MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d60de14c758c25427363470c83986085c1e46740906b6fa0c946b1483b741696. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 4 File information Comments

SHA256 hash:	d60de14c758c25427363470c83986085c1e46740906b6fa0c946b1483b741696
SHA3-384 hash:	522d42066186829204711b363af46a513a2b222644f03c0948de97d55289d08af4974babd7141923acdef475c6124865
SHA1 hash:	d4d27f3c08306ff881c9577a26476986d2d2e974
MD5 hash:	c6ce41c28af4b9089a513d0952d2197b
humanhash:	uranus-orange-early-river
File name:	Shipping Document PL&BL Draft.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	654'288 bytes
First seen:	2021-12-21 13:06:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	12288:ilzhbZ6wScNYC8dctN9zwwU3xRCQ2RDqF9tCy2NMB6eOHcdDl73Xo:ilFdwwUzQqF9o1NU/jDFo
Threatray	624 similar samples on MalwareBazaar
TLSH	T192D4BED6D730706FCDE8133E45E8A40C6154AD2E7D71E09E12B0BB4B3BF269A0999F94
File icon (PE):
dhash icon	f0f8e0e9e9e0e8f0 (1 x NetWire)
Reporter	abuse_ch
Tags:	exe NetWire RAT

abuse_ch

NetWire C2:
89.238.150.43:5512

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
89.238.150.43:5512	https://threatfox.abuse.ch/ioc/279263/

Intelligence

File Origin

# of uploads :

# of downloads :

450

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Shipping Document PL&BL Draft.exe

Verdict:

Malicious activity

Analysis date:

2021-12-21 13:08:35 UTC

Tags:

installer

Link:

https://app.any.run/tasks/589fcdeb-29d0-415b-a9a5-024c95b507c4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/215655/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Creating a process from a recently created file

Sending a custom TCP request

DNS request

Unauthorized injection to a recently created process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2847/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

60%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/61c1d1798991ba72b390384f/reports/56d0c6c0-9e6d-4182-ab2e-acbcfdddaafc/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/0b580061-5801-486d-ac9b-32bed1dfe1ad

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/910938

Signature

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d60de14c758c25427363470c83986085c1e46740906b6fa0c946b1483b741696/

Threat name:

Win32.Trojan.NetWired

Status:

Malicious

First seen:

2021-12-21 13:07:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2yg6ctdvrqsue43di4gihgdaqxa6iz2asbvw7igji2yuqo3uc2la._file

Verdict:

malicious

Label(s):

netwirerc

NetWire

23fd501c884e2f46d38af81b0d6e423ea0bff8c5eee615227806faf7b2833827

NetWire

482a6a0bf95d313de664dec7523d7487995d5f26e1a30b8bc62c0a5e1431fbd7

NetWire

62b21f15caf460ffc5fd34e06228587c3b244902d922bade48a1a8b6a6879243

NetWire

9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72

NetWire

b4ac3be33fd7d731376ea3b504995b465122d8ef268e59e7ded5d433762cc932

NetWire

ba468ce1204233cbcb5d473ac13cd5554588480c0186f52e0bd7f091eb3f081c

NetWire

cb54cd1dc1efb943d5308d6681f36ecaec957f0a70f9683f1da3e7e1188b9748

NetWire

ccd667e3a1a0577ed841968990cb37790e1e6f0fb4ceb1a2f947ef391d68dd4d

NetWire

+ 614 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/211221-qcmw6aechp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

NSIS installer

Enumerates physical storage devices

Program crash

Loads dropped DLL

Executes dropped EXE

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

89.238.150.43:5512

Unpacked files

SH256 hash:

d60de14c758c25427363470c83986085c1e46740906b6fa0c946b1483b741696

MD5 hash:

c6ce41c28af4b9089a513d0952d2197b

SHA1 hash:

d4d27f3c08306ff881c9577a26476986d2d2e974

Link:

https://www.unpac.me/results/1c987750-b24a-4a27-80e8-bc294febdb2d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.23

Link:

https://yomi.yoroi.company/submissions/d60de14c758c25427363470c83986085c1e46740906b6fa0c946b1483b741696

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	MALWARE_Win_NetWire Create hunting rule
Author:	ditekSHen
Description:	Detects NetWire RAT

Rule name:	win_netwire_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.netwire.

Rule name:	win_netwire_w0 Create hunting rule
Author:	Jean-Philippe Teissier / @Jipe_
Description:	NetWiredRC

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/215655/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample