MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3edba9f4ae246a43360369856788767104a0ecd46cc016c71ca2bbdf515b523. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetWire


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 4 File information Comments

SHA256 hash: e3edba9f4ae246a43360369856788767104a0ecd46cc016c71ca2bbdf515b523
SHA3-384 hash: bae54ffe7a406401967a07bb2045aba46f1856473b2201b7b5e60f2d544cca07ad13d5a21846e480ad9b6801eb409308
SHA1 hash: b73d2d744a31fe07149db05358b9cd4f7120baad
MD5 hash: 220deca03f53883f6e18e92a3ad43c4e
humanhash: idaho-diet-low-hawaii
File name:220DECA03F53883F6E18E92A3AD43C4E.exe
Download: download sample
Signature NetWire
File size:714'720 bytes
First seen:2021-03-22 17:28:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8bf672a41053f2797940aae8ccd5c211 (2 x RemcosRAT, 1 x NetWire)
ssdeep 12288:Dcmw61oKvfK189V4k3vymEyhVPznPMP8PGF7a34UCKg:oC1Y189SkKmnEEf3Tg
TLSH F4E47C11A6A140F6D16319788C5B572958A6BF703A386C463AED1D0CBFFF3903D2DE92
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
194.5.98.100:2222

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.5.98.100:2222 https://threatfox.abuse.ch/ioc/4423/

Intelligence


File Origin
# of uploads :
1
# of downloads :
402
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
220DECA03F53883F6E18E92A3AD43C4E.exe
Verdict:
Malicious activity
Analysis date:
2021-03-22 23:07:19 UTC
Tags:
rat netwire trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Result
Threat name:
NetWire
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Contains functionality to steal Chrome passwords or cookies
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: NetWire
Sigma detected: Suspicious Program Location Process Starts
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Delf
Status:
Malicious
First seen:
2021-03-18 08:32:05 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Result
Malware family:
netwire
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
e3edba9f4ae246a43360369856788767104a0ecd46cc016c71ca2bbdf515b523
MD5 hash:
220deca03f53883f6e18e92a3ad43c4e
SHA1 hash:
b73d2d744a31fe07149db05358b9cd4f7120baad
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:IPPort_combo_mem
Author:James_inthe_box
Description:IP and port combo
Rule name:MALWARE_Win_NetWire
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:win_netwire_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments