MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9cc0af19d1d8bafdef3ffb9dae747c83cce8b83718ca9d6ef95c80d6e66b344. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash:	e9cc0af19d1d8bafdef3ffb9dae747c83cce8b83718ca9d6ef95c80d6e66b344
SHA3-384 hash:	7160e577572baa715312e6d8c2970d35b077185c41ffedffd3f31f8b1f74cc77717f6a02e639f07debf336f827672851
SHA1 hash:	5bdfb2bed56472cf2c57aefaafa28c6d7e21fa8d
MD5 hash:	de9b712ef2b81341e7ffbc46ffc10f33
humanhash:	lion-tango-leopard-equal
File name:	PO.17822.pdf.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	762'880 bytes
First seen:	2022-08-17 04:20:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:qc+IN611R/5PEDNaJWhEzGVjil+SyRFNQaSVliSmR9vcbEMW4ykfUFr8tA+/S:qc/EPMThEC6+SyT+lSvai4bsiA
Threatray	375 similar samples on MalwareBazaar
TLSH	T181F4233423DC4629CA5E2638EBB51611173DFB077016EF9E42C0EBD929B5BD44EB9223
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.3% (.SCR) Windows screen saver (13101/52/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	7eeceeccd6c2f2f2 (14 x Formbook, 9 x AgentTesla, 8 x RemcosRAT)
Reporter	abuse_ch
Tags:	exe NetWire RAT

abuse_ch

NetWire C2:
91.192.100.7:6671

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
91.192.100.7:6671	https://threatfox.abuse.ch/ioc/843792/

Intelligence

File Origin

# of uploads :

# of downloads :

302

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netwire

ID:

File name:

PO.17822.pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-08-17 04:20:56 UTC

Tags:

trojan rat netwire

Link:

https://app.any.run/tasks/99eb4544-26d6-4fac-b4c8-bfeb7376ebd1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/299096/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.12627.30770.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62fc6cef2093f73528636d8a/reports/674f5ce5-e153-4de4-a4f9-4e3d32fcb79f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/18c4fd46-78e1-409d-ab9c-8141bdd2d9c5

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1052689

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e9cc0af19d1d8bafdef3ffb9dae747c83cce8b83718ca9d6ef95c80d6e66b344/

Threat name:

Win32.Trojan.NetWired

Status:

Malicious

First seen:

2022-08-17 04:21:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 25 (84.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5hgav4m5dwf27xxt7645vz2hza6m5c4doggktvxpsxea23tgwnca._file

Verdict:

malicious

Label(s):

netwirerc

NetWire

4a762e8f8af34dcfcd469d9e9bfb43c977cd878d939527053a46dd580e654c80

NetWire

9754284c45e7c6b119c5d377df3679f88ec3e753390d0f43980b22673302b059

NetWire

984288db5fa138cb2222df3a7ef8b2dae66d614da85d3fd5b5ee5f88bb36a03b

NetWire

b26e6022641bfe674c7b7d2967300f74e1381e402b0046e24d2ad6f16167d3c9

NetWire

+ 365 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/220817-eym89sadbq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

ingobea.hopto.org:6671

Unpacked files

SH256 hash:

4638f25709cd1447a35a29060800304801e28112291935178b2b3f175184a8ad

MD5 hash:

2aef63d2f4636c3af4684b2a9db292f2

SHA1 hash:

d2567e22b04f965f341daeaedb9d98edf91df14f

Detections:

win_netwire_g1

win_vigilant_cleaner_auto

Netwire

Link:

https://www.unpac.me/results/91c25b26-b6f4-4e75-bc2b-7faa945cb8eb/

SH256 hash:

a73cd42a6a0789234632117da7f72ae55ef638e96e258c5cf49427e324558bee

MD5 hash:

bb343a1ce3418186f2e24d6a4b21bca5

SHA1 hash:

09aa1d3bdb0ad9b3bd7d0e378bfa58ca02ca8b58

Detections:

win_netwire_g1

Netwire

Link:

https://www.unpac.me/results/91c25b26-b6f4-4e75-bc2b-7faa945cb8eb/

SH256 hash:

551ef0181260a5ab5728a618c2e86443753aaeb425e6c3b1346dfb0a661c73af

MD5 hash:

3c7205139e6aabd7de040b15021c24ed

SHA1 hash:

e4c66e4ca1bb3b5488d7c4ba7fddc8cac118955f

Link:

https://www.unpac.me/results/91c25b26-b6f4-4e75-bc2b-7faa945cb8eb/

SH256 hash:

a814af8a15ef24b7ef484ae4deed65dbba06bc0635e92575dcb3788bd0c4fbab

MD5 hash:

6e814a5301c1c765b7a67ab184ad108d

SHA1 hash:

809ef36821b0767d39d6a25029c7e01881ccb89a

Link:

https://www.unpac.me/results/91c25b26-b6f4-4e75-bc2b-7faa945cb8eb/

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/91c25b26-b6f4-4e75-bc2b-7faa945cb8eb/

SH256 hash:

e9cc0af19d1d8bafdef3ffb9dae747c83cce8b83718ca9d6ef95c80d6e66b344

MD5 hash:

de9b712ef2b81341e7ffbc46ffc10f33

SHA1 hash:

5bdfb2bed56472cf2c57aefaafa28c6d7e21fa8d

Link:

https://www.unpac.me/results/91c25b26-b6f4-4e75-bc2b-7faa945cb8eb/

Malware family:

Netwire

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e9cc0af19d1d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.96

Link:

https://yomi.yoroi.company/submissions/e9cc0af19d1d8bafdef3ffb9dae747c83cce8b83718ca9d6ef95c80d6e66b344

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/299096/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample