MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d55aa6bea84dd9982c908b020d9529679c6219f9da29a794af64894eb9f092dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d55aa6bea84dd9982c908b020d9529679c6219f9da29a794af64894eb9f092dc
SHA3-384 hash: 6b49b4fcac521eeca668b462f89ec7e411f5cd847c3d0cefde020ae4f8de5b148ce91d82c9e5df714987a1fc28772a7b
SHA1 hash: 429e24de4d9858d2991469ec233b87d7c16e5f57
MD5 hash: b32bd1feccaec53b1bd1f1be43c6836e
humanhash: diet-twenty-thirteen-asparagus
File name:TT653GH?xcod..exe
Download: download sample
Signature NetWire
Create hunting rule
File size:792'576 bytes
First seen:2021-09-20 08:51:05 UTC
Last seen:2021-09-20 09:47:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:uovvQSmtiK5o8jHIOs4dUXMTOvZAGJoxJhRyEXpl47I9rX1f1rjknkAft:pvt+FoQl85axJqYy7IJF1vknkot
Threatray 10'494 similar samples on MalwareBazaar
TLSH T17FF49DC17D47D89BF4DF2AB3986FC0201165AE9D8165C73D2682BA2B55F3312306BE4E
File icon (PE):PE icon
dhash icon b282b8a4a6929e9e (23 x Formbook, 20 x AgentTesla, 9 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
194.5.98.25:5345

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.5.98.25:5345 https://threatfox.abuse.ch/ioc/223788/

Intelligence

File Origin
# of uploads :
2
# of downloads :
598
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d0829e13-2426-4a9d-b289-8c9b68785a1d
Verdict:
Malicious activity
Analysis date:
2021-09-20 09:00:02 UTC
Tags:
trojan netwire rat
Link:
https://app.any.run/tasks/ab0a32bf-3fe8-46de-9ee0-13d97964a464

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189360/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.19461.7220.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a9a539b7-14e8-457c-bb29-92ccc8b167ac
Result
Threat name:
AgentTesla NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853857
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Contains functionality to steal Chrome passwords or cookies
Creates multiple autostart registry keys
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected NetWire RAT
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 486289 Sample: TT653GH_xcod..exe Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for submitted file 2->68 70 Yara detected AgentTesla 2->70 72 Yara detected Telegram RAT 2->72 74 5 other signatures 2->74 8 TT653GH_xcod..exe 15 7 2->8         started        13 cay.exe 2->13         started        15 uyp.exe 2->15         started        17 3 other processes 2->17 process3 dnsIp4 60 cdn.discordapp.com 162.159.133.233, 443, 49733 CLOUDFLARENETUS United States 8->60 48 C:\Users\user\AppData\Local\Temp\ngf.exe, PE32 8->48 dropped 50 C:\Users\user\...\TT653GH_xcod..exe.log, ASCII 8->50 dropped 84 Writes to foreign memory regions 8->84 86 Injects a PE file into a foreign processes 8->86 19 ngf.exe 7 8->19         started        23 MSBuild.exe 3 8->23         started        88 Antivirus detection for dropped file 13->88 90 Multi AV Scanner detection for dropped file 13->90 92 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->92 94 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 13->94 96 Machine Learning detection for dropped file 15->96 98 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->98 62 betterday.duckdns.org 17->62 64 betterday.duckdns.org 17->64 file5 signatures6 process7 file8 42 C:\Users\user\AppData\Local\Temp\maur.exe, PE32 19->42 dropped 44 C:\Users\user\AppData\Local\Temp\49.exe, PE32 19->44 dropped 46 C:\Users\user\AppData\Local\Temp\22.exe, PE32 19->46 dropped 76 Antivirus detection for dropped file 19->76 78 Machine Learning detection for dropped file 19->78 25 22.exe 2 6 19->25         started        29 49.exe 2 4 19->29         started        31 maur.exe 19->31         started        80 Contains functionality to steal Chrome passwords or cookies 23->80 34 Host.exe 4 23->34         started        signatures9 process10 dnsIp11 52 C:\Users\user\AppData\Local\Temp\...\cay.exe, PE32 25->52 dropped 100 Antivirus detection for dropped file 25->100 102 Multi AV Scanner detection for dropped file 25->102 104 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 25->104 112 4 other signatures 25->112 54 C:\Users\user\AppData\Local\Temp\...\uyp.exe, PE32 29->54 dropped 106 Tries to steal Mail credentials (via file access) 29->106 108 Machine Learning detection for dropped file 29->108 110 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 29->110 66 192.168.2.1 unknown unknown 31->66 56 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 31->56 dropped 36 Host.exe 31->36         started        40 conhost.exe 34->40         started        file12 signatures13 process14 dnsIp15 58 betterday.duckdns.org 194.5.98.25, 49734, 49737, 49738 DANILENKODE Netherlands 36->58 82 Creates multiple autostart registry keys 36->82 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d55aa6bea84dd9982c908b020d9529679c6219f9da29a794af64894eb9f092dc/
Threat name:
ByteCode-MSIL.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 08:51:15 UTC
AV detection:
6 of 45 (13.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2vnknpvijxmzqleqrmba3fjjm6ogegpz3iu2pffpmseu5opqsloa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
0538554b73f98f395950af81f30e4fc99407e991babdce510bb61f9f9b56f23e
NetWire
06835e2c284ded66ca44497caf918d1ce6f216e68af866e85ac6fb79332b75f7
NetWire
1296e2be1e9e8dc2431cd3c37337af6fe9f2ad6e9b380111507b009642250216
NetWire
2cda176ce221ab580e6d9bbebc4333fa2156c33c9d4e3666c38eba656e13ef6b
NetWire
3afedea501a9bca64d1d400f5e3aa79e1f0d359a035d84569c123d49458425f2
NetWire
482a6a0bf95d313de664dec7523d7487995d5f26e1a30b8bc62c0a5e1431fbd7
NetWire
760c5c96174d0f5f899970f3b35da290b831f4c85221b1e274a5491fcf08b264
NetWire
8c940846bd45f30de0358c90c8caef670b5e15bc9468452418d215c40ed62a20
NetWire
ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa
NetWire
bcdc3a6d1789655987f5d907b4448d4cf1f5c862b6f24b91ae7b73dcaca65b2a
NetWire
+ 10'484 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:netwire botnet keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210920-kssjpadeb6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
AgentTesla Payload
AgentTesla
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
betterday.duckdns.org:5345
https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument
Unpacked files
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/0284aa6d-76ba-4332-8ee1-482f50fac9ba/
SH256 hash:
5914deb7dd35a1a094bb6730e63949cb1a9a1dc17cbce4cd6a9ddc31bcea6b9e
MD5 hash:
04fb7a130385a83fd5a5ac7d0b245f83
SHA1 hash:
50d7120af20ecf484614d6c476d20d191c716e35
Link:
https://www.unpac.me/results/0284aa6d-76ba-4332-8ee1-482f50fac9ba/
SH256 hash:
8503624c768d7c481f4fa71984b078512aa3cd0f80df75a9034d6e403a0f5e21
MD5 hash:
fba31ad42d33817c3009cf26f719f506
SHA1 hash:
282fb37047c36f4a7de4a88d915217ca1a3c7874
Link:
https://www.unpac.me/results/0284aa6d-76ba-4332-8ee1-482f50fac9ba/
SH256 hash:
0d46fa6b67893cdfa116756b67b4f342aa093ac2e4e9574fd2e9b60ada66b5fe
MD5 hash:
2f04be5ed8911b97868e8b859ff9072a
SHA1 hash:
20cd1daa8a424579316faf62026806587a70578e
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/0284aa6d-76ba-4332-8ee1-482f50fac9ba/
Parent samples :
d55aa6bea84dd9982c908b020d9529679c6219f9da29a794af64894eb9f092dc
23f943791b5757309e0fa0531c4f347ecba3d45d568cd1aae3f6828af0c0ea1d
be2073e4f262c4e72167e22c77958fa4e7b4fb08c63c213e2cfdd5b9a3b30f50
SH256 hash:
d55aa6bea84dd9982c908b020d9529679c6219f9da29a794af64894eb9f092dc
MD5 hash:
b32bd1feccaec53b1bd1f1be43c6836e
SHA1 hash:
429e24de4d9858d2991469ec233b87d7c16e5f57
Link:
https://www.unpac.me/results/0284aa6d-76ba-4332-8ee1-482f50fac9ba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d55aa6bea84dd9982c908b020d9529679c6219f9da29a794af64894eb9f092dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189360/

Comments