MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8dd40f09de4d85fa155fab0b763b1cba2d8381617eee03932d0edd221c33fef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8dd40f09de4d85fa155fab0b763b1cba2d8381617eee03932d0edd221c33fef
SHA3-384 hash: 4cce00f16ed6be2aadd0d248135df99b9825aa3174594b29725f28ac8d6a18e47bf24617c9cb4ca52d356547e1da1598
SHA1 hash: 2d10ce9d6635ba0bc7787bc25e83f91e6c138a38
MD5 hash: b09c19f4d896b873476bce03ff91207f
humanhash: hawaii-bacon-lactose-violet
File name:Proof Of Payment.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'468'928 bytes
First seen:2021-01-19 07:36:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 24576:D3CQMzoPch3KaivCfozUQ193mbF5kP6i6HJ:Du9NKzKwzN93Gli6H
Threatray 344 similar samples on MalwareBazaar
TLSH C665D6AC722071EFC857D4B2CA981DA8AA547C7B431B4503E46736ADDA3C997CF244F2
Reporter abuse_ch
Tags:exe geo NetWire nVpn RAT ZAF


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: mail.getemails.website
Sending IP: 5.189.220.185
From: Nedbank <Notification@nedbank.co.za>
Reply-To: No-reply@nedbank.co.za
Subject: Proof Of Payment
Attachment: Proof Of Payment.img (contains "Proof Of Payment.exe")

NetWire RAT C2:
194.5.97.99:3382

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proof Of Payment.exe
Verdict:
Malicious activity
Analysis date:
2021-01-19 08:23:09 UTC
Tags:
rat netwire trojan
Link:
https://app.any.run/tasks/2a2d4f94-123e-443c-a873-97fca787fa96

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112805/
Detection(s):
Win.Packed.Genkryptik-9822492-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Sending a custom TCP request
Enabling autorun by creating a file
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584662
Signature
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: NetWire
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c8dd40f09de4d85fa155fab0b763b1cba2d8381617eee03932d0edd221c33fef/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 07:37:18 UTC
AV detection:
17 of 44 (38.64%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zdoub4e54tmf7ikv7kyloy5rzornqoawc7xoaojs2dw5eiodh7xq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
060ef35b985d05b93d0e647a68cdbb83d651a8b5fb36b234c94f3181d2d30aa3
NetWire
1ac8944d42d3a594940bbd74613193bc47430b6c6c958caf9a5b4521bd9efb91
NetWire
1c646687e4988d451dedfe0d30dc1b6d42bc757dd69f3c638e972169d0278d2a
NetWire
249e738650027df7635aa70373e2e2f936eb58e1a208fdc8df9ee2f66e4cb9e3
NetWire
482a6a0bf95d313de664dec7523d7487995d5f26e1a30b8bc62c0a5e1431fbd7
NetWire
4d88027eea794c98e219904f2815eedca85a415a81bc1fb87268cabd5a098c51
NetWire
7511c244b32ec5bc59ff7173ee5aa83a764ea6607522b79cc99c5537907e50e7
NetWire
9119946bcfe8c01ea4bfe6ab3222c17146a04b7321b8094f2de58a7f9a5e1840
NetWire
ccd667e3a1a0577ed841968990cb37790e1e6f0fb4ceb1a2f947ef391d68dd4d
NetWire
eff2bda9797c042cbae44c8aed29b31b853733c0676a687dc62676752197c05d
NetWire
+ 334 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210119-23avatdwdj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
c547928e7cb3c6a64dcf8a8304cd5a8f2b8f228c2f2659beaf213d5912b7d32e
MD5 hash:
b14f81bd78e45ae3cc51e508c1ca95cd
SHA1 hash:
f03e3d3b8db24213f0e844678c42c0d0c3283615
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/906b65f7-3fb7-4478-9a2a-18ac292bce78/
SH256 hash:
64a419709ad219ffc006bda776b650da486d55048d2fa34525f40227da0e5c86
MD5 hash:
88c0ec8398978fa2e4240f02765086ad
SHA1 hash:
5a5c4935b2d70e890c89ad9332365f4f4aa86f3c
Link:
https://www.unpac.me/results/906b65f7-3fb7-4478-9a2a-18ac292bce78/
SH256 hash:
5cd81aab5b5ade9659585b491884457b69930ed2fb09d3f3d08942c8f68c3a36
MD5 hash:
5a68b586f2cd51e94bf0c8fb87400c50
SHA1 hash:
4fcbd7d707b3e8af781fa3afbd7044adfa75b21b
Link:
https://www.unpac.me/results/906b65f7-3fb7-4478-9a2a-18ac292bce78/
SH256 hash:
c8dd40f09de4d85fa155fab0b763b1cba2d8381617eee03932d0edd221c33fef
MD5 hash:
b09c19f4d896b873476bce03ff91207f
SHA1 hash:
2d10ce9d6635ba0bc7787bc25e83f91e6c138a38
Link:
https://www.unpac.me/results/906b65f7-3fb7-4478-9a2a-18ac292bce78/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
netwire
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c8dd40f09de4d85fa155fab0b763b1cba2d8381617eee03932d0edd221c33fef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

img e9b175b0235f0f3afeab71d30588de2ce6f8efb1a96711e6c113750519b0ccdb

NetWire

Executable exe c8dd40f09de4d85fa155fab0b763b1cba2d8381617eee03932d0edd221c33fef

(this sample)

  
Dropped by
MD5 06d43291a25d9edf2372dd2326fa935f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112805/
  
Dropped by
SHA256 e9b175b0235f0f3afeab71d30588de2ce6f8efb1a96711e6c113750519b0ccdb

Comments