MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6ab9f8682b3afdc2d594873776c56341e67734dbea4f4bea62b5c59a2f69cd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 11



SHA256 hash: d6ab9f8682b3afdc2d594873776c56341e67734dbea4f4bea62b5c59a2f69cd7
SHA3-384 hash: b5a9fa77e171f76be0e4bf88e07a114df18bce1d4e055d2ebc856fb3956bc71add7097adb06895557c876fa1a794e33a
SHA1 hash: 225d94e764c03b9524836d2d68f6b324ee952b4a
MD5 hash: 9b2be10d80b4a80c733fe8101234da89
humanhash: chicken-early-blossom-nebraska
File name: 9b2be10d80b4a80c733fe8101234da89.exe
Signature: NetWire
File size: 823'808 bytes
First seen: 2021-01-30 06:20:03 UTC
Last seen: 2021-01-30 07:57:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:lyWkovCo42Y1e0LwP09plXh2T09plXh2wIGjOFPrMI+rUScJCX7gc2MVFr2gV:0oagYUGwP09fUT09fUpFPADYScJe0t+
Threatray: 5 similar samples on MalwareBazaar
TLSH: AA05F12027A89B55D1BE67B4E071811493F5BC03CB22EADEADE0349D2E73781CA5774A
Reporter: abuse_ch
Tags: exe NetWire RAT

abuse_ch
NetWire RAT C2:
winmonitor97435hr463n.hopto.org:888 (8.208.101.136)

Intelligence

File Origin
# of uploads: 2
# of downloads: 370
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9b2be10d80b4a80c733fe8101234da89.exe
Verdict: Malicious activity
Analysis date: 2021-01-30 06:20:54 UTC
Tags: trojan netwire rat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file
Sending a UDP request
Using the Windows Management Instrumentation requests
Result
Threat name: NetWire
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Contains functionality to steal Chrome passwords or cookies
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: NetWire
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected NetWire RAT
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-01-23 04:08:00 UTC
AV detection: 33 of 46 (71.74%)
Threat level: 5/5
Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet evasion ransomware rat stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
NetWire RAT payload
Netwire
Unpacked files
Detections: win_netwire_g1 win_netwire_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria
Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery: Web download
Signature: NetWire
File type: Executable exe
SHA256 hash: d6ab9f8682b3afdc2d594873776c56341e67734dbea4f4bea62b5c59a2f69cd7 (this sample)
Delivery method: Distributed via web download

Comments