MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d25e23199a7c7f97e3e21ff927d53002353f22f299c41dca7cd3cdc3cae6531d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NanoCore


Vendor detections: 15



SHA256 hash: d25e23199a7c7f97e3e21ff927d53002353f22f299c41dca7cd3cdc3cae6531d
SHA3-384 hash: 700a2cd24ea0fa8d38597bccf5609da7ecf1ce10a902794834201b59743ca2ed1aa17e7a8e37641e3286554f8bd300d7
SHA1 hash: 13bcf9ee210e4130a45dbde394b5e242e34af2e3
MD5 hash: da276444d26b555c6c794248df8019c7
humanhash: red-coffee-friend-seventeen
File name: HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe
Signature: NanoCore
File size: 398'848 bytes
First seen: 2023-06-18 08:16:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'012 x Formbook, 12'352 x SnakeKeylogger)
ssdeep: 6144:93PyM/PNbjuSR81Uwzqs52CEhuA0Xop90V/az3Ws2of1Q:RPyCV/o/qUWDAopyV/rZof1Q
TLSH: T1AE84E02C33D88416D42AB2B544C0E7389635BDA67E0BD31F69C4AD6B3D257C6CE822D7
TrID:
  67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 60f0dafaf0e8f0e8 (1 x NanoCore)
Reporter: abuse_ch
Tags: exe NanoCore RAT


abuse_ch
NanoCore C2:
184.105.237.196:4416

Intelligence


File Origin
# of uploads: 1
# of downloads: 378
Origin country: NL
Vendor Threat Intelligence
Malware family: netwire
ID: 1
File name: HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe
Verdict: Malicious activity
Analysis date: 2023-06-18 08:18:44 UTC
Tags: netwire

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Changing the Zone.Identifier stream
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %temp% directory
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process with a hidden window
Creating a window
DNS request
Enabling the 'hidden' option for files in the %temp% directory
Sending a custom TCP request
Creating a file
Creating synchronization primitives
Launching cmd.exe command interpreter
Creating a file in the %AppData% subdirectories
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Enabling autorun
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd.exe hawkeye keylogger lolbin obfuscated packed
Result
Threat name: Netwire
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Creates an undocumented autostart registry key
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Netwire RAT
Behaviour
Behavior Graph (image not reproduced; the details below are recovered from the graph's text):
Behavior Graph ID: 889813
Sample: HEUR-Backdoor.Win32.Generic...
Startdate: 18/06/2023
Architecture: WINDOWS
Score: 100
Root-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
Processes started at root: HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe; name.exe
HEUR-Backdoor.Win32.Generic-d25e23199a7c7f97e.exe: dropped C:\Users\user\AppData\Roaming\tmp.exe (PE32), C:\Users\user\AppData\Local\Temp\svhost.exe (PE32), C:\Users\user\AppData\...\name.exe.lnk (MS) and 2 other malicious files; signatures: Writes to foreign memory regions, Allocates memory in foreign processes, Injects a PE file into a foreign processes; started tmp.exe, cmd.exe, svhost.exe, cmd.exe
name.exe: signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file; started cmd.exe, tmp.exe, svhost.exe
tmp.exe: DNS/IP: william1979.ddns.net 184.105.237.196, ports 4416, 49699, 49700 (RVBA2016US, United States); signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Contains functionality to log keystrokes, 2 other signatures
cmd.exe (first instance under the sample): dropped C:\Users\user\AppData\Roaming\...\name.exe (PE32), C:\Users\user\...\name.exe:Zone.Identifier (ASCII); signature: Uses cmd line tools excessively to alter registry or file data; started reg.exe, conhost.exe
cmd.exe (second instance under the sample): started conhost.exe, timeout.exe
cmd.exe (under name.exe): started conhost.exe, reg.exe
reg.exe: Creates an undocumented autostart registry key
Threat name: ByteCode-MSIL.Trojan.Razy
Status: Malicious
First seen: 2018-01-15 23:42:35 UTC
File Type: PE (.Net Exe)
Extracted files: 22
AV detection: 25 of 37 (67.57%)
Threat level: 5/5
Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet rat stealer
Behaviour
Delays execution with timeout.exe
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
william1979.ddns.net:4416
mathkros79.ddns.net:4416
engine79.ddns.net:4416
chrisle79.ddns.net:4416
jacknop79.ddns.net:4416
smath79.ddns.net:4416
whatis79.ddns.net:4416
goodgt79.ddns.net:4416
bonding79.ddns.net:4416
Unpacked files
SHA256 hash: 029d4a55e87b0b199dc34fb0f377bd45d5c2578f426f740a0b35b3ebb71ad12d
MD5 hash: 9ce7a686c415b0e0dcdc085d666b7698
SHA1 hash: c0bf07937a933b7c1c2d3b5c57e9fdc5b93518bd
Detections: Netwire win_netwire_auto win_netwire_g1
SHA256 hash: d25e23199a7c7f97e3e21ff927d53002353f22f299c41dca7cd3cdc3cae6531d
MD5 hash: da276444d26b555c6c794248df8019c7
SHA1 hash: 13bcf9ee210e4130a45dbde394b5e242e34af2e3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: HawkEye_Keylogger_Feb18_1
Author: Florian Roth (Nextron Systems)
Description: Semiautomatically generated YARA rule
Reference: https://app.any.run/tasks/ae2521dd-61aa-4bc7-b0d8-8c85ddcbfcc9
Rule name: HawkEye_Keylogger_Feb18_1_RID302C
Author: Florian Roth
Description: Semiautomatically generated YARA rule
Reference: https://app.any.run/tasks/ae2521dd-61aa-4bc7-b0d8-8c85ddcbfcc9
Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly
Rule name: Malicious_BAT_Strings
Author: Florian Roth (Nextron Systems)
Description: Detects a string also used in Netwire RAT auxilliary
Reference: https://pastebin.com/8qaiyPxs
Rule name: malware_netwire_strings
Author: JPCERT/CC Incident Response Group
Description: detect netwire in memory
Reference: internal research
Rule name: MAL_unspecified_Jan18_1
Author: Florian Roth (Nextron Systems)
Description: Detects unspecified malware sample
Reference: Internal Research
Rule name: MAL_unspecified_Jan18_1_RID2F4A
Author: Florian Roth
Description: Detects unspecified malware sample
Reference: Internal Research
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: netwire
Author: jeFF0Falltrades
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Suspicious_BAT_Strings
Author: Florian Roth (Nextron Systems)
Description: Detects a string also used in Netwire RAT auxilliary
Reference: https://pastebin.com/8qaiyPxs
Rule name: Windows_Trojan_Netwire_6a7df287
Author: Elastic Security
Rule name: Windows_Trojan_Netwire_f42cb379
Author: Elastic Security
Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.netwire.
Rule name: win_netwire_w0
Author: Jean-Philippe Teissier / @Jipe_
Description: NetWiredRC
