MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbaa4d9ea4ecb2daeb67d06f2a7a168394ee602a9af19ac88b5e4fe44018f999. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbaa4d9ea4ecb2daeb67d06f2a7a168394ee602a9af19ac88b5e4fe44018f999
SHA3-384 hash: 70fed174a393357b477a730a455afea17ed5c7d0b43f34722ba5384fe77b1f3ab0dad175c0c19ff3cf4ecfb5fb4ca513
SHA1 hash: e5362e2f0a0cc94f29ee48ae583a34a3530767de
MD5 hash: 5c4ebff7354cbe3e81dca6588a93aa17
humanhash: montana-winner-arkansas-fish
File name:SecuriteInfo.com.Trojan.Win32.Injector.4a808221.25904.26381
Download: download sample
Signature NetWire
Create hunting rule
File size:990'720 bytes
First seen:2022-06-08 17:39:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c2e2698247bc76cf8ea24c335c2f1e5e (1 x RemcosRAT, 1 x BitRAT, 1 x NetWire)
ssdeep 12288:mUdrBgUSaYsGytw7zQKKV0FlnOcf/GkMTgIGuURWCXCEUaW+6LHckdQ:mceazGytwXmWPn/fekMsTW+udQ
Threatray 474 similar samples on MalwareBazaar
TLSH T15825AE22E1E11933D5662F399D0F7A15A9AABE913D34B8861BF83C4CDF343827539193
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13101/52/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8770d8d4d4d87087 (7 x RemcosRAT, 5 x Formbook, 1 x Loki)
Reporter SecuriteInfoCom
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
421
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.Win32.Injector.4a808221.25904.26381
Verdict:
Malicious activity
Analysis date:
2022-06-08 17:55:25 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/695460ad-714b-4686-a4ac-7f3050e37f35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277870/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Injector.4a808221.25904.26381.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Fareit-FDBIAE4488FF40E4.19282.30704.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe fareit keylogger packed replace.exe wacatac
Link:
https://www.filescan.io/uploads/62a0df361fdbb8e83148d4c0/reports/95ea9402-75e3-4610-a3bd-190c5abe54ec/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/98bc6389-7b6c-4745-8508-3f305ee7ac9c
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1009292
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 641785 Sample: SecuriteInfo.com.Trojan.Win... Startdate: 08/06/2022 Architecture: WINDOWS Score: 100 29 recoveryonpoint.duckdns.org 2->29 31 onedrive.live.com 2->31 33 2 other IPs or domains 2->33 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 4 other signatures 2->55 7 SecuriteInfo.com.Trojan.Win32.Injector.4a808221.25904.exe 1 17 2->7         started        12 Tvvxomlbpt.exe 2->12         started        14 Tvvxomlbpt.exe 2->14         started        signatures3 process4 dnsIp5 35 192.168.2.1 unknown unknown 7->35 37 onedrive.live.com 7->37 39 2 other IPs or domains 7->39 23 C:\Users\Public\Libraries\Tvvxomlbpt.exe, PE32 7->23 dropped 25 C:\Users\...\Tvvxomlbpt.exe:Zone.Identifier, ASCII 7->25 dropped 57 Writes to foreign memory regions 7->57 59 Creates a thread in another existing process (thread injection) 7->59 61 Injects a PE file into a foreign processes 7->61 16 DpiScaling.exe 2 2 7->16         started        63 Multi AV Scanner detection for dropped file 12->63 65 Machine Learning detection for dropped file 12->65 file6 signatures7 process8 dnsIp9 27 recoveryonpoint.duckdns.org 51.161.104.138, 49781, 49808, 49809 OVHFR Canada 16->27 21 C:\Users\user\AppData\Roaming\...\sqlite3.dll, PE32 16->21 dropped 41 Found evasive API chain (may stop execution after checking mutex) 16->41 43 Found stalling execution ending in API Sleep call 16->43 45 Contains functionality to steal Internet Explorer form passwords 16->45 47 Contains functionality to steal Chrome passwords or cookies 16->47 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbaa4d9ea4ecb2daeb67d06f2a7a168394ee602a9af19ac88b5e4fe44018f999/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2022-06-08 17:40:15 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zove3hve5sznv23h2bxsu6qwqoko4ybktlyzvsellzh6iqay7gmq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
09c5712ccf983f5013d3cd1157a15050b909b9f5f6318334e9f7da2174385015
NetWire
1e1598cc98aed52a46c1e28d2bf775232d01d6698eec3d3eadbc3a039167ed8b
NetWire
3a01de5d3ac9d4bc94221c451ab5fb25d154b032c7b7e8d20f5cbb380434beed
NetWire
869fa23919d381e4af0d8c04881d65ad842cb96020da5c1e16f65c48190d3eef
NetWire
a5140fceb2803eef7a1c8081c3428310baaa0dea404ef86e5d2d4a96b80fe538
NetWire
afd47bb332ef06bf7c4f7c4a4470cf5b6e2acb6c4db3b3e6f453ff0dfc4a63f7
NetWire
b9ae250f46ca4265b6b0ac9707b2684cc0c52d375734fa96826df03d1ca3f6f7
NetWire
f44a73e6b77e302b6b0f4c2a2f93860dd7d69a01219b2aa5d0a0fb3937ea5f70
NetWire
fa735b49ef95640d075e0fd7cc1c796a5d511a9daf87571b13243364a97daf18
NetWire
+ 464 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:netwire botnet persistence rat stealer trojan
Link:
https://tria.ge/reports/220608-v8vdbsdgg7/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
recoveryonpoint.duckdns.org:5005
Unpacked files
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/a4994872-0866-44c8-be9e-a4573e85c89c/
SH256 hash:
cbaa4d9ea4ecb2daeb67d06f2a7a168394ee602a9af19ac88b5e4fe44018f999
MD5 hash:
5c4ebff7354cbe3e81dca6588a93aa17
SHA1 hash:
e5362e2f0a0cc94f29ee48ae583a34a3530767de
Link:
https://www.unpac.me/results/a4994872-0866-44c8-be9e-a4573e85c89c/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cbaa4d9ea4ec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbaa4d9ea4ecb2daeb67d06f2a7a168394ee602a9af19ac88b5e4fe44018f999

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:MAL_unspecified_Jan18_1_RID2F4A
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/277870/

Comments