MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c92d02053bbc026efd20c516d24e0ee8b43bc4106345eef365b212b320746b99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c92d02053bbc026efd20c516d24e0ee8b43bc4106345eef365b212b320746b99
SHA3-384 hash: 5e04b93c30a56737daff6bc1aa94e133b0a7e6ad1026b1b0387b3ab03aee1963f41e09b9de492a7566e5bcbb72f40e21
SHA1 hash: 1b9866e8f2f0e1e4a0bd13b95422b108a78fcfdd
MD5 hash: 9f192ca455657c3efc20d7f4d690a513
humanhash: arizona-lactose-hydrogen-spaghetti
File name:Shipping documents.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:632'304 bytes
First seen:2021-03-30 12:19:24 UTC
Last seen:2021-03-30 13:10:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1348df303efcafad50a6f5b8c3aa3e4b (3 x Loki, 3 x RemcosRAT, 1 x NetWire)
ssdeep 12288:bsO+MZAkQfZuFvTdtchSOgA9PBbe5pg+s9GgVe7Y:QRMdQfZuVTdafDZ0ODf
Threatray 456 similar samples on MalwareBazaar
TLSH 3CD48E72B2804477C1631A755C1BB7B9AE26FE613E68A88717FC2E0C4F396507E39193
Reporter abuse_ch
Tags:exe NetWire


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: rpop02.hosting-srv.net
Sending IP: 210.152.143.212
From: Light-point a/s <info@light-point.com>
Reply-To: info@light-point.com
Subject: BOOKING FOR AIR SHIPMENT/booking ship for 20ft container /27cbm.
Attachment: Shipping documents.rar (contains "Shipping documents.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
402
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipping documents.exe
Verdict:
Malicious activity
Analysis date:
2021-03-30 12:24:31 UTC
Tags:
installer rat netwire trojan
Link:
https://app.any.run/tasks/62512761-baa4-408e-add1-4258d803e7f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127995/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/658379
Signature
Contains functionality to steal Chrome passwords or cookies
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: NetWire
Sigma detected: Suspicious Program Location Process Starts
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c92d02053bbc026efd20c516d24e0ee8b43bc4106345eef365b212b320746b99/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2021-03-30 12:20:11 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zewqebj3xqbg57jayulnetqo5c2dxraqmnc6543fwijlgidunomq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
249e738650027df7635aa70373e2e2f936eb58e1a208fdc8df9ee2f66e4cb9e3
NetWire
2928d0d53b459f6b822fd781360a743b3548f31c31c012ba8a25b42235aff154
NetWire
482a6a0bf95d313de664dec7523d7487995d5f26e1a30b8bc62c0a5e1431fbd7
NetWire
4d88027eea794c98e219904f2815eedca85a415a81bc1fb87268cabd5a098c51
NetWire
5105c1a352e0f0e2a54b08132d9d1e383f6505a7aa42b8aea411c85551c37175
NetWire
7511c244b32ec5bc59ff7173ee5aa83a764ea6607522b79cc99c5537907e50e7
NetWire
92c0d7be74bd55ea431d9f144b0938834c74764e87c39e8bcd640e05458c4adf
NetWire
cf3b59c22659d7931cf9d0338d57af01d63fbb8363ebc4c86be884194ef62e40
NetWire
dc4475e7d864b18f90b1a3b812d6f1e98d46fbb24771405c1b15c9c1cba8a10f
NetWire
eff2bda9797c042cbae44c8aed29b31b853733c0676a687dc62676752197c05d
NetWire
+ 446 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/210330-1jhmssgxqs/
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
c92d02053bbc026efd20c516d24e0ee8b43bc4106345eef365b212b320746b99
MD5 hash:
9f192ca455657c3efc20d7f4d690a513
SHA1 hash:
1b9866e8f2f0e1e4a0bd13b95422b108a78fcfdd
Link:
https://www.unpac.me/results/091bacb2-45fa-439f-bebe-292edce97b03/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c92d02053bbc026efd20c516d24e0ee8b43bc4106345eef365b212b320746b99

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar a75f5e21973b4548eff63522b630ebe4179a75b9a678504941899a33d8e704d0

NetWire

Executable exe c92d02053bbc026efd20c516d24e0ee8b43bc4106345eef365b212b320746b99

(this sample)

  
Dropped by
MD5 ebf9fe51c733806e6c5f386241a85101
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/127995/
  
Dropped by
SHA256 a75f5e21973b4548eff63522b630ebe4179a75b9a678504941899a33d8e704d0

Comments