MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
SHA3-384 hash: c7f65837f45e4e92d292f87629f262be204d5244e3f60b0347f04abd0c232b56eed3bc1e8587357d96ade5ca3ac402a1
SHA1 hash: 6636511ae14abb0f2554199b4ed8977def1d9b8a
MD5 hash: 467e17b8d44626b7456716680e3d043d
humanhash: mexico-berlin-kitten-cat
File name:467e17b8d44626b7456716680e3d043d.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:357'888 bytes
First seen:2021-06-30 18:51:14 UTC
Last seen:2021-06-30 19:33:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9be290f2eaaedf4c0e2cb2f062e8f8a6 (1 x NetWire)
ssdeep 6144:lWnWCHqxhNmocNLztFvQy5dAOwQxM3QLylFzk8x2dQ32SY/XDzZXa:lOqxhNmoAb/NxM3+yHY84dQmrzz1a
Threatray 662 similar samples on MalwareBazaar
TLSH CA74DF2474D1C073D4B6003509F8DBB89A3EBD250B259AEB77C447BE4F242D1AB356BA
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
66.154.103.106:13374

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
66.154.103.106:13374 https://threatfox.abuse.ch/ioc/156454/

Intelligence

File Origin
# of uploads :
2
# of downloads :
358
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
timer.exe
Verdict:
Malicious activity
Analysis date:
2021-06-28 08:59:21 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/8d3ab5cc-6bb1-4477-9be7-5d25eaf3638a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168968/
Detection(s):
SecuriteInfo.com.Variant.Razy.872590.1458.9363.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/db1e38f3-3f5c-4690-8bc9-5349c2de1d77
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810167
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442578 Sample: wostUd6Q0y.exe Startdate: 30/06/2021 Architecture: WINDOWS Score: 100 62 Found malware configuration 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 5 other signatures 2->68 7 Adobe Reader.exe 7 2->7         started        11 Adobe Reader.exe 9 2->11         started        13 wostUd6Q0y.exe 11 2->13         started        15 Calculator.exe 6 2->15         started        process3 dnsIp4 48 asioasjdioasjdaiaoisjdjasdioasjd.yahoo.com 7->48 70 Writes to foreign memory regions 7->70 72 Allocates memory in foreign processes 7->72 74 Injects a PE file into a foreign processes 7->74 17 cmd.exe 1 7->17         started        20 calc.exe 7->20         started        22 conhost.exe 7->22         started        50 asioasjdioasjdaiaoisjdjasdioasjd.yahoo.com 11->50 24 cmd.exe 1 11->24         started        26 calc.exe 2 11->26         started        29 conhost.exe 11->29         started        52 asioasjdioasjdaiaoisjdjasdioasjd.yahoo.com 13->52 31 cmd.exe 3 13->31         started        34 calc.exe 12 13->34         started        36 conhost.exe 13->36         started        signatures5 process6 dnsIp7 38 reg.exe 1 17->38         started        56 System process connects to network (likely due to code injection or exploit) 20->56 40 reg.exe 1 24->40         started        54 66.154.103.106, 13374, 49736, 49737 ASN-QUADRANET-GLOBALUS Canada 26->54 44 C:\Users\user\AppData\...\Adobe Reader.exe, PE32 31->44 dropped 46 C:\Users\...\Adobe Reader.exe:Zone.Identifier, ASCII 31->46 dropped 58 Uses cmd line tools excessively to alter registry or file data 31->58 42 reg.exe 1 1 31->42         started        60 Contains functionality to steal Chrome passwords or cookies 34->60 file8 signatures9 process10
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42/
Threat name:
Win32.Trojan.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-06-28 19:59:55 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4voykljgu64tgt7ofnmqgbbfnblrt7xuwgjcckef4wgl73c3zba._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0c34d4763fc968ccbe9f33dec2ae9e3e132a61b40ffc93cc22f337a0758c0279
NetWire
27fc1cbcf702e483b8eec78bc2605e0d45dda7f0dae2c0adcd6f90b396a1151e
NetWire
2e54ae1fe78471492cc217d238fcd7f0158ae8f22a35e9576a91b3a6614c2d08
NetWire
557b7d3dbc3f34338f5a6c1467f399abc0b3ef004d7378b7ff78f80d96fbc244
NetWire
6bcd9c589b51cbd1011942b2bdaeaab62748c7380a17336b35bf589c880553b8
NetWire
7b9a1aa88be62eb638af26146fce0a1b71aec646d2495fb350dd6d56997e7582
NetWire
91f4cceeb3b8d11e2408bd72aead7513f7031226e5ebc969611379b1bd04256a
NetWire
abd18b2d7cfc702e56442f2549808b301f2e0fc214cdf2230d5fbefc9620fd42
NetWire
c4b73299f51cc04c30ee6080144f960c8d5de3d62c0e0b10c6c497f57b844474
NetWire
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
NetWire
+ 652 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/210630-z1r3ctanaa/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
66.154.103.106:13374
Unpacked files
SH256 hash:
f7973974b06ffb1c2d29c79e2c8596679eaf3c99bf5328bb948053006ea78f7b
MD5 hash:
6dcb2cbe83abe9f34e4d9cfdedf88500
SHA1 hash:
3fe86d41d9ef6705f924e6ee68b2347cde61ca46
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/9cadac24-ef70-4d80-9f33-65c3485d2d9e/
Parent samples :
cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
f04be193c52029bdefce7211c67c328a4bdfbaa2653679a6e528d86bf2d7dd9d
SH256 hash:
cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
MD5 hash:
467e17b8d44626b7456716680e3d043d
SHA1 hash:
6636511ae14abb0f2554199b4ed8977def1d9b8a
Link:
https://www.unpac.me/results/9cadac24-ef70-4d80-9f33-65c3485d2d9e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168968/

Comments