346d7d95e1387d64c4025af617272d4dc38
MD5 hash: 07c71b43ca45df4d5fb8b4a8cb90a3c1
humanhash: single-ten-dakota-fix
File name:FedEx TRACKING DETAILS.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:281'600 bytes
First seen:2021-01-08 17:25:11 UTC
Last seen:2021-01-08 18:39:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9e557fdc16569ce4b99f222b14421cdf (1 x NetWire, 1 x Formbook, 1 x Loki)
ssdeep 6144:FmJEZ+2dhK1ZnmbA9u+K01cAeGC49BHSCECCBUTy+ATxFVkzKQpiDU:FmJT2dcmk9u+KUFXXXKr+AdFuzKQUDU
Threatray 358 similar samples on MalwareBazaar
TLSH 2854D021B791E47AE08240FD781CDBA684193931A9B4C017B7C46F4F78B22EADD19F1B
Reporter abuse_ch
Tags:exe FedEx NetWire RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: server.vertyuoop.ml
Sending IP: 188.225.77.16
From: FeDEx OFFICE <fedex@vertyuoop.ml>
Subject: FedEx ONLINE SHIPPING PARCEL ARRIVAL NOTIFICATION DATED 8TH JAN 2021
Attachment: FedEx TRACKING DETAILS.PDF.z (contains "FedEx TRACKING DETAILS.exe")

NetWire RAT C2:
185.150.24.55:5594

Intelligence

File Origin
# of uploads :
2
# of downloads :
435
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FedEx TRACKING DETAILS.exe
Verdict:
Malicious activity
Analysis date:
2021-01-08 12:17:23 UTC
Tags:
trojan netwire rat
Link:
https://app.any.run/tasks/9740369b-01a5-4e38-817d-29a352f778f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Netwire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111057/
Detection(s):
SecuriteInfo.com.BackDoor.Wirenet.557.26052.21206.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Unauthorized injection to a recently created process
DNS request
Creating a window
Launching a process
Enabling autorun by creating a file
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/576964
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 337535 Sample: FedEx TRACKING DETAILS.exe Startdate: 08/01/2021 Architecture: WINDOWS Score: 100 29 ceo2021.duckdns.org 2->29 35 Antivirus detection for dropped file 2->35 37 Antivirus / Scanner detection for submitted sample 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 8 other signatures 2->41 8 FedEx TRACKING DETAILS.exe 3 2->8         started        signatures3 process4 file5 25 C:\Users\user\AppData\Local\...\bluerites.exe, PE32 8->25 dropped 27 C:\...\fd8e6f66c0d24ce7a8a81a9d06ef14b2.xml, XML 8->27 dropped 11 FedEx TRACKING DETAILS.exe 1 8->11         started        14 cmd.exe 1 8->14         started        16 FedEx TRACKING DETAILS.exe 8->16         started        process6 signatures7 43 Maps a DLL or memory area into another process 11->43 18 FedEx TRACKING DETAILS.exe 2 11->18         started        21 conhost.exe 14->21         started        23 schtasks.exe 1 14->23         started        process8 dnsIp9 31 ceo2021.duckdns.org 185.150.24.55, 49723, 49724, 49725 SKYLINKNL Netherlands 18->31 33 192.168.2.1 unknown unknown 18->33
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6e42b6b5328ea35302559a7cb8b3849e3b9a646648a9be0a505ae8c2aa5490c/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-01-08 10:37:08 UTC
AV detection:
28 of 46 (60.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y3scw22tfdvdkmbflgt4xczyjhr3tjsgmsfjxyffawxiykvfjega._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
2388b2c1717d5f5741c2730b205a04d627d2cb6a1d4f781fb2f5fae3fa508e76
NetWire
2c1cef7d208ce8f0094415d06cc61fa37dd9c9308cfcd9fde0f7a32703220e90
NetWire
3434bb383c8dd721266f60e07820474205d70c5da9ebb465109ace7894567437
NetWire
b50a0ea3d467e25e9c1917668e10f70e67434e468fcecbb1d3a927a3f105dbfa
NetWire
d98e919482d344212e9e79e1154ee7015bba50d90107fe122a59cae38484eb84
NetWire
e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd
NetWire
f52c73e9a148074ad2d20b27874e0c183a461f0e21ed09874ef706e464757e2e
NetWire
f5d88ee96cd5fbdda828c9ec267600fb6308a11318f8290d6d15d34f64070f05
NetWire
fefea87ebfbd43c789033d46905fd2a11b8ea9d4c6b57691f23a89e8f8687992
NetWire
ffd24bd48e21a03c0b7fc884a12bd22e88e8d56735d810fccb64e6e6ca27768d
NetWire
+ 348 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210108-9jbrwg978a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
c6e42b6b5328ea35302559a7cb8b3849e3b9a646648a9be0a505ae8c2aa5490c
MD5 hash:
07c71b43ca45df4d5fb8b4a8cb90a3c1
SHA1 hash:
cf69d346d7d95e1387d64c4025af617272d4dc38
Link:
https://www.unpac.me/results/ed6e2ad3-9d33-436c-b93f-7dd17ec1322a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6e42b6b5328ea35302559a7cb8b3849e3b9a646648a9be0a505ae8c2aa5490c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

z 8aa86bb68707e12295acbc8e53da782ed59c9bb89bb9d6c2e287d00da01e47ee

NetWire

Executable exe c6e42b6b5328ea35302559a7cb8b3849e3b9a646648a9be0a505ae8c2aa5490c

(this sample)

  
Dropped by
MD5 56849263e0c3c8949799e7d2daaf6a48
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8aa86bb68707e12295acbc8e53da782ed59c9bb89bb9d6c2e287d00da01e47ee
Cape
Cape
https://www.capesandbox.com/analysis/111057/

Comments