MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4f4db9b1a68038b8d1a8f5e775f05bb8de7d8c4d99c55d3f4ca433812006546. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	d4f4db9b1a68038b8d1a8f5e775f05bb8de7d8c4d99c55d3f4ca433812006546
SHA3-384 hash:	2413ad64c1fbc2e9fb058ddf6e69822d9b5bbc6cba3fbf44ad7827b9b320969f2c02b8ea2bdbd28e3646f8a740eb833e
SHA1 hash:	6fd780b87a40cf4e53c9753816e2a6e936874751
MD5 hash:	3a391690055e204f6529d457f0b853e1
humanhash:	nevada-spaghetti-quebec-lactose
File name:	d4f4db9b1a68038b8d1a8f5e775f05bb8de7d8c4d99c55d3f4ca433812006546
Download:	download sample
Signature	NetWire Create hunting rule
File size:	405'337 bytes
First seen:	2021-08-31 10:21:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep	6144:RqjIReFkChRrQtxpTY0CfYvzUKhiStGyME5zA/u1vRrV:49keQNTY0CAvzUGYn0zAMZ
Threatray	543 similar samples on MalwareBazaar
TLSH	T14084C09BCA908A53CB907B300FBAE7355735FE683964455B7BE87D2B3A7F5835802102
dhash icon	4cccd4d4e8e0e870 (1 x NetWire)
Reporter	JAMESWT_WT
Tags:	exe NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

972

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d4f4db9b1a68038b8d1a8f5e775f05bb8de7d8c4d99c55d3f4ca433812006546

Verdict:

Malicious activity

Analysis date:

2021-08-31 10:43:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6cb037d8-b249-402b-8e11-cc0da6f18a98

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/184134/

Detection(s):

SecuriteInfo.com.Zum.Androm.1.1011.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

DNS request

Connection attempt

Sending a custom TCP request

Creating a window

Sending a UDP request

Malware family:

NetWire RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a9d190a6-cf4a-4c3f-8dce-ecd1e8217658

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/842546

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d4f4db9b1a68038b8d1a8f5e775f05bb8de7d8c4d99c55d3f4ca433812006546/

Threat name:

Win32.Trojan.SpyNoon

Status:

Malicious

First seen:

2021-07-01 06:47:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2t2nxgy2nabyxdi2r5phoxyfxog6pwge3goflu7uzjbtqeqamvda._file

Verdict:

malicious

Label(s):

netwirerc

NetWire

5b4962b939b67929dcb5b0c5a90b75e617f9af630271d710a21ccbe0d7738e05

NetWire

6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e

NetWire

70e793d2230cc480a7b60dd9ebd5a4244ffec956f436153e255f10de62ead69c

NetWire

7e12867c3e8353fc4175b559bbf654ccce1b253204fd7c5c0e2a72b56026ca32

NetWire

ee70cb2fc82abe10d225555baf80864b1c8f779fce79dcb2b76943d145a8130e

NetWire

+ 533 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/210831-zrr9j6etzx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

warin.hopto.org:4320

Unpacked files

SH256 hash:

3bdf0bfc560e222d6b91542a5bae5a13baefd92d8a298ecaae561c601236dee2

MD5 hash:

ec3b3672c3607c6a7a797721ac3fe01f

SHA1 hash:

bcf676a124edd959bafd4a72b7e9cfe47e80af20

Link:

https://www.unpac.me/results/a9cfbfef-d200-4ff2-b83b-1638d3a86145/

SH256 hash:

c4b4a822a77f9e88dcc7ca5c6fb1bd67edf18cd40521d4095e9dd11f3d4fabe2

MD5 hash:

761fa1c330f4bf4f9e2c592d94253575

SHA1 hash:

767e4b952b5c3d267423a9ca82ee733c95d413a4

Detections:

win_netwire_g1

win_netwire_auto

Link:

https://www.unpac.me/results/a9cfbfef-d200-4ff2-b83b-1638d3a86145/

Parent samples :

79712cd9030282fbf73a6a8a0ada993f2b0f682d75a255cebf5a344896652306
0d7f2b187239381646230ae6f03ce02a7bba8a95482df00f459904af60da902a
6e318257ff61f8aeff03704c59af6d66f52b4ae7fe36ab8b715db00694cad13a
d4f4db9b1a68038b8d1a8f5e775f05bb8de7d8c4d99c55d3f4ca433812006546

SH256 hash:

d4f4db9b1a68038b8d1a8f5e775f05bb8de7d8c4d99c55d3f4ca433812006546

MD5 hash:

3a391690055e204f6529d457f0b853e1

SHA1 hash:

6fd780b87a40cf4e53c9753816e2a6e936874751

Link:

https://www.unpac.me/results/a9cfbfef-d200-4ff2-b83b-1638d3a86145/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.67

Link:

https://yomi.yoroi.company/submissions/d4f4db9b1a68038b8d1a8f5e775f05bb8de7d8c4d99c55d3f4ca433812006546

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

Rule name:	MALWARE_Win_NetWire Create hunting rule
Author:	ditekSHen
Description:	Detects NetWire RAT

Rule name:	win_netwire_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/184134/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample