MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbf616ad9c72def90a363c076c2e66d25831350d2e1ad60b22675e2c0ad95e56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	dbf616ad9c72def90a363c076c2e66d25831350d2e1ad60b22675e2c0ad95e56
SHA3-384 hash:	af3c86d722f54d0b8f6d7af5a87777ef8e77a64d91967ef57df886eebfd024c69babf81a36db474aa3f059a99dacdfb4
SHA1 hash:	409794c9962f28780176be4a82b3fdd7d7b41427
MD5 hash:	cca05958526ca1b406317bbc8137c6fe
humanhash:	hotel-washington-red-vermont
File name:	dbf616ad9c72def90a363c076c2e66d25831350d2e1ad60b22675e2c0ad95e56
Download:	download sample
Signature	NetWire Create hunting rule
File size:	685'056 bytes
First seen:	2021-09-03 09:10:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:g5q/hHhR8NrA1wLVJfhE2GAOenG6AWzT+8TWDGWrFVny1oC6hhTskwIOX4H09cDO:zhLUUChBn3AGT+8yD9Jo1N8hTLC4t
Threatray	624 similar samples on MalwareBazaar
TLSH	T1D4E4FB7F19BDA2279175C6F58BE78827F0108B6F3110692476D347264322A7AB4F336E
Reporter	JAMESWT_WT
Tags:	exe NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

959

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

dbf616ad9c72def90a363c076c2e66d25831350d2e1ad60b22675e2c0ad95e56

Verdict:

Malicious activity

Analysis date:

2021-09-03 09:46:13 UTC

Tags:

trojan netwire

Link:

https://app.any.run/tasks/1f5f8b48-7069-48bb-8327-da435d5f2dce

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NetWire

Link:

https://www.capesandbox.com/analysis/185119/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a process with a hidden window

Malware family:

NetWire RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1f70c89a-37d2-4935-868e-fd6913003d06

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/844728

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to steal Chrome passwords or cookies

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Powershell Defender Exclusion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Netwire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dbf616ad9c72def90a363c076c2e66d25831350d2e1ad60b22675e2c0ad95e56/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-31 13:00:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 43 (60.47%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3p3bnlm4olppscrwhqdwyltg2jmdcninfynnmczcm5pcycwzlzla._file

Verdict:

malicious

Label(s):

netwirerc

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/210903-k5mtzagadp/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

night90.ddns.net:8999

Unpacked files

SH256 hash:

c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565

MD5 hash:

29db2e114b88ae1f6a00c9aa71690043

SHA1 hash:

ec82db71443556a5b320357b0b8b09e70ec1db9c

Link:

https://www.unpac.me/results/91d2726a-80eb-4424-b039-21f2c0899d51/

SH256 hash:

8df807bcdf4024109206e1616209cf978ddacac8c4b7335fea55e3326d5b5042

MD5 hash:

c89f7d7dfe60f975aaa49036ab067340

SHA1 hash:

c957c574d5d1d176d32dc43e889a0bb49a4c9fcd

Link:

https://www.unpac.me/results/91d2726a-80eb-4424-b039-21f2c0899d51/

SH256 hash:

3121f99240fd4c3f45da8f20d10d491bfd0b87c911f3f7c957c556c92d050029

MD5 hash:

b1b3d7734b861dfd6609920c2c94304b

SHA1 hash:

56a0059510c8e5951d115cfaaf897b98040e51c9

Detections:

win_netwire_g1

win_netwire_auto

Link:

https://www.unpac.me/results/91d2726a-80eb-4424-b039-21f2c0899d51/

Parent samples :

466c6eed81c9e10b97b539264af394bef185fdfa72cd3550f62d6634dfb2acc3
46b6c90d331eabb7e554cfe3baa01ed3e72b40793f7bc670f95b22ee611725a9
11084f0e466c6e14a898cd1e806dcfddc4ae3c7819a617c3d0a54490989ba559
dbf616ad9c72def90a363c076c2e66d25831350d2e1ad60b22675e2c0ad95e56
0257c2dba216209d6c9ad6e6096755efc9b4961018ebdceae8c931cdb62a650c
6b64c512504060c171eee898bb53f7d402ccb274f9350a2f543803c6ef23a6fd

SH256 hash:

dbf616ad9c72def90a363c076c2e66d25831350d2e1ad60b22675e2c0ad95e56

MD5 hash:

cca05958526ca1b406317bbc8137c6fe

SHA1 hash:

409794c9962f28780176be4a82b3fdd7d7b41427

Link:

https://www.unpac.me/results/91d2726a-80eb-4424-b039-21f2c0899d51/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/dbf616ad9c72/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dbf616ad9c72def90a363c076c2e66d25831350d2e1ad60b22675e2c0ad95e56

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/185119/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample