MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d19e690275e1eec487544552366accd109567893c79b3634cef31515b9a0a19b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d19e690275e1eec487544552366accd109567893c79b3634cef31515b9a0a19b
SHA3-384 hash: fb3adf44c5b57b8dc26582bf741c661822664f862fdb19420d93ed604fc73073bbc1086f6ac48434e453f7fa09af5729
SHA1 hash: 5ca58f3d62d35c1cd0f917820ce044c386819c34
MD5 hash: 586fa8fea2272a93224d52ea5c32c331
humanhash: nevada-maryland-vegan-california
File name:Xeroxscan002371414.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:525'312 bytes
First seen:2020-07-29 14:36:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c458ff2d515beb8f44158cd3636a7400 (19 x AgentTesla, 6 x NetWire, 3 x HawkEye)
ssdeep 12288:Fm+IRd9SSBFDhQS2dTQmdg61VnTlW50hv9pc7v+fb1VBTRkXDHzp:Fm+StbQldTvuwVnTlS0hvbc7v+fV1kX5
Threatray 1'337 similar samples on MalwareBazaar
TLSH 0FB423E5CB4A84A9D2462DB8812759F7B507F84ACC2A2548F581FD4F7E337878B93483
Reporter abuse_ch
Tags:exe NetWire nVpn RAT t-online


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: mailout08.t-online.de
Sending IP: 194.25.134.20
From: Daniel - Arroz do Padre <firmahs@t-online.de>
Reply-To: Daniel - Arroz do Padre <firmahs@t-online.de>
Subject: RES: FATURA MACIEL
Attachment: Xeroxscan002371414.7z (contains "Xeroxscan002371414.exe")

NetWire RAT C2:
79.134.225.12:1414

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34998/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Win.Dropper.NetWire-8025706-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Result
Threat name:
Nanocore NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/402752
Signature
.NET source code contains potential unpacker
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes
Detected Nanocore Rat
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: NanoCore
Sigma detected: NetWire
Yara detected Nanocore RAT
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 253719 Sample: Xeroxscan002371414.exe Startdate: 30/07/2020 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Sigma detected: NanoCore 2->46 48 Detected Nanocore Rat 2->48 50 5 other signatures 2->50 7 Xeroxscan002371414.exe 2 2->7         started        11 Host.exe 2->11         started        13 Host.exe 2->13         started        process3 file4 28 C:\Users\user\AppData\Local\Temp\bob.exe, PE32 7->28 dropped 52 Maps a DLL or memory area into another process 7->52 54 Contains functionality to detect sleep reduction / modifications 7->54 15 bob.exe 3 7->15         started        19 Xeroxscan002371414.exe 8 7->19         started        22 Xeroxscan002371414.exe 7->22         started        signatures5 process6 dnsIp7 30 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 15->30 dropped 38 Contains functionality to log keystrokes 15->38 40 Machine Learning detection for dropped file 15->40 24 Host.exe 3 15->24         started        34 79.134.225.12, 1414, 49738, 49739 FINK-TELECOM-SERVICESCH Switzerland 19->34 32 C:\Users\user\AppData\Roaming\...\run.dat, data 19->32 dropped 42 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->42 file8 signatures9 process10 dnsIp11 36 43.226.229.43, 2030, 49737, 49740 SOFTLAYERUS Hong Kong 24->36 56 Contains functionality to log keystrokes 24->56 58 Machine Learning detection for dropped file 24->58 signatures12
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d19e690275e1eec487544552366accd109567893c79b3634cef31515b9a0a19b/
Threat name:
Win32.Trojan.DataStealer
Create hunting rule
Status:
Malicious
First seen:
2020-07-29 14:38:07 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2gpgsatv4hxmjb2uivjdm2wm2eevm6ety6ntmngo6mkrlonaugnq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
netwirerc
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
07f411bd02cb5654c8903477700a32802c0ed1f445d14144bc306a2af3aa7910
NetWire
090c4ff20568f647c80d5ae386bf5aedd9d8b066066a465b5300f8bd42ff1282
NetWire
0c91c97182b3f1389437d15ff6aaa935156fc5ecc1c71c5588c0d831943acf4e
NetWire
474fdc334d61a837436e2979eebb789db0263ef26cf4bc00b5936823246a0b78
NetWire
4b110258d8a90160fd07abfd441805de6b8e1cb646c0734febd7de606ca5a4e4
NetWire
8cafd9b602e666abf81ea94c48663a8a1ebbf06746ed799be5184ecb748ae304
NetWire
9b1b5389e9953290c088469ae38ceb0c58899b90226fbc217012c965e523149c
NetWire
cdb81c63c05c1850a79a3441001e9f007fea5851a06090da724c8fe924204e93
NetWire
cf3b59c22659d7931cf9d0338d57af01d63fbb8363ebc4c86be884194ef62e40
NetWire
eb082ead8de20d80f1aa722b1ea95512e7c08d26403b8cf8cd6670a7fbc75c95
NetWire
+ 1'327 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/200729-vs8ejgmlpa/
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
netwire
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d19e690275e1eec487544552366accd109567893c79b3634cef31515b9a0a19b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

7z 2161031f4255f42708403f54742de0a236055091ba0892990647a7f5d347ac6c

NetWire

Executable exe d19e690275e1eec487544552366accd109567893c79b3634cef31515b9a0a19b

(this sample)

  
Dropped by
MD5 478e23faa6103b35de00b0dca9d52ed6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34998/
  
Dropped by
SHA256 2161031f4255f42708403f54742de0a236055091ba0892990647a7f5d347ac6c

Comments