MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0
SHA3-384 hash: 42dae368451953923c7e9eee4cee4679ed6b2fda2ce45b20e7e96cb431df438715724bfcc77c8ef38f5d71a8cd764206
SHA1 hash: 1e5ec9bf8bb045caa2c9e1090444d8b5a07fa19b
MD5 hash: 1a9ce8f81c2b5e3dbd4de1681975f1e1
humanhash: bravo-white-zulu-north
File name:GBO -590 ORDER.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:853'504 bytes
First seen:2023-01-05 06:45:35 UTC
Last seen:2023-01-05 08:36:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:yf0bR6AbG9g+ULV7/yCabiYgONmRyUVzgMl79f7y7m:o0bVa9ALFy5eOERyUWq7NyK
Threatray 5'143 similar samples on MalwareBazaar
TLSH T100058B8C6778E47BFADB237A020051F91E623613F5A6F11B5E7B7EE520096FA326C105
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
212.193.30.230:7324

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
GBO -590 ORDER.exe
Verdict:
Malicious activity
Analysis date:
2023-01-05 06:46:31 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/50d171ae-c01d-4744-a947-8bd2b850420d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349547/
Detection(s):
SecuriteInfo.com.Trojan.Olock.1.10442.27695.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63b6722c0e926711fd76ff79/reports/0c866248-73be-4500-8885-4f525e1a476c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf31e676-4845-4ff3-a4cb-5ce9c98aeafa
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1145471
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 778203 Sample: GBO -590 ORDER.exe Startdate: 05/01/2023 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for URL or domain 2->65 67 11 other signatures 2->67 9 GBO -590 ORDER.exe 7 2->9         started        13 QmkdACHcaWibL.exe 5 2->13         started        process3 file4 49 C:\Users\user\AppData\...\QmkdACHcaWibL.exe, PE32 9->49 dropped 51 C:\...\QmkdACHcaWibL.exe:Zone.Identifier, ASCII 9->51 dropped 53 C:\Users\user\AppData\Local\...\tmp543A.tmp, XML 9->53 dropped 55 C:\Users\user\...behaviorgraphBO -590 ORDER.exe.log, ASCII 9->55 dropped 69 Adds a directory exclusion to Windows Defender 9->69 71 Injects a PE file into a foreign processes 9->71 15 GBO -590 ORDER.exe 3 9->15         started        18 powershell.exe 18 9->18         started        20 schtasks.exe 1 9->20         started        73 Multi AV Scanner detection for dropped file 13->73 75 Machine Learning detection for dropped file 13->75 22 schtasks.exe 13->22         started        24 QmkdACHcaWibL.exe 13->24         started        signatures5 process6 file7 57 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 15->57 dropped 26 Host.exe 5 15->26         started        29 conhost.exe 18->29         started        31 conhost.exe 20->31         started        33 conhost.exe 22->33         started        process8 signatures9 77 Multi AV Scanner detection for dropped file 26->77 79 Machine Learning detection for dropped file 26->79 81 Adds a directory exclusion to Windows Defender 26->81 83 Injects a PE file into a foreign processes 26->83 35 Host.exe 26->35         started        39 powershell.exe 26->39         started        41 schtasks.exe 26->41         started        process10 dnsIp11 59 212.193.30.230, 49698, 49699, 7324 SPD-NETTR Russian Federation 35->59 47 C:\Users\user\AppData\Roaming\...\sqlite3.dll, PE32 35->47 dropped 43 conhost.exe 39->43         started        45 conhost.exe 41->45         started        file12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0/
Threat name:
ByteCode-MSIL.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2023-01-05 06:31:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3yo4ukhtfsbwpscnkgxbjmtmiqzpshqiixoa3ns73ngmw7xpxsya._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
09355d5564e1cdd59ac0285e586ba2b0e2c7b4c5c9efa17cb8fb1fc4b8c3c19a
NetWire
1bb72419895796c3a394f4b55f0c31959c992111803764d8167dcb6c7af3088c
NetWire
1cc44e0f214cbf72c836dcbd1b1e67ad574bba62873f974432ee076072bf42cc
NetWire
22a7c02eac7f7940eba9afa9ca51a179789e22257ffe87cbab02c15360a9fded
NetWire
63c76b6d8a6c83e113d4a72361c8df64d493339fe94503522b3f666b19aacfa2
NetWire
98949b9cd7eb063eb4a2970136d3483b29891bd8c1c2ec6104e45b76f838ddf9
NetWire
99e8dfa23cef1d5d67c765df3de3bc6e750a2d8fa4628a9442d08fc40aaaa656
NetWire
9a7a657e728c731ff69db20bfb86f32dea639d2020ed4415821161aced29f7b9
NetWire
a317414343c80367a0b5cdc91b77f1948f229fda4dbaea75b07258a2cd6a4ecd
NetWire
b1c36240effced3001500a115e71328faf0136490f67568ec382ccd97254415e
NetWire
+ 5'133 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/230105-hjmkzaef2y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
212.193.30.230:7324
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/533d0506-071d-4cfb-9658-28cf8b5aa234
Unpacked files
SH256 hash:
eb3ad42e12ebdcf4a830b02850ab126e419847c9c6ba6a8d1f45e01323b618ab
MD5 hash:
c2946a0e25d5df5ef1d05dc2bea9afa2
SHA1 hash:
c627ead0706a01223764ec38f6e232f4705bbf0a
Link:
https://www.unpac.me/results/63267259-a8c5-4c6d-a906-33b5532b01b3/
SH256 hash:
54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8
MD5 hash:
4f6caebd865502f7c8046fbae3284c61
SHA1 hash:
be357e832bf6f61454875b37a1759cf1c5fa5ca4
Link:
https://www.unpac.me/results/63267259-a8c5-4c6d-a906-33b5532b01b3/
SH256 hash:
32fd4dfa87cc596e53a753482ce971f609f6a75df1f2d4cf9cae2b920aeeb890
MD5 hash:
312a89448b338804d07d44cabee7e11d
SHA1 hash:
ab183b57c94d11cbdd42d6d59c9210eaef3b58ff
Link:
https://www.unpac.me/results/63267259-a8c5-4c6d-a906-33b5532b01b3/
SH256 hash:
e0977b1c5a15c04d30f09db5775a0e0bd4ba6dcc434cbcbf35051ec11b26f22a
MD5 hash:
8e0236147f436164137fbc702159670c
SHA1 hash:
7027afe6def27cb7f5e16f992a458982459baccc
Detections:
Netwire
Create hunting rule
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/63267259-a8c5-4c6d-a906-33b5532b01b3/
Parent samples :
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0
b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c
SH256 hash:
c540ee591b86046d35bd8c6d10081c0a11ca9292c1665b772ea48a0b54ce200e
MD5 hash:
640dae8ea290a5b59948adf98a5a48ac
SHA1 hash:
6fc6c71f5820a59d87306d05076030ca8109380f
Link:
https://www.unpac.me/results/63267259-a8c5-4c6d-a906-33b5532b01b3/
SH256 hash:
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0
MD5 hash:
1a9ce8f81c2b5e3dbd4de1681975f1e1
SHA1 hash:
1e5ec9bf8bb045caa2c9e1090444d8b5a07fa19b
Link:
https://www.unpac.me/results/63267259-a8c5-4c6d-a906-33b5532b01b3/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/de1dca28f32c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349547/

Comments