MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ded08c2f175c8c5e189e3d431447ec15d0bd5a6cf3b674cd0fd917e77f912972. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetWire


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 6 File information Comments

SHA256 hash: ded08c2f175c8c5e189e3d431447ec15d0bd5a6cf3b674cd0fd917e77f912972
SHA3-384 hash: f0575e70712e3a077a68982135a6b0f613642bd063540af25a9b2922c2037f7ea94ef895a93273e1d5801ad0ec6ba029
SHA1 hash: 91e19e4f8781a0d218b2eb34ff8d42a53a924adb
MD5 hash: a6db5feb36d5b6ceeeb3693fb695d565
humanhash: don-gee-oregon-moon
File name:a6db5feb36d5b6ceeeb3693fb695d565.exe
Download: download sample
Signature NetWire
File size:156'672 bytes
First seen:2022-03-20 10:46:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d7d7eef28fafe2b5ddc3acb058c53dd9 (1 x NetWire)
ssdeep 3072:/2bUB9DOMhb0pwHRLGv/xYFS9zIgn2S6eQi+:lleiGHxb51r+
TLSH T1C6E33A1AE15B95ECCD2BC0B486F7A232B4727C641234FD3B5760DF321E23A51BB69609
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
161.35.116.7:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
161.35.116.7:80 https://threatfox.abuse.ch/ioc/427195/

Intelligence


File Origin
# of uploads :
1
# of downloads :
524
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug greyware keylogger netwire razy shell32.dll
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
92 / 100
Signature
Contains functionality to log keystrokes
Contains functionality to steal Internet Explorer form passwords
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire RAT Registry Key
Behaviour
Behavior Graph:
Threat name:
Win64.Backdoor.NetWired
Status:
Malicious
First seen:
2022-03-15 21:57:05 UTC
File Type:
PE+ (Exe)
AV detection:
30 of 42 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
netwirerc
Result
Malware family:
netwire
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
ded08c2f175c8c5e189e3d431447ec15d0bd5a6cf3b674cd0fd917e77f912972
MD5 hash:
a6db5feb36d5b6ceeeb3693fb695d565
SHA1 hash:
91e19e4f8781a0d218b2eb34ff8d42a53a924adb
Malware family:
Netwire
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MALWARE_Win_NetWire
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:MAL_unspecified_Jan18_1
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:MAL_unspecified_Jan18_1_RID2F4A
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Author:jeFF0Falltrades
Rule name:Suspicious_BAT_Strings
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments