MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb9713e99535b6589f62d352c0a22488ae19d4b02df7f33e3fc052e9c8414481. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb9713e99535b6589f62d352c0a22488ae19d4b02df7f33e3fc052e9c8414481
SHA3-384 hash: 8161aab4dc5218336edf792ee6823313f0082cae5b1d023a4223b0f880cafd1d4584e4af3b4f3922847bd2e722bbffa2
SHA1 hash: 41fbeffbc5853d803a64b3a00b2b95fce72d0bbc
MD5 hash: 8768f782c4b33518acab30685d3106dc
humanhash: uranus-potato-shade-arizona
File name:OrderNo-202000125.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:856'336 bytes
First seen:2021-01-18 18:12:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7dc63884fd11920a617a7dccbce258fe (3 x RemcosRAT, 1 x NetWire)
ssdeep 12288:Ps3/7rrM09fj4J5ybH/dGesLNDH+rFaqFV681o:PsnreJ5alkVS8So
Threatray 561 similar samples on MalwareBazaar
TLSH 32056C22E5994773C1221ABD5C27E6696834BF4C7928540F37E43D088F762B2392DE6F
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: albarka.com.pk
Sending IP: 37.46.150.215
From: Farhan Bashir <farhan.bashir@albarka.com.pk>
Subject: Order No.202000125
Attachment: OrderNo-202000125.cab (contains "OrderNo-202000125.exe")

NetWire RAT C2:
193.239.147.44:8760

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OrderNo-202000125.exe
Verdict:
Malicious activity
Analysis date:
2021-01-18 18:17:50 UTC
Tags:
rat netwire trojan
Link:
https://app.any.run/tasks/22da3338-edb6-4e5a-9843-a92c58ec9027

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112631/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Searching for the window
DNS request
Sending a custom TCP request
Deleting a recently created file
Launching a process
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584079
Signature
Allocates memory in foreign processes
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb9713e99535b6589f62d352c0a22488ae19d4b02df7f33e3fc052e9c8414481/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2021-01-18 13:06:08 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zolrh2mvgw3frh3c2njmbirercxbtvfqfx37gpr7ybjotscbisaq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
151f57078e89aa2f81fcb307bf88fe23e9f2437a4df1e37def5d0b78797e12f8
NetWire
5f8cd119c7cc31eef0e66451fb05d5179c60850b2330ebcb76066dd289172a17
NetWire
6bcd9c589b51cbd1011942b2bdaeaab62748c7380a17336b35bf589c880553b8
NetWire
7b9a1aa88be62eb638af26146fce0a1b71aec646d2495fb350dd6d56997e7582
NetWire
934609a4e6bbf6eda68c1a09fbd0d5e331229f974148c21aa99add9f94171ec1
NetWire
abd18b2d7cfc702e56442f2549808b301f2e0fc214cdf2230d5fbefc9620fd42
NetWire
df2688f6f88ea0e66b46d856e514adf25f8456cb4e45c849233799e17b1171e3
NetWire
dfc8f0a7456a2b40908d901c2468d372bd859abda04e50ef4cf45ec84668cdcb
NetWire
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
NetWire
f53faac8d340d58a2e4916652372ccc1ec9be6a34da5332ee31072ed9c75c37a
NetWire
+ 551 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/210118-xe5lt3trcn/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Script User-Agent
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
cb9713e99535b6589f62d352c0a22488ae19d4b02df7f33e3fc052e9c8414481
MD5 hash:
8768f782c4b33518acab30685d3106dc
SHA1 hash:
41fbeffbc5853d803a64b3a00b2b95fce72d0bbc
Link:
https://www.unpac.me/results/0d006d62-a08d-4db6-bedf-9ece491c171b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb9713e99535b6589f62d352c0a22488ae19d4b02df7f33e3fc052e9c8414481

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

cab f1bd62c1c1ffac9649f072ceeaedcd9df805b50be71745020bf69e22bfaddf91

NetWire

Executable exe cb9713e99535b6589f62d352c0a22488ae19d4b02df7f33e3fc052e9c8414481

(this sample)

  
Dropped by
MD5 c9abc12b2e250c3b024eb1d49dec2e7e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112631/
  
Dropped by
SHA256 f1bd62c1c1ffac9649f072ceeaedcd9df805b50be71745020bf69e22bfaddf91

Comments