MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7f8e0a363a5042ec6e8365095076dd56636ade1cd6cdd4df9ea47a953ea8c22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 7

SHA256 hash: e7f8e0a363a5042ec6e8365095076dd56636ade1cd6cdd4df9ea47a953ea8c22
SHA3-384 hash: c652fb09835ec3f0a72f7df7c10fe045b36c9260029980bd1ab44de748c41cd869e207e6d1f2ead64ee668adcb54007d
SHA1 hash: ba92c4b517ff7aed579ed4ff0531ba5962da5072
MD5 hash: e127d529f562c3fb560cf9aa2e505913
humanhash: pizza-illinois-crazy-vegan
File name: e7f8e0a363a5042ec6e8365095076dd56636ade1cd6cdd4df9ea47a953ea8c22
Signature: NetWire
File size: 549'888 bytes
First seen: 2020-11-07 17:09:51 UTC
Last seen: 2020-11-13 15:41:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger)
ssdeep: 12288:QV1I/nPzArR9hzK4ZZJC2gjkwZm5MwHcZ6TMHBpZjWLPo3U1rq:wonLaJe4ZZJ/g4wZpUTqbZI1
TLSH: 02C4B64FBA442CADC517FCB3BC184D10A230991C678E86173116B35AB9BE71E7A931E7
Reporter: seifreed
Tags: NetWire

Intelligence

File Origin
# of uploads: 2
# of downloads: 88
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness: n/a
Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
DNS request
Creating a window
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: ByteCode-MSIL.Backdoor.NetWiredRc
Status: Malicious
First seen: 2020-11-07 17:14:56 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet rat stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
NetWire RAT payload
Netwire
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria
Rule name: Embedded_PE
Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Other

Comments