MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbafada7e8406895de0d99952e4543a123b453c9181e4b9244c8938e3cbc9d6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 10

SHA256 hash: dbafada7e8406895de0d99952e4543a123b453c9181e4b9244c8938e3cbc9d6d
SHA3-384 hash: 809d24ddc67f3213072d85d7446f6a7847d1eba402e580a0258df9f13e04c0f79433e90e0592c32b6b7f94b15bb13495
SHA1 hash: 694a52adcd917ece99e03b46459d9dbcd1d89dd3
MD5 hash: 9a6ab94484d3987d7ffc49d24b3b5783
humanhash: comet-green-spring-triple
File name: Kojcujmcpvqazbuwcyhwoekmlsfsochnsl.exe
Signature: NetWire
File size: 849'920 bytes
First seen: 2021-10-04 06:55:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8276363bcf2f383c8cd04fac30801161 (10 x RemcosRAT, 2 x NetWire, 1 x Formbook)
ssdeep: 12288:0w6jlNSq3W9F1Sa+tiDWIyNCYAycjL7YiEFXXXB:Naeq3gF1Sf+WIy9AyAdSXXXB
Threatray: 1'262 similar samples on MalwareBazaar
TLSH: T1840506224144A72AF11A3336E98B111417E2AD3C2E604B3AF5955B4B4F3F784EED687F
dhash icon: 1432694969516806 (10 x RemcosRAT, 2 x NetWire, 1 x Formbook)
Reporter: abuse_ch
Tags: exe NetWire RAT

Note that the imphash and the icon dhash match more RemcosRAT and Formbook samples than NetWire samples. They fingerprint the shared packer or loader (one of the sandbox verdicts below tags the sample "packed"), not the family, so for attribution pivot on the extracted C2 list and the unpacked payload hashes rather than on these two values.


Comment by abuse_ch:
NetWire C2:
104.254.90.235:5457

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
104.254.90.235:5457    https://threatfox.abuse.ch/ioc/230078/

Intelligence

File Origin
# of uploads: 1
# of downloads: 459
Origin country: n/a

Vendor Threat Intelligence

Result
Malware family: n/a
ID: 1
File name: Kojcujmcpvqazbuwcyhwoekmlsfsochnsl.exe
Verdict: Malicious activity
Analysis date: 2021-10-04 06:57:06 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox; its verdict reflects every action taken during the analysis session, not only the behaviour of the uploaded sample.
Result
Verdict: Malware
Behaviour:
  Creating a window
  DNS request
  Connection attempt
  Sending a custom TCP request

Result
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: keylogger packed
Result
Threat name: NetWire
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signatures:
  Allocates memory in foreign processes
  C2 URLs / IPs found in malware configuration
  Contains functionality to log keystrokes
  Contains functionality to steal Chrome passwords or cookies
  Contains functionality to steal Internet Explorer form passwords
  Creates a thread in another existing process (thread injection)
  Found malware configuration
  Injects a PE file into a foreign processes
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for dropped file
  Writes to foreign memory regions
  Yara detected NetWire RAT
Behaviour
Behavior Graph (ID 496107; sample Kojcujmcpvqazbuwcyhwoekmlsf...; start date 04/10/2021; architecture WINDOWS; score 100). The graph image did not survive extraction; the process tree, network contacts and per-process signatures it encoded are reproduced below.

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Yara detected NetWire RAT; C2 URLs / IPs found in malware configuration.

Process tree:
  Kojcujmcpvqazbuwcyhwoekmlsfsochnsl.exe (submitted sample)
    dropped: C:\Users\Public\Libraries\...\Kojcujm.exe (PE32)
    contacted: vmps3w.sn.files.1drv.com and 2 other IPs or domains
    signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    |- logagent.exe
    |    contacted: 185.103.96.143:5457 (from source port 49828; UKSERVERS-AS, UK Dedicated Servers Hosting and Co-Location, United Kingdom), 91.214.169.69:5457 (LIBERTYGLOBAL, Liberty Global formerly UPC Broadband Holding, Switzerland) and 3 other IPs or domains
    |    signatures: Contains functionality to log keystrokes; Contains functionality to steal Internet Explorer form passwords; Contains functionality to steal Chrome passwords or cookies
    |- cmd.exe
    |    |- reg.exe
    |    |    |- conhost.exe
    |    |- conhost.exe
    |- cmd.exe
         |- cmd.exe
         |    |- conhost.exe
         |- conhost.exe
  Kojcujm.exe (dropped copy, first instance)
    contacted: vmps3w.sn.files.1drv.com and 2 other IPs or domains
    signatures: Multi AV Scanner detection for dropped file; Allocates memory in foreign processes
    |- logagent.exe
  Kojcujm.exe (dropped copy, second instance)
    contacted: 192.168.2.1, vmps3w.sn.files.1drv.com and 2 other IPs or domains
    |- DpiScaling.exe

Reading the tree: the injection signatures sit on the sample and its dropped copy, while the keylogger and browser-credential signatures and the port 5457 connections sit on logagent.exe, a Windows binary those processes start. Together with DpiScaling.exe under the second dropped instance, this is the pattern of a RAT payload executing inside an injected system process, with cmd.exe and reg.exe used for persistence (the later vendor result reports a Run key being added).
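The execution chain in the behavior graph (dropper writes a copy under C:\Users\Public\Libraries, cmd.exe launches reg.exe, and Windows binaries such as logagent.exe and DpiScaling.exe then connect out on TCP/5457) can be turned into host-side detection logic. The following is an added example written for this page, not code from MalwareBazaar, abuse.ch or any of the sandbox vendors. The events it runs over are constructed Sysmon-like records modelled on the graph; the full drop path (the page truncates it with "...") and the reg.exe command line (the page does not show it) are placeholders invented for the example.

```python
"""Detection logic for the execution chain shown in this entry's behavior graph.

Added example, not vendor or MalwareBazaar code. EVENTS is constructed test data:
the drop path below the Public profile and the reg.exe command line are
placeholders, because the page truncates the path and does not show the command.
"""
from typing import Dict, List, Tuple

Event = Tuple[str, int, int, str, str]   # (kind, pid, ppid, image, detail)
Finding = Tuple[str, int, str]           # (rule name, pid, detail)

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\",)
COMMON_PORTS = {25, 53, 80, 123, 135, 139, 443, 445, 587, 993, 995}
RUN_KEY_MARKER = "\\currentversion\\run"

# kind: "proc" (detail = command line), "file" (detail = path written), "net" (detail = "ip:port").
# For "file"/"net" records, pid/ppid/image describe the acting process.
EVENTS: List[Event] = [
    ("proc", 500, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ("proc", 1001, 500, r"C:\Users\user\Desktop\Kojcujmcpvqazbuwcyhwoekmlsfsochnsl.exe", "Kojcujmcpvqazbuwcyhwoekmlsfsochnsl.exe"),
    ("file", 1001, 500, r"C:\Users\user\Desktop\Kojcujmcpvqazbuwcyhwoekmlsfsochnsl.exe", r"C:\Users\Public\Libraries\Kojcujm\Kojcujm.exe"),
    ("proc", 1002, 1001, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Kojcujm /d "C:\Users\Public\Libraries\Kojcujm\Kojcujm.exe"'),
    ("proc", 1003, 1002, r"C:\Windows\System32\reg.exe", r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Kojcujm /d "C:\Users\Public\Libraries\Kojcujm\Kojcujm.exe"'),
    ("proc", 1004, 1001, r"C:\Windows\System32\logagent.exe", "logagent.exe"),
    ("net", 1004, 1001, r"C:\Windows\System32\logagent.exe", "185.103.96.143:5457"),
    ("proc", 2000, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),   # benign control
    ("net", 2000, 4, r"C:\Windows\System32\svchost.exe", "13.107.42.12:443"),          # benign control
    ("proc", 1005, 500, r"C:\Users\Public\Libraries\Kojcujm\Kojcujm.exe", "Kojcujm.exe"),
    ("proc", 1006, 1005, r"C:\Windows\System32\DpiScaling.exe", "DpiScaling.exe"),
    ("net", 1006, 1005, r"C:\Windows\System32\DpiScaling.exe", "91.214.169.69:5457"),
]


def in_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def build_process_table(events: List[Event]) -> Dict[int, Tuple[int, str, str]]:
    """pid -> (ppid, image, command line), from process-creation records only."""
    return {pid: (ppid, image, detail) for kind, pid, ppid, image, detail in events if kind == "proc"}


def detect(events: List[Event]) -> List[Finding]:
    """Run three rules derived from the graph and return (rule, pid, detail) findings."""
    procs = build_process_table(events)

    def lineage(pid: int) -> List[str]:
        """Images of parent, grandparent, ... following ppid links (stops at unknown or cyclic ppid)."""
        chain, seen = [], set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            pid = procs[pid][0]
            if pid in procs:
                chain.append(procs[pid][1])
        return chain

    findings: List[Finding] = []
    for kind, pid, _ppid, image, detail in events:
        ancestors = lineage(pid)
        parent = ancestors[0] if ancestors else ""
        grandparent = ancestors[1] if len(ancestors) > 1 else ""
        if kind == "file":
            # Rule 1a: a PE written below the shared Public profile (the graph's C:\Users\Public\Libraries\... drop).
            if detail.lower().endswith(".exe") and "\\users\\public\\" in detail.lower():
                findings.append(("exe_dropped_to_public_profile", pid, detail))
        elif kind == "proc":
            # Rule 1b: an executable running from the Public profile (the dropped copy on a later start).
            if "\\users\\public\\" in image.lower():
                findings.append(("exe_running_from_public_profile", pid, image))
            # Rule 2: reg.exe touching a Run key, launched via cmd.exe by a process in a user-writable path.
            if (image.lower().endswith("\\reg.exe") and RUN_KEY_MARKER in detail.lower()
                    and parent.lower().endswith("\\cmd.exe") and in_user_writable(grandparent)):
                findings.append(("run_key_set_via_cmd_from_user_path", pid, detail))
        elif kind == "net":
            # Rule 3: a Windows system binary whose parent lives in a user-writable path beacons to an uncommon port.
            ip, _, port = detail.rpartition(":")
            if in_system_dir(image) and in_user_writable(parent) and int(port) not in COMMON_PORTS:
                findings.append(("system_binary_child_of_user_path_beacons_uncommon_port", pid, f"{image} -> {ip}:{port}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:55s} pid={pid:<5d} {detail}")
```

Rule 3 is the one that carries the weight here: logagent.exe and DpiScaling.exe are legitimate Windows binaries, so an image-name blocklist would not catch them, but a system binary whose parent runs from a user-writable directory and which then connects to a port outside the usual set is rare on a workstation. The svchost.exe control record shows that the parent check is what keeps ordinary system network activity out of the results.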
Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet persistence rat stealer
Behaviour:
  Modifies registry key
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Program crash
  Adds Run key to start application
  NetWire RAT payload
  Netwire

Malware Config
C2 Extraction:
  64.42.179.51:5457
  185.103.96.143:5457
  91.214.169.69:5457
  213.152.161.239:5457
  104.254.90.235:5457

All five extracted endpoints use port 5457. Two of them (185.103.96.143 and 91.214.169.69) were contacted during the sandbox run shown in the behavior graph above, and 104.254.90.235:5457 is the one the reporter submitted to ThreatFox; the other three come only from the static configuration and were not observed live in this analysis.
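The C2 list above and the ThreatFox IOC in the IOC section are most useful once they are matched against traffic. The following is an added example, not code from MalwareBazaar, abuse.ch or the sandbox vendor: it loads the five extracted endpoints, checks them against a Zeek-style conn.log excerpt that is constructed for the example (the records are not from the real analysis), distinguishes an exact ip:port hit from a hit on the IP alone, and emits a Suricata rule per endpoint. The Zeek field order and the SID range are assumptions stated in the comments.

```python
"""Match this entry's extracted NetWire C2 endpoints against connection logs.

Added example, not MalwareBazaar or vendor code. NETWIRE_C2 is copied from the
"C2 Extraction" list on this page; SAMPLE_CONN_LOG is constructed test data.
"""
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# C2 endpoints exactly as listed in this entry (all TCP/5457).
NETWIRE_C2: Set[Tuple[str, int]] = {
    ("64.42.179.51", 5457),
    ("185.103.96.143", 5457),
    ("91.214.169.69", 5457),
    ("213.152.161.239", 5457),
    ("104.254.90.235", 5457),
}

# Constructed Zeek conn.log excerpt (tab-separated). Field order assumed:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1633330656.123\tCabc1\t192.168.2.15\t49828\t185.103.96.143\t5457\ttcp
1633330657.456\tCabc2\t192.168.2.15\t49830\t13.107.42.12\t443\ttcp
1633330658.789\tCabc3\t192.168.2.15\t49831\t91.214.169.69\t5457\ttcp
1633330659.000\tCabc4\t192.168.2.15\t49832\t104.254.90.235\t80\ttcp
1633330660.000\tCabc5\t192.168.2.16\t53000\t8.8.8.8\t53\tudp
"""


def parse_conn_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line; skip Zeek header lines and truncated records."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # malformed or truncated line: never let it crash a sweep
        ts, uid, orig_h, orig_p, resp_h, resp_p, proto = fields[:7]
        yield {"ts": ts, "uid": uid, "orig_h": orig_h, "orig_p": orig_p,
               "resp_h": resp_h, "resp_p": resp_p, "proto": proto}


def match_c2(records: Iterable[Dict[str, str]],
             c2: Set[Tuple[str, int]] = NETWIRE_C2) -> List[Tuple[str, str, int, str]]:
    """Return (uid, resp_h, resp_p, confidence) for each record that touches a C2.

    An exact TCP ip:port match is 'high'. A match on the IP alone is 'medium':
    the host is known-bad, but a different port is not by itself a NetWire session.
    """
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for r in records:
        try:
            port = int(r["resp_p"])
        except ValueError:
            continue  # Zeek writes '-' for missing ports
        if (r["resp_h"], port) in c2 and r["proto"] == "tcp":
            hits.append((r["uid"], r["resp_h"], port, "high"))
        elif r["resp_h"] in c2_ips:
            hits.append((r["uid"], r["resp_h"], port, "medium"))
    return hits


def suricata_rules(c2: Set[Tuple[str, int]] = NETWIRE_C2, sid_base: int = 9000001) -> List[str]:
    """One Suricata rule per endpoint. SIDs from 1,000,000 upward are the local-use range (assumed free here)."""
    rules = []
    for i, (ip, port) in enumerate(sorted(c2)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"NetWire RAT C2 connection to {ip}:{port}"; '
            f'flow:to_server,established; classtype:trojan-activity; '
            f'sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for uid, host, port, confidence in match_c2(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{uid:6s} {host:16s} {port:5d} {confidence}")
    print("\n".join(suricata_rules()))
```

The medium-confidence path exists because the C2 list gives exact ports while an operator may move a controller to another port on the same host; alerting on the IP alone and letting the port decide the severity keeps that case visible without treating every packet to the host as a confirmed session.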
Unpacked files
SHA256 hash: 8355a1e5aee67b2e140b6e38bf507d23470f1e223bc3e61e124313a14ebcfb59
MD5 hash: 4e1e2029a6257910978aed9bf3b6988f
SHA1 hash: f4eb74facae591787fb7e254aa544e2fd93f2ce4

SHA256 hash: f808a11e5b1cb4332bb4d65cdbcf1e0ca7323b15bcf73cb7462ad3eb30f05703
MD5 hash: 6cfdeebc3c72279486ddd229eb14b009
SHA1 hash: e3a2a0a2a0fabd55415c9007f52c79fe9e19e0a7

SHA256 hash: dbafada7e8406895de0d99952e4543a123b453c9181e4b9244c8938e3cbc9d6d (the submitted sample itself; its hashes match the entry header)
MD5 hash: 9a6ab94484d3987d7ffc49d24b3b5783
SHA1 hash: 694a52adcd917ece99e03b46459d9dbcd1d89dd3

Please note that we are no longer able to provide a coverage score for VirusTotal.
