MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2e59bc33911a374a68ae6c312b06284b82ced9a41dca1e05aa0cabf839029d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire

Vendor detections: 11

SHA256 hash: d2e59bc33911a374a68ae6c312b06284b82ced9a41dca1e05aa0cabf839029d0
SHA3-384 hash: a148b0b117482360f19e07f4f2979a0cfd4ff2ce1a3423399d9ef3db2918f08a9ac6f7d9bf7204fd81f94d0cc1206b2f
SHA1 hash: 12e5a955abafe37b127c8c3064426b5378f4a480
MD5 hash: ecf1de43c38bda88dd119d167c71cbd8
humanhash: mockingbird-fourteen-enemy-ink
File name: Document.exe
Signature: NetWire
File size: 833'536 bytes
First seen: 2021-09-08 15:26:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a6f9ce49927a1276962e131ee30a4701 (4 x AveMariaRAT, 2 x NetWire, 2 x RemcosRAT)
ssdeep: 12288:GDylNhPTW3jR+9bHoraZlojpF/b8PmcuVpvC1VGEdaj:j7I3N8DoraZ6d8unzUVA
Threatray: 881 similar samples on MalwareBazaar
TLSH: T14F053A61E2D534FEE0121AB84C27716998317F61250E7CC66EE43D888F76B433536BAE
dhash icon: acacacb6a2968eaa (13 x RemcosRAT, 4 x Formbook, 4 x AveMariaRAT)
Reporter: abuse_ch
Tags: exe NetWire RAT


abuse_ch
NetWire C2: 217.64.151.194:6655

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox reference
217.64.151.194:6655    https://threatfox.abuse.ch/ioc/218133/

Intelligence


File Origin
# of uploads: 1
# of downloads: 857
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Document.exe
Verdict: Malicious activity
Analysis date: 2021-09-08 15:28:02 UTC
Tags: trojan rat netwire

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Deleting a recently created file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Result
Threat name: NetWire
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph (ID 479980; sample: Document.exe; start date: 08/09/2021; architecture: WINDOWS; score: 96)
Top signatures: Found malware configuration; Yara detected NetWire RAT; C2 URLs / IPs found in malware configuration; 2 other signatures
Process tree and network activity recovered from the graph:
  Document.exe
    DNS: onedrive.live.com, dm-files.fe.1drv.com, bfxklw.dm.files.1drv.com
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    secinit.exe (started by Document.exe)
      Network: liquor01.ddns.net 217.64.151.194, local port 49754 -> remote port 6655 (OBE-EUROPE Obenetwork Europe SE, Sweden)
      Signatures: Contains functionality to log keystrokes; Contains functionality to steal Internet Explorer form passwords; Contains functionality to steal Chrome passwords or cookies
    cmd.exe (started by Document.exe)
      reg.exe -> conhost.exe
      conhost.exe
    cmd.exe (started by Document.exe)
      cmd.exe -> conhost.exe
      conhost.exe
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2021-09-08 15:27:05 UTC
AV detection: 6 of 32 (18.75%)
Threat level: 5/5
Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet stealer
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Netwire
Unpacked files
SHA256 hash: cd4b225505e84218ef7418c8e5f41acbb67c51bd43e9ddcfa25341259377d3df
MD5 hash: b7816cb3535b2f2675804d3052295003
SHA1 hash: db4588853aa1ec16b1f2d29b1e873a653a1ecb13
SHA256 hash: d2e59bc33911a374a68ae6c312b06284b82ced9a41dca1e05aa0cabf839029d0
MD5 hash: ecf1de43c38bda88dd119d167c71cbd8
SHA1 hash: 12e5a955abafe37b127c8c3064426b5378f4a480
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments