MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4715658b6981b37c06e063e6b59af6d82c8c5edeb93e339e367d497332b7b69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4715658b6981b37c06e063e6b59af6d82c8c5edeb93e339e367d497332b7b69
SHA3-384 hash: 96797c361d016f2c78b7c7f948f282954a03ceea1495d29653bc282f8509530a817250095e1bc60ceeb31773a97e60f9
SHA1 hash: 88b017cc2231895fdb283a9dde7430f7627a229d
MD5 hash: f00a0488e36311c7f68821c6aecd6717
humanhash: network-iowa-saturn-sodium
File name:HSBC379.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:465'047 bytes
First seen:2022-02-14 07:11:40 UTC
Last seen:2022-02-21 09:06:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:fw1nduwdSXyXLj2vg+ZZXbtcGNRuIF6YVYVML/Kv2VBj3D8TToQ6yAhZRQNb:6VdSXy7j8ZXbOAI+6YzMyBjTK6TJYb
Threatray 9'229 similar samples on MalwareBazaar
TLSH T1FDA4E4B3D35CC8E1DD9211F4220ECEA71A517F9FA4D462C959ECB63BDB38065E0E4892
File icon (PE):PE icon
dhash icon 30808a9c9c8a8830 (1 x NetWire)
Reporter abuse_ch
Tags:exe HSBC NetWire

Intelligence

File Origin
# of uploads :
3
# of downloads :
347
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241280/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a1af923-3168-44e3-bdf6-9c83404e9ccd
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/939133
Signature
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 571607 Sample: HSBC379.exe Startdate: 14/02/2022 Architecture: WINDOWS Score: 92 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected NetWire RAT 2->49 51 Machine Learning detection for sample 2->51 9 HSBC379.exe 19 2->9         started        12 tgfujffgjiox.exe 2->12         started        14 tgfujffgjiox.exe 2->14         started        process3 file4 35 C:\Users\user\AppData\Local\Temp\mdltm.exe, PE32 9->35 dropped 16 mdltm.exe 1 2 9->16         started        20 WerFault.exe 10 12->20         started        22 WerFault.exe 10 14->22         started        process5 file6 31 C:\Users\user\AppData\...\tgfujffgjiox.exe, PE32 16->31 dropped 37 Contains functionality to log keystrokes 16->37 39 Found evasive API chain (may stop execution after checking mutex) 16->39 41 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 16->41 43 3 other signatures 16->43 24 mdltm.exe 3 16->24         started        signatures7 process8 file9 33 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 24->33 dropped 27 Host.exe 24->27         started        process10 process11 29 WerFault.exe 23 9 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4715658b6981b37c06e063e6b59af6d82c8c5edeb93e339e367d497332b7b69/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-02-14 07:12:11 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
9 of 43 (20.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ryvmwfwtantpqdoay7gwwnpnwbmrrpn5oj6gopdm7kjomzlpnuq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
091d92d2e14ba95af59e11e051333ad696507d9b2a93d9a926fc95cd40b4fbf4
NetWire
13c9e72370631d555cab3bd6ba12339252fa26915a6a60741668aea478a17cbb
NetWire
1c783c06aa669b0133618672069fba39409a6eda891e48e172d679ed0c1e8fef
NetWire
3d0defc77abb415c8854149e73e067b94bdb3fdc638fa7e104bcc4a325dc658a
NetWire
524881f1bcc00d0a27ab7829b776e32844b3e9f19cea0bfae32b95a6a8006ffc
NetWire
6e6e18a85c523bfffd1b5293b978832f7387fda9b9eee87d3d8e98666fe020c9
NetWire
88d97538adda1f29e2f088883d64db0776c2f7e9c80a2a789785c4af970ec129
NetWire
dee29915a45463d25c7f4de2abac14269137c359f848baf8ad4205fb07e2fa0b
NetWire
+ 9'219 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/220214-h1kspsgbg9/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
194.147.140.14:3360
Unpacked files
SH256 hash:
b6116ab2f5d8d9be2ae327f3bfbbae58e7aac59d7ad284a8d92708ab391338c0
MD5 hash:
f35d90a9a4d87916bee33c42f6dd8d0d
SHA1 hash:
f68f633d3e65b3176c6e5d7ac14f191cea60c8cb
Detections:
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/466d9da2-81f6-49ef-9f53-4f6f51738dc0/
Parent samples :
e4715658b6981b37c06e063e6b59af6d82c8c5edeb93e339e367d497332b7b69
e83b81147f0b08a09751772c75cdec2522f2fce19b1f035a2ddc415f633dd2e0
SH256 hash:
b6280c9cf636cc90cee4025bce694f236140ba02b0922ac664edcdb16fa0fbb2
MD5 hash:
f1b977dcfa8f4405d010fdfe8c758909
SHA1 hash:
43db45c019b68bb35ad0405ce7e14817e93e0589
Link:
https://www.unpac.me/results/466d9da2-81f6-49ef-9f53-4f6f51738dc0/
SH256 hash:
e4715658b6981b37c06e063e6b59af6d82c8c5edeb93e339e367d497332b7b69
MD5 hash:
f00a0488e36311c7f68821c6aecd6717
SHA1 hash:
88b017cc2231895fdb283a9dde7430f7627a229d
Link:
https://www.unpac.me/results/466d9da2-81f6-49ef-9f53-4f6f51738dc0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
netwire
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4715658b6981b37c06e063e6b59af6d82c8c5edeb93e339e367d497332b7b69

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241280/

Comments