MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cef2f777b4c29a5ced187382e3c0a0ee61d4c71471fc5d100b78a4e88f4324de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 10

SHA256 hash: cef2f777b4c29a5ced187382e3c0a0ee61d4c71471fc5d100b78a4e88f4324de
SHA3-384 hash: f04270b3eba770c6cc769d0f02ea8526b6fa65d81324e596b0bad6fea3de00750bf317051019f1d136fad46330b1b3ad
SHA1 hash: 5e3a464ce7ebaf297438e52dd6c9eaf374217eed
MD5 hash: 20e5be824638df2b4f86520d5a5a0cad
humanhash: aspen-jersey-oranges-arkansas
File name: FedEx Shipment.exe
Signature: NetWire
File size: 756'224 bytes
First seen: 2021-03-05 07:16:30 UTC
Last seen: 2021-03-05 08:50:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 12288:65g3ZRp9hYYNq6z/U+HZ5RzDiN7gv+UuQnTi+5vcmx+qywcnHG7Q/+hGZcS:+0ZRp9Rq6z/7XWN5UuQbvc7G8/+hGZ5
Threatray: 377 similar samples on MalwareBazaar
TLSH: ABF4F1C8B34036EEC929FE715B6E6DB067633CFADA123503501B762E8D7E2528921CD5
Reporter: abuse_ch
Tags: exe FedEx NetWire RAT


abuse_ch
Malspam distributing NetWire:

HELO: vps38947.servconfig.com
Sending IP: 144.208.66.19
From: FedEx <rvfwd@avalonjobs.net>
Subject: Your Parcel Delivery
Attachment: FedEx Shipment.img (contains "FedEx Shipment.exe")

NetWire RAT C2:
severdops.ddns.net:7390
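Checks a mail gateway could run for the malspam described in this report, as an added example (not abuse.ch's or MalwareBazaar's code). The message below is constructed from the reported HELO, sending IP, From, Subject and attachment name; the body text, recipient and timestamp are invented, and the brand list, the disk-image extension list and the rule names are assumptions.

```python
"""Mail-gateway triage against the malspam indicators reported above.

Added example, not abuse.ch code. The message is constructed from the reported
headers (body text, recipient and timestamp are invented); the brand list, the
disk-image extension list and the rule names are assumptions."""
import email
import ipaddress
import re
from email import policy

# Indicators taken from the report.
REPORTED_SENDING_IP = ipaddress.ip_address("144.208.66.19")
REPORTED_HELO = "vps38947.servconfig.com"

# Assumptions: brands this rule set watches, and auto-mounting image formats.
# In 2021 a file opened from a mounted .img/.iso carried no Mark-of-the-Web,
# so the inner .exe ran without the SmartScreen prompt a bare .exe attachment gets.
IMPERSONATED_BRANDS = ("fedex", "dhl", "ups")
DISK_IMAGE_EXTS = (".img", ".iso", ".vhd", ".vhdx")

# Constructed message reproducing the reported headers.
RAW_MESSAGE = b"""\
Received: from vps38947.servconfig.com (vps38947.servconfig.com [144.208.66.19])
\tby mx.example.invalid with ESMTP; Fri, 05 Mar 2021 07:12:01 +0000
From: FedEx <rvfwd@avalonjobs.net>
To: victim@example.invalid
Subject: Your Parcel Delivery
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find your shipment details attached.
--b1
Content-Type: application/octet-stream; name="FedEx Shipment.img"
Content-Disposition: attachment; filename="FedEx Shipment.img"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# "from <helo> (<rdns> [<ip>])" as most MTAs write the Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", re.S)


def triage(raw: bytes) -> dict:
    """Return {rule_name: evidence} for every rule that fires on one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}

    # 1. Outermost Received header: the HELO name and connecting IP seen by our MX.
    received = msg.get_all("Received") or []
    if received:
        m = RECEIVED_RE.search(str(received[0]))
        if m:
            helo, ip = m.group(1), ipaddress.ip_address(m.group(2))
            if ip == REPORTED_SENDING_IP or helo.lower() == REPORTED_HELO:
                findings["known_malspam_source"] = f"{helo} [{ip}]"

    # 2. Brand name in the display name, but the sending domain is unrelated.
    sender = msg["From"].addresses[0]
    for brand in IMPERSONATED_BRANDS:
        if brand in sender.display_name.lower() and brand not in sender.domain.lower():
            findings["brand_spoof"] = f"{sender.display_name} <{sender.addr_spec}>"

    # 3. Disk-image attachment, the container used to smuggle the .exe here.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(DISK_IMAGE_EXTS):
            findings["disk_image_attachment"] = name

    return findings


def verdict(findings: dict) -> str:
    """Quarantine on a known source, or on spoofing combined with a risky attachment."""
    if "known_malspam_source" in findings:
        return "quarantine"
    if "brand_spoof" in findings and "disk_image_attachment" in findings:
        return "quarantine"
    return "deliver" if not findings else "flag"


if __name__ == "__main__":
    found = triage(RAW_MESSAGE)
    print(found, verdict(found))
```

The sending-IP rule is the narrowest and ages fastest; the brand-spoof plus disk-image combination is what keeps catching the next wave of the same lure after the VPS is rotated.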

Intelligence


File Origin
# of uploads :
2
# of downloads :
399
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FedEx Shipment.exe
Verdict:
Malicious activity
Analysis date:
2021-03-04 17:42:14 UTC
Tags:
rat netwire trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
DNS request
Creating a window
Sending a custom TCP request
Sending a UDP request
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to steal Chrome passwords or cookies
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph (ID 363709; sample: FedEx Shipment.exe; start date: 05/03/2021; architecture: WINDOWS; score: 100):
Top-level signatures: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Detected unpacking (changes PE section rights); 3 other signatures
Process tree:
  FedEx Shipment.exe (started)
    dropped: C:\Users\user\AppData\Roaming\cwds\cwd.exe (PE32+)
    dropped: C:\Users\user\...\cwd.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\...\FedEx Shipment.exe.log (ASCII)
    signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes
    -> explorer.exe (started)
         network: severdops.ddns.net 103.151.123.132, ports 49734, 49753, 49756, VNPT-AS-VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP VN (unknown)
         signature: Contains functionality to steal Chrome passwords or cookies
  cwd.exe (started)
    signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Injects a PE file into a foreign process
    -> explorer.exe (started)
  cwd.exe (started)
    -> explorer.exe (started)
         signature: System process connects to network (likely due to code injection or exploit)
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Status:
Malicious
First seen:
2021-03-05 01:10:19 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
18
AV detection:
14 of 47 (29.79%)
Threat level:
5/5
Result
Malware family:
netwire
Score:
10/10
Tags:
family:netwire botnet persistence rat stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
NetWire RAT payload
Netwire
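The ANY.RUN behaviours, the Joe Sandbox signatures and graph, and the Hatching Triage behaviours above all describe one chain: a PE dropped under %AppData%\Roaming, a Run-key entry pointing at it, write access and a remote thread into explorer.exe, and explorer.exe then resolving and connecting to a dynamic DNS host. The script below expresses that chain as detection rules over Sysmon-style events, as an added example that is not any vendor's own logic; the events are constructed from the report, and the dynamic DNS suffixes, the system-process list and the rule names are assumptions.

```python
"""Detection logic for the host behaviour the sandboxes report above, run over
constructed Sysmon-style events.

Added example, not any vendor's rule set. Field names follow Sysmon (Image,
TargetFilename, TargetObject, GrantedAccess, DestinationHostname, ...); the
events are constructed from the report, and the dynamic-DNS suffix list, the
system-process list and the rule names are assumptions."""
import ntpath
import re

DYNDNS_SUFFIXES = (".ddns.net", ".duckdns.org", ".no-ip.org")   # assumption
SYSTEM_PROCESSES = {"explorer.exe", "svchost.exe"}               # assumption
PROCESS_VM_WRITE = 0x0020   # GrantedAccess bit that WriteProcessMemory needs
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
APPDATA_PE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(roaming|local)\\.*\.exe$", re.I)

# Constructed events mirroring the reported chain, plus two benign controls.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Downloads\FedEx Shipment.exe", "ProcessId": 4012},
    {"EventID": 11, "Image": r"C:\Users\user\Downloads\FedEx Shipment.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\cwds\cwd.exe"},
    {"EventID": 13, "Image": r"C:\Users\user\Downloads\FedEx Shipment.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\cwd",
     "Details": r"C:\Users\user\AppData\Roaming\cwds\cwd.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\user\Downloads\FedEx Shipment.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\Users\user\Downloads\FedEx Shipment.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 22, "Image": r"C:\Windows\explorer.exe",
     "QueryName": "severdops.ddns.net", "QueryResults": "103.151.123.132;"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "DestinationIp": "103.151.123.132",
     "DestinationPort": 7390, "DestinationHostname": "severdops.ddns.net"},
    # Benign controls: a browser download and a browser TLS connection.
    {"EventID": 11, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\user\Downloads\report.pdf"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "142.250.74.36", "DestinationPort": 443,
     "DestinationHostname": "www.google.com"},
]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, image, evidence) tuples; rules are evaluated in event order."""
    alerts = []
    injected = set()   # system processes that received write access or a remote thread

    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and APPDATA_PE.match(ev["TargetFilename"]):
            alerts.append(("pe_dropped_in_appdata", _name(ev["Image"]), ev["TargetFilename"]))
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            alerts.append(("run_key_persistence", _name(ev["Image"]), ev["Details"]))
        elif eid == 10:
            target = _name(ev["TargetImage"])
            # AV and backup agents also open processes with full rights; a real
            # deployment additionally filters SourceImage by path and signer.
            if target in SYSTEM_PROCESSES and int(ev["GrantedAccess"], 16) & PROCESS_VM_WRITE:
                alerts.append(("write_access_to_system_process", _name(ev["SourceImage"]), target))
                injected.add(target)
        elif eid == 8 and _name(ev["TargetImage"]) in SYSTEM_PROCESSES:
            target = _name(ev["TargetImage"])
            alerts.append(("remote_thread_in_system_process", _name(ev["SourceImage"]), target))
            injected.add(target)
        elif eid in (3, 22):
            image = _name(ev["Image"])
            host = (ev.get("DestinationHostname") or ev.get("QueryName") or "").lower()
            if host.endswith(DYNDNS_SUFFIXES):
                alerts.append(("dynamic_dns_destination", image, host))
            # The network activity is attributed to explorer.exe only because it was
            # injected into; correlating with the earlier injection events recovers that.
            if eid == 3 and image in injected:
                dest = f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
                alerts.append(("injected_system_process_network", image, dest))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

The correlation state (`injected`) is what turns "explorer.exe connected to a dynamic DNS host" into a high-confidence alert: on its own, explorer.exe does make outbound connections, and on its own a dynamic DNS lookup is common on home networks.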
Unpacked files
SHA256 hash:
cef2f777b4c29a5ced187382e3c0a0ee61d4c71471fc5d100b78a4e88f4324de
MD5 hash:
20e5be824638df2b4f86520d5a5a0cad
SHA1 hash:
5e3a464ce7ebaf297438e52dd6c9eaf374217eed
Please note that we are no longer able to provide a coverage score for VirusTotal.
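To confirm that a local file is this sample and matches the reported type (PE+ with a .NET CLR header), one can hash it and read the PE optional header for the magic value and the CLR runtime data directory. This is an added example, not MalwareBazaar code: IOC_HASHES repeats the hashes listed on this page, and build_minimal_pe() constructs a header-only test input that is not the sample, so its hashes do not match the IOCs.

```python
"""Confirm a file against the hashes listed above and check the reported type
(PE+ with a CLR header, i.e. a 64-bit .NET executable).

Added example, not MalwareBazaar code. IOC_HASHES repeats the page's values;
build_minimal_pe() constructs a bare header for testing and is not the sample."""
import hashlib
import struct

IOC_HASHES = {
    "sha256": "cef2f777b4c29a5ced187382e3c0a0ee61d4c71471fc5d100b78a4e88f4324de",
    "sha1": "5e3a464ce7ebaf297438e52dd6c9eaf374217eed",
    "md5": "20e5be824638df2b4f86520d5a5a0cad",
}
CLR_DIRECTORY = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in IOC_HASHES}


def matches_ioc(data: bytes) -> dict:
    """Per-algorithm comparison; all three should agree or the IOC list is wrong."""
    got = hashes(data)
    return {alg: got[alg] == want for alg, want in IOC_HASHES.items()}


def pe_info(data: bytes) -> dict:
    """Parse only what the check needs: bitness and whether a CLR header exists."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"pe": False}
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return {"pe": False}
        coff = e_lfanew + 4
        machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x20B:        # PE32+: data directories start at offset 112
            bits, dd_off = 64, 112
        elif magic == 0x10B:      # PE32:  data directories start at offset 96
            bits, dd_off = 32, 96
        else:
            return {"pe": True, "bits": None, "dotnet": False, "machine": machine}
        # NumberOfRvaAndSizes sits just before the directory table; never read past it.
        n_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]
        dotnet = False
        if n_dirs > CLR_DIRECTORY and opt_size >= dd_off + 8 * (CLR_DIRECTORY + 1):
            rva, size = struct.unpack_from("<II", data, opt + dd_off + 8 * CLR_DIRECTORY)
            dotnet = rva != 0 and size != 0
    except struct.error:          # truncated header
        return {"pe": False}
    return {"pe": True, "bits": bits, "dotnet": dotnet, "machine": machine}


def build_minimal_pe(pe32plus: bool = True, dotnet: bool = True) -> bytes:
    """Constructed header-only PE (no sections, not loadable) for exercising pe_info."""
    magic, dd_off, machine = (0x20B, 112, 0x8664) if pe32plus else (0x10B, 96, 0x14C)
    opt_size = dd_off + 16 * 8
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_off - 4, 16)                      # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, dd_off + 8 * CLR_DIRECTORY, 0x2008, 0x48)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0022)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def triage_file(path: str) -> dict:
    """Hash a file on disk, compare with the IOCs and describe its PE header."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"hashes": hashes(data), "ioc_match": matches_ioc(data), "pe": pe_info(data)}


if __name__ == "__main__":
    sample = build_minimal_pe()
    print(pe_info(sample), matches_ioc(sample))
```

A mismatch on one algorithm with a match on the others would indicate a copy error in the IOC list rather than a different file; a PE32+ result without a CLR directory, after the loader has unpacked, is what one would expect of the native NetWire payload rather than the .NET dropper.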

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: NetWire
Executable exe cef2f777b4c29a5ced187382e3c0a0ee61d4c71471fc5d100b78a4e88f4324de (this sample)

Delivery method: Distributed via e-mail attachment

Comments