MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9b8ec8ccbe3b0ab195d0c472e3f8d6b6a00dc66eb8ab0bff71eb44ad4abd39d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9b8ec8ccbe3b0ab195d0c472e3f8d6b6a00dc66eb8ab0bff71eb44ad4abd39d
SHA3-384 hash: a3a4be27eae8b34055369a1fb6f6b1aa81e21e9ab86539f1e294b709b6d8455450fbd2406bff1c5ec7f7c98e5d7a5a79
SHA1 hash: d954fbb609b07cca612438e2e808b523aeb75cc8
MD5 hash: 685c4a8465d76048c6aa5118b56f5951
humanhash: carpet-wisconsin-sad-chicken
File name:685c4a8465d76048c6aa5118b56f5951.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:320'544 bytes
First seen:2021-04-12 12:36:01 UTC
Last seen:2021-04-12 13:45:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e13866414f4ebd95471c7c78ee916de (3 x Amadey, 2 x NetWire)
ssdeep 3072:1HnjG68ArDryinkLel3EpvAtzVt3YyESmDWViKVOD7VVbD043XJO56op7V+DSDDQ:1HjG6vTkIiAft3YyESmDKe7VVbgg5mcn
Threatray 1'224 similar samples on MalwareBazaar
TLSH 90649D1E62E470A3D0762F70D571B7E04339B8645EC665CE9F802A3D2DB17C5E8B2AC6
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
188.127.230.199:888

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
188.127.230.199:888 https://threatfox.abuse.ch/ioc/7794/

Intelligence

File Origin
# of uploads :
2
# of downloads :
379
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
685c4a8465d76048c6aa5118b56f5951.exe
Verdict:
Malicious activity
Analysis date:
2021-04-12 12:41:52 UTC
Tags:
trojan netwire rat
Link:
https://app.any.run/tasks/6e61506a-35ff-489c-a482-b95be95b023d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133756/
Detection(s):
SecuriteInfo.com.Variant.Graftor.938687.19613.27637.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/673006
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides threads from debuggers
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Potential malicious icon found
Sigma detected: NetWire
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 385447 Sample: Thq0FVrAAZ.exe Startdate: 12/04/2021 Architecture: WINDOWS Score: 100 47 Potential malicious icon found 2->47 49 Found malware configuration 2->49 51 Yara detected NetWire RAT 2->51 53 2 other signatures 2->53 8 Thq0FVrAAZ.exe 2->8         started        11 broker.exe 2->11         started        13 broker.exe 2->13         started        process3 signatures4 55 Detected unpacking (changes PE section rights) 8->55 57 Detected unpacking (overwrites its own PE header) 8->57 59 Contains functionality to log keystrokes 8->59 63 2 other signatures 8->63 15 Thq0FVrAAZ.exe 2 8->15         started        61 Maps a DLL or memory area into another process 11->61 19 broker.exe 11->19         started        22 broker.exe 13->22         started        process5 dnsIp6 31 C:\Users\user\AppData\Local\broker.exe, PE32 15->31 dropped 45 Hides threads from debuggers 15->45 24 broker.exe 15->24         started        33 cdn12-web-security.com 19->33 35 75weweht564g.hopto.org 19->35 37 cdn12-web-security.com 22->37 39 75weweht564g.hopto.org 22->39 file7 signatures8 process9 signatures10 65 Multi AV Scanner detection for dropped file 24->65 67 Detected unpacking (changes PE section rights) 24->67 69 Detected unpacking (overwrites its own PE header) 24->69 71 4 other signatures 24->71 27 broker.exe 3 24->27         started        process11 dnsIp12 41 cdn12-web-security.com 212.27.48.10, 28770, 33434, 49721 PROXADFR France 27->41 43 75weweht564g.hopto.org 188.127.230.199, 49724, 49735, 49739 DHUBRU Russian Federation 27->43 73 Hides threads from debuggers 27->73 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9b8ec8ccbe3b0ab195d0c472e3f8d6b6a00dc66eb8ab0bff71eb44ad4abd39d/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 12:36:08 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zg4ozdgl4oykwgk5brds4p4nnnvabxdg5oflbp7xd22evvfl2ooq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
3b8dd3bc950e31064f5fe058ed3e8c25f082bef1f42e1426760cc6f8fef14821
NetWire
3cbf0aeafec688023948cad7bf7475270ba9cb1acb0078cf1a9d6288f2751a20
NetWire
59dfc2ac190104ed3eff9c2c77f80e9e6ca18f84e7c4845ac713a30a8668280e
NetWire
5dfa632fd080886a0b7a3c236e15081a41929e3d617f0aeb02c06d1c5d583b67
NetWire
71f9ec40a29963c0e4948e565b2832dbe8b879143b74b432c2087b700a982dae
NetWire
7c0d31bca17487efc3f743bb9cb5cf56b5f2fae638cf3681fdc692a5809c94be
NetWire
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
NetWire
8fa3eaa46c7d8d1f44a2eeca895f802f2aa7a2251bab347ccb765c72d63ccb58
NetWire
a40c51565228f1fef2028b90fd49051372828871d8eeb5df19e5d8049c977ed2
NetWire
eaa2ffea97ff065ac6270e67d8d96664360ea8cde77b78a4cc19949a63ed3563
NetWire
+ 1'214 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/210412-wpr3jfcrg6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
ccd4da4c4bf80ee423855bf9368c4f6b1e0edc538af439d170a62f0740ae7db4
MD5 hash:
83adc903675978b8be90179238da0a5a
SHA1 hash:
eb8e2421c519ff253bb9a6748abe6c6754b6fad1
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/5ffea264-ffa6-4ef5-b196-4e5b825ee22d/
SH256 hash:
c9b8ec8ccbe3b0ab195d0c472e3f8d6b6a00dc66eb8ab0bff71eb44ad4abd39d
MD5 hash:
685c4a8465d76048c6aa5118b56f5951
SHA1 hash:
d954fbb609b07cca612438e2e808b523aeb75cc8
Link:
https://www.unpac.me/results/5ffea264-ffa6-4ef5-b196-4e5b825ee22d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/c9b8ec8ccbe3b0ab195d0c472e3f8d6b6a00dc66eb8ab0bff71eb44ad4abd39d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe c9b8ec8ccbe3b0ab195d0c472e3f8d6b6a00dc66eb8ab0bff71eb44ad4abd39d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1057558/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133756/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-14 14:41:19 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.035] Anti-Behavioral Analysis::Process Environment Block BeingDebugged
1) [B0001.036] Anti-Behavioral Analysis::Process Environment Block NtGlobalFlag
2) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
3) [C0024] Data Micro-objective::Compress Data
4) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0052] File System Micro-objective::Writes File
7) [C0007] Memory Micro-objective::Allocate Memory
8) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
9) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry