MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc9030495d59d6792868d978609f095ab2cf6145a60897550d606712717bac76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc9030495d59d6792868d978609f095ab2cf6145a60897550d606712717bac76
SHA3-384 hash: 304d694d7939239e0e0b1ba347ded05ff4b97b2ea73b8bff9870377288328504baa724a3ca7bb506870ccaa6d932886a
SHA1 hash: f752d4fce11482deb2cbe2b7d36c2fa35a9098f0
MD5 hash: 1dec08891610db104bce8f7abdcf3c93
humanhash: north-fourteen-double-six
File name:PO20880538.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'504'036 bytes
First seen:2021-05-27 18:52:42 UTC
Last seen:2021-05-27 20:19:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 24576:0iH+xbBfsT5p0AYzGqSB1lAZqOvWeRE5E82qc5BSssc+kX:dmBEqzGqSBQZ5BEaH5BtsG
Threatray 2'978 similar samples on MalwareBazaar
TLSH 5F65225BB541C0EEC7974AB0CE1AD36CA6236DF1AFE08042BFC53B9E6F7546AD915002
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
185.140.53.129:8753

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.140.53.129:8753 https://threatfox.abuse.ch/ioc/65655/

Intelligence

File Origin
# of uploads :
2
# of downloads :
366
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO20880538.exe
Verdict:
No threats detected
Analysis date:
2021-05-27 20:58:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/815fad44-3bd6-4aa3-9379-0fb5e0d27694

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/162817/
Detection(s):
SecuriteInfo.com.Trojan.Siggen13.45720.25542.24615.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a UDP request
Creating a file in the %AppData% subdirectories
DNS request
Creating a window
Creating a file in the Program Files subdirectories
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Nanocore NetWire Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/793462
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Yara detected Beds Obfuscator
Yara detected Nanocore RAT
Yara detected NetWire RAT
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 425863 Sample: PO20880538.exe Startdate: 27/05/2021 Architecture: WINDOWS Score: 100 76 sipex2021.ddns.net 2->76 78 copieronlineph209.ddns.net 2->78 92 Multi AV Scanner detection for domain / URL 2->92 94 Found malware configuration 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 16 other signatures 2->98 8 PO20880538.exe 11 2->8         started        11 nehsehikp.exe 17 2->11         started        14 nehsehikp.exe 2->14         started        16 dhcpmon.exe 2->16         started        signatures3 process4 file5 54 C:\Users\user\AppData\Local\...\snakelog.exe, PE32 8->54 dropped 56 C:\Users\user\AppData\...\netwirelog.exe, PE32 8->56 dropped 58 C:\Users\user\AppData\Local\...\nanolog.exe, PE32 8->58 dropped 18 snakelog.exe 20 8->18         started        22 netwirelog.exe 1 22 8->22         started        24 nanolog.exe 20 8->24         started        60 C:\Users\user\AppData\Local\...\System.dll, PE32 11->60 dropped 118 Multi AV Scanner detection for dropped file 11->118 120 Detected unpacking (changes PE section rights) 11->120 122 Detected unpacking (overwrites its own PE header) 11->122 126 3 other signatures 11->126 26 nehsehikp.exe 11->26         started        62 C:\Users\user\AppData\Local\...\System.dll, PE32 14->62 dropped 124 Maps a DLL or memory area into another process 14->124 29 nehsehikp.exe 14->29         started        64 C:\Users\user\AppData\Local\...\System.dll, PE32 16->64 dropped 31 dhcpmon.exe 16->31         started        signatures6 process7 dnsIp8 42 C:\Users\user\AppData\Local\...\System.dll, PE32 18->42 dropped 100 Multi AV Scanner detection for dropped file 18->100 102 Detected unpacking (changes PE section rights) 18->102 104 Detected unpacking (creates a PE file in dynamic memory) 18->104 106 May check the online IP address of the machine 18->106 33 snakelog.exe 15 2 18->33         started        44 C:\Users\user\AppData\...\nehsehikp.exe, PE32 22->44 dropped 46 C:\Users\user\AppData\Local\...\System.dll, PE32 22->46 dropped 108 Detected unpacking (overwrites its own PE header) 22->108 110 Contains functionality to log keystrokes 22->110 112 Contains functionality to steal Internet Explorer form passwords 22->112 114 Contains functionality to steal Chrome passwords or cookies 22->114 37 netwirelog.exe 2 22->37         started        48 C:\Users\user\AppData\Local\...\System.dll, PE32 24->48 dropped 116 Maps a DLL or memory area into another process 24->116 39 nanolog.exe 1 10 24->39         started        80 sipex2021.ddns.net 26->80 82 sipex2021.ddns.net 29->82 file9 signatures10 process11 dnsIp12 66 checkip.dyndns.org 33->66 68 checkip.dyndns.com 131.186.161.70, 49730, 49732, 80 DYNDNSUS United States 33->68 74 2 other IPs or domains 33->74 84 Tries to steal Mail credentials (via file access) 33->84 86 Tries to harvest and steal ftp login credentials 33->86 88 Tries to harvest and steal browser information (history, passwords, etc) 33->88 70 copieronlineph209.ddns.net 185.140.53.129, 49715, 49717, 49719 DAVID_CRAIGGG Sweden 37->70 72 sipex2021.ddns.net 37->72 50 C:\Program Files (x86)\...\dhcpmon.exe, PE32 39->50 dropped 52 C:\Users\user\AppData\Roaming\...\run.dat, data 39->52 dropped 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 39->90 file13 signatures14
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dc9030495d59d6792868d978609f095ab2cf6145a60897550d606712717bac76/
Threat name:
Win32.Trojan.NetWired
Create hunting rule
Status:
Malicious
First seen:
2021-05-27 01:47:50 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3sidask5lhlhskdi3f4gbhyjlkzm6ykfuyejovinmbtre4l3vr3a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
1296e2be1e9e8dc2431cd3c37337af6fe9f2ad6e9b380111507b009642250216
NetWire
1aa7d80336821e86d39b12d3787619f82096e3e4e0004d82187067d92ac105cf
NetWire
31a804fddf5f1ed1d5c1a69772bc92026f90696a6903a3a7ebaf7aef6dfa9478
NetWire
328908f054c4a82ebcb35127b0e9c7924dcdb6c134b76f01b269a2dd23967b18
NetWire
43e61498399ac2110f53a170eaa2d37c85bc43473306088d156bf683e636c795
NetWire
63d0937af7bf53fe0b74ae6631452ff2d254ab6c7e1d0a62372f1f6992a1a1fd
NetWire
adb2126ab8201d688d9569a05f08fd1738bf80302d46ef2aa83eb2fc7eb94203
NetWire
bdfb906a3a02d8a28bef1d13d0abff090bc9582373e05e5f376186e9a7c5a902
NetWire
d19e690275e1eec487544552366accd109567893c79b3634cef31515b9a0a19b
NetWire
f250ac555d8a417883aec028d6b80e0eb627686d08a56f2c5e5bbb04c0ecbf85
NetWire
+ 2'968 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:nanocore family:netwire family:snakekeylogger botnet evasion keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210527-zptpl67lsj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
NanoCore
NetWire RAT payload
Netwire
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
:6596
copieronlineph209.ddns.net:6596
https://api.telegram.org/bot1761516426:AAE3Juu_v6fG9Gy1S33LdTvyz85ua-duZsk/sendMessage?chat_id=1727399585
sipex2021.ddns.net:8753
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc9030495d59d6792868d978609f095ab2cf6145a60897550d606712717bac76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:Nanocore
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Feb18_1
Create hunting rule
Author:Florian Roth
Description:Detects Nanocore RAT
Reference:Internal Research - T2T
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_nanocore_w0
Create hunting rule
Author: Kevin Breen <kevin@techanarchy.net>
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/162817/

Comments