MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e748f3e105a9370ec194134350c352b1a2c12cdf43be16e5804e4eb12ab39c13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e748f3e105a9370ec194134350c352b1a2c12cdf43be16e5804e4eb12ab39c13
SHA3-384 hash: 7bb31902347a0c38b49a4161a526458b113f0b4c2ffbbb049fc9e55af4848fb9d3373420e9b8142c29b91303c76ed318
SHA1 hash: a398e2390b0dffb28acd0a9cd92c1116c112e0ea
MD5 hash: 2316249bc9225731783d970056673d52
humanhash: cola-lake-north-coffee
File name:e748f3e105a9370ec194134350c352b1a2c12cdf43be16e5804e4eb12ab39c13
Download: download sample
Signature NetWire
Create hunting rule
File size:18'874'368 bytes
First seen:2020-11-15 22:39:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 393216:/mc8QZa8QKA4TIFgUQI6QOHsFVUQmtIMdI7xDw7Uhr15:/OQs8QKjTIiqvUttbStDwQr15
Threatray 52 similar samples on MalwareBazaar
TLSH 5C173320FCD28831C6600471BA5DA59AFF38FD751AAC48C7ABDC038D19725E195BA7E3
Reporter seifreed
Tags:NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.NetWire-9792487-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Windows subdirectories
Forced system process termination
Deleting a recently created file
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e748f3e105a9370ec194134350c352b1a2c12cdf43be16e5804e4eb12ab39c13/
Threat name:
ByteCode-MSIL.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 22:40:32 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=45ephyifve3q5qmucnbvbq2swgrmclg7io7bnzmajzhlckvttqjq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
01f936785968394ba82a93a816c897d77879a247b12621b42e12b2a7592a4f6d
NetWire
076dfc0a55afc36cdfd6dff84cfd0feae23029843e745b7f122980b341f7b710
NetWire
238c224cf8d0b76532ae16f8a8d2682436a176909f382b8747e418f42ccaedeb
NetWire
28d1ce2d141fcfc52b6b8a81f5424920ba2818a14e8ac201446697ff977082de
NetWire
47470dc6911824b1a903197f0d06acedeba47415ebf3d212dd6514a14eec0ded
NetWire
8f60548d2cde9e0681d8609aef71f51c820073a2a70e75bfa0fa56e3890d94e0
NetWire
bc9204be92ac0bd373bc0153d02be668ad82d382ebcc112fa8c252e6f9c67080
NetWire
bfae4bc772025d9c3b68f74230a937a1bf062c4bb22994ce2606aa785577c2b4
NetWire
e6db6d5f9019bdefffc749264a267c1927dcf5eba5a7ea3dfb10db457b6b2a16
NetWire
f1ff26f937fb6b5d3071a430d45db0439454d9311ef88610aeac7620e1c89e54
NetWire
+ 42 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet evasion persistence rat stealer trojan
Link:
https://tria.ge/reports/201115-sdadd6xj1e/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
NSIS installer
Modifies service
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Modifies security service
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
e748f3e105a9370ec194134350c352b1a2c12cdf43be16e5804e4eb12ab39c13
MD5 hash:
2316249bc9225731783d970056673d52
SHA1 hash:
a398e2390b0dffb28acd0a9cd92c1116c112e0ea
Link:
https://www.unpac.me/results/95d00336-19e2-40cb-bcdc-16b6b83eb2dd/
SH256 hash:
311e6587c7c2295625ebf54e87d44920ae2b4fc96205f7ca1423a22a195a3cd5
MD5 hash:
71d4873b054fefea490b0c0205624d99
SHA1 hash:
ab960203994c5e39b33ef67596106a3457f55f6c
Link:
https://www.unpac.me/results/95d00336-19e2-40cb-bcdc-16b6b83eb2dd/
SH256 hash:
4e58d5ca1092a8f640a511fd34f968f4389d6c1969f1f1226a443b4d71709c9b
MD5 hash:
fb7a229155c8ac32a6784851f301dbad
SHA1 hash:
b22c170177974ef71a1f4afcc70ceeb98c20c731
Link:
https://www.unpac.me/results/95d00336-19e2-40cb-bcdc-16b6b83eb2dd/
SH256 hash:
ffa9ca6fabcb1d9dcd2961949223bf179c85f697f7146ebc58b9b88596e9d896
MD5 hash:
07905522647a16815aad1b6de89f88e5
SHA1 hash:
6c06fc48bdfc5a7c70cb8342b738afbc574b329e
Link:
https://www.unpac.me/results/95d00336-19e2-40cb-bcdc-16b6b83eb2dd/
SH256 hash:
d5f893fea3cdc98314c6528619b12d6b1e1830b74f0704f35b052cf3c38c8686
MD5 hash:
bbe71e3878d61da08998af88a5f53eff
SHA1 hash:
afa529cd240a027b9da345f630268586c28f2bc4
Link:
https://www.unpac.me/results/95d00336-19e2-40cb-bcdc-16b6b83eb2dd/
SH256 hash:
c6dbc2c4a260a739da534fda74a083e6ee18132913392ac7a09a0434db707b69
MD5 hash:
ffa8561c93051072ecd13139f3098885
SHA1 hash:
cb22c112a389001a939c327a6f48102d91f93733
Link:
https://www.unpac.me/results/95d00336-19e2-40cb-bcdc-16b6b83eb2dd/
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/95d00336-19e2-40cb-bcdc-16b6b83eb2dd/
SH256 hash:
5886dbc91ebc7a1e9d6b72794eb0bed7403d060a322aec65a9269f52deb4ff46
MD5 hash:
773658b99d7e72b3b75b404c4afc1dec
SHA1 hash:
3938e9d73cdedf65c4a2ee321d6b6a35f62ddb3a
Link:
https://www.unpac.me/results/95d00336-19e2-40cb-bcdc-16b6b83eb2dd/
SH256 hash:
542282ed737d2cb55e3cb59d05e58e8dbf6473d63461194a9ba597f0f3eb5d75
MD5 hash:
0ab09caf48c9dcbcbd53aef80493abd2
SHA1 hash:
fd985c8ed98d443fde035be26592b92662b9c5ea
Link:
https://www.unpac.me/results/95d00336-19e2-40cb-bcdc-16b6b83eb2dd/
SH256 hash:
02869b76936e3c3102bb36e34b41bc989770bf81dca09f31c561bb6be52285ee
MD5 hash:
70d4c5f9acc5ddf934b73fa311ade7d8
SHA1 hash:
6962e84782b0e1fe798cdce1d7447211228ca85b
Link:
https://www.unpac.me/results/95d00336-19e2-40cb-bcdc-16b6b83eb2dd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
netwire
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e748f3e105a9370ec194134350c352b1a2c12cdf43be16e5804e4eb12ab39c13

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments