MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d072441e276c608471a851b369726d633a66ad702663cf2868d15edfe79c5e64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 10

SHA256 hash: d072441e276c608471a851b369726d633a66ad702663cf2868d15edfe79c5e64
SHA3-384 hash: 93e698282669c7d125406668ca9568ae0c722021e4975b4e6f5ec966becd3e1c11d4e29790680fb7003810ec7a6fdabc
SHA1 hash: fd70e0ec9fca053c34dc08640477ff516d2d5725
MD5 hash: 7a5a9f55643adf965ea93bd197353248
humanhash: grey-cup-cat-lima
File name: SecuriteInfo.com.Trojan.GenericKD.36853296.10653.5222
Signature: NetWire
File size: 1'856'512 bytes
First seen: 2021-05-06 17:55:57 UTC
Last seen: 2021-05-06 18:01:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0b6ce52b13559fc7fd638da8d5c538c2 (2 x NetWire)
ssdeep: 49152:WhtORUwc166NlRq7vLSUtwFOla7t12iSzZ2WFeZkP9aiK+d:WhtORUB166NHq7vLZUsaRMfNzFeZkP9t
Threatray: 388 similar samples on MalwareBazaar
TLSH: 2185BD13FA48D1B7CB7E0179068D62BA55A5BC690B25A4F767C83B4F65312C02EFC18E
Reporter: SecuriteInfoCom
Tags: NetWire

Intelligence

File Origin
# of uploads: 2
# of downloads: 350
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour:
  Sending a UDP request
  Launching the default Windows debugger (dwwin.exe)

Result
Verdict: MALICIOUS
Details:
  Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: NetWire
Detection: malicious
Classification: troj
Score: 76 / 100
Signature:
  C2 URLs / IPs found in malware configuration
  Country aware sample found (crashes after keyboard check)
  Found malware configuration
  Machine Learning detection for sample
  Multi AV Scanner detection for submitted file
  PE file has a writeable .text section
  Yara detected NetWire RAT

Threat name: Win32.Trojan.NetWired
Status: Malicious
First seen: 2021-05-06 02:03:00 UTC
AV detection: 17 of 29 (58.62%)
Threat level: 5/5

Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet persistence rat stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Program crash
  Adds Run key to start application
  Loads dropped DLL
  Executes dropped EXE
  NetWire RAT payload
  Netwire
  Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction: 23.105.131.210:1955
Unpacked files
SHA256 hash: 101b804d7b4fb0039efff4058f8b0166aa6c7fee3514be3e36992ebed407112c
MD5 hash: cd7c1120466cc32964cd1443e1b47ec3
SHA1 hash: 84441996ea8868c6793b3b07bd5f7a38d43b92da

SHA256 hash: 52a04c1a352c84295a7f25624180d011bb950111e68eb806504d50229999a1ab
MD5 hash: 550168c3138a42509f36ea73e2cb6e9e
SHA1 hash: 32e1fe31e99552352853bd354afb985bf6203608
Detections: win_netwire_g1 win_netwire_auto

SHA256 hash: d072441e276c608471a851b369726d633a66ad702663cf2868d15edfe79c5e64
MD5 hash: 7a5a9f55643adf965ea93bd197353248
SHA1 hash: fd70e0ec9fca053c34dc08640477ff516d2d5725
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method   Signature   File type        SHA256
Web download      NetWire     Executable exe   d072441e276c608471a851b369726d633a66ad702663cf2868d15edfe79c5e64 (this sample)

Delivery method: Distributed via web download

Comments



accidentalrebel commented on 2021-05-06 18:03:36 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.034] Anti-Behavioral Analysis::Anti-debugging Instructions
1) [B0012.001] Anti-Static Analysis::Argument Obfuscation
2) [F0002.002] Collection::Polling
3) [C0002.014] Communication Micro-objective::Read Header::HTTP Communication
4) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash
8) [C0045] File System Micro-objective::Copy File
9) [C0046] File System Micro-objective::Create Directory
10) [C0047] File System Micro-objective::Delete File
11) [C0049] File System Micro-objective::Get File Attributes
12) [C0051] File System Micro-objective::Read File
13) [C0050] File System Micro-objective::Set File Attributes
14) [C0052] File System Micro-objective::Writes File
15) [E1510] Impact::Clipboard Modification
16) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
17) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
18) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
19) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0018] Process Micro-objective::Terminate Process