MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e805423ef1971ad60f2cf93dd0845f3bc13fb5bce5dc3b3b3e39f56c4f9142e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e805423ef1971ad60f2cf93dd0845f3bc13fb5bce5dc3b3b3e39f56c4f9142e7
SHA3-384 hash: 94e424f53fc633966217df0d49e56402898331b028950b98bd969ecb945c69ac04a7a08f2cd5961ce4fb18ac4420a205
SHA1 hash: 89527bedf848caf1890612d3848c61a941517125
MD5 hash: 3a0e8117d1ab854750d95f7035d26caa
humanhash: eight-sweet-solar-uncle
File name:Departamento de contadores Consejos de pago 0.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:847'362 bytes
First seen:2021-07-30 17:20:49 UTC
Last seen:2021-07-30 17:41:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c54a51ade970b440d47c550557ef97c5 (1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:UW/TXFjs7ss0L1gFV5qNri5CQBznMjFJHQndtXUhF0dh0MgkLmPD:UW/DZs7qgPRVVnWwJdha1PD
Threatray 825 similar samples on MalwareBazaar
TLSH T121058CD8E2630432ED630A389D2B576D9B39BF40172411436BFDED484FB9B4ABC7149A
dhash icon 89acae93529aaaa2 (1 x NetWire, 1 x RemcosRAT)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
194.5.98.7:3278

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.5.98.7:3278 https://threatfox.abuse.ch/ioc/164903/

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'009
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Departamento de contadores Consejos de pago 0.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-30 17:22:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bf739330-a62f-4f28-81ec-6837d762a4c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175324/
Detection(s):
SecuriteInfo.com.Trojan.Heur3.LPT.ZGX@auBrKekib.15253.28050.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aba5da16-fdb8-47dd-8286-bbed9dae84ff
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/824606
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e805423ef1971ad60f2cf93dd0845f3bc13fb5bce5dc3b3b3e39f56c4f9142e7/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-07-30 17:21:05 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5acuepxrs4nnmdzm7e65bbc7hpat7nn44xodwoz6hh2wyt4riltq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
16fc50c5d5b5419d2a3244294c7d6a77087edca488ec63146b573b31f1526809
NetWire
204b5f6085ac0a3082590aa0518074cb2e7fa9ebb6ccb4106cbf57588453104e
NetWire
242d38ebd19ccd5c3b65eb9aad87844fc17ca11075fab108dc00d26cc0d137ba
NetWire
3ffc5daa049116311ac1363623b7a8960b7aabb4b874d1126a358b8d483e33cd
NetWire
5759a1711d0f78b7be3f76aa9e451516f93d91370586f863dd5a68291c82ee3b
NetWire
82dc13144b5d22e2e75fc7dc783439e2c1e93dbe630411d3fa62b77b27645e12
NetWire
cb9713e99535b6589f62d352c0a22488ae19d4b02df7f33e3fc052e9c8414481
NetWire
cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
NetWire
deabb312ade9d16c64ea491e5cf9477e1b98f2c5cda72ab2cb1b8b75af558d31
NetWire
f3ad47ca842225f405e277f5f2b0521266fe65a90bf746ac39a67990835ddf14
NetWire
+ 815 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet stealer
Link:
https://tria.ge/reports/210730-r9sd79r23x/
Behaviour
Suspicious use of WriteProcessMemory
Netwire
Unpacked files
SH256 hash:
a6dbc14cb792b7eb21fb78abbcfc50ab940717ff8bdebf2f8db47e1ab12b6f9b
MD5 hash:
49995a2953873c7265752d191ae9f40b
SHA1 hash:
2f911fc1c8371812fbe412cf60886cf7554b20c9
Link:
https://www.unpac.me/results/c451f5b3-e35c-444c-8ebf-20a6ecebb420/
SH256 hash:
e805423ef1971ad60f2cf93dd0845f3bc13fb5bce5dc3b3b3e39f56c4f9142e7
MD5 hash:
3a0e8117d1ab854750d95f7035d26caa
SHA1 hash:
89527bedf848caf1890612d3848c61a941517125
Link:
https://www.unpac.me/results/c451f5b3-e35c-444c-8ebf-20a6ecebb420/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e805423ef1971ad60f2cf93dd0845f3bc13fb5bce5dc3b3b3e39f56c4f9142e7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175324/

Comments