MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea32c3c39c8c3f83e95916262d37b5aa49c920a9356dcebfa639b8391413ae9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	ea32c3c39c8c3f83e95916262d37b5aa49c920a9356dcebfa639b8391413ae9a
SHA3-384 hash:	d7ffb902d13f3b494edc2f74cbdd10271e3fa697d56ff3f9471c72314358743ae20187ddecc1c51b97f4da44803128ff
SHA1 hash:	9dd92ebe68c7b149cb09edebf7587adf7ee5a4e5
MD5 hash:	a2609cffa6b57d22ffbe342013f59847
humanhash:	lactose-maryland-cardinal-crazy
File name:	Purchase Order No. PO2732559-022.pdf (742 KB).exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	827'392 bytes
First seen:	2022-09-05 12:30:08 UTC
Last seen:	2022-09-15 15:34:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:SzE+eQ2iNEF75euLUDYGbOwUjJLN4DXwEBYHofeVs06RBteoqpo1cxWY4/:ZQ16Z5fSYv5vsXwVHofdYoqpo2
Threatray	917 similar samples on MalwareBazaar
TLSH	T16305F11DE66CDFE4F038477924F0EA162FB5BF2594BDC14A0D96B2AB18B47524007E8B
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	58525252dac96c52 (10 x NetWire)
Reporter	lowmal3
Tags:	exe NetWire

Intelligence

File Origin

# of uploads :

# of downloads :

424

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netwire

ID:

File name:

Purchase Order No. PO2732559-022.pdf (742 KB).exe

Verdict:

Malicious activity

Analysis date:

2022-09-05 12:31:16 UTC

Tags:

trojan netwire

Link:

https://app.any.run/tasks/d9d0b918-3404-4078-ab47-9720425314bb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NetWire

Link:

https://www.capesandbox.com/analysis/307898/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

SecuriteInfo.com.Trojan.PackedNET.1427-2.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6315ec53b00f73916cba57b9/reports/e3a7a471-25b5-427a-9512-7aaddeca7a67/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NetWire RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/12531a6e-5ead-406b-a80e-f1119283bb68

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1065101

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NetWire

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ea32c3c39c8c3f83e95916262d37b5aa49c920a9356dcebfa639b8391413ae9a/

Threat name:

ByteCode-MSIL.Trojan.Tnega

Status:

Malicious

First seen:

2022-09-05 08:11:36 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 40 (47.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5izmhq44rq7yh2kzcytc2n5vvje4sifjgvw45p5ghg4dsfatv2na._file

Verdict:

malicious

Label(s):

netwirerc

NetWire

2a05a23d8879f9d001af335779b5102dd644b08d2f106353c28c8ce303ee9b58

NetWire

73662d6a7b9efd762e7a7942b2b4c9f0b16b0421875f1a22c8d58034323d4d37

NetWire

a1bc1aba176e99f0531b911a04d6c636ef21dab12d24026c672829d0c624e16e

NetWire

f310b643bdb799627e5b28339b5f455129d61bfd4fb50bdc802b052038c7eb1a

NetWire

f53a21f7dbd23dbb06174d92ba8c94f9a4296ae1271372c3e5369121aa7a6e62

NetWire

+ 907 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/220905-pp2qeabfd2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Uses the VBS compiler for execution

NetWire RAT payload

Netwire

Malware Config

C2 Extraction:

podzeye2.duckdns.org:4433
podzeye2.duckdns.org:4411
podzeye2.duckdns.org:4422

Unpacked files

SH256 hash:

4a0c2d888ee006f7dc854bd3925feeaf3475db4e650ad686aebd0e1e93a9ee01

MD5 hash:

a4d4adbf1c316ea7794b8ce2d3d0b4c9

SHA1 hash:

bf385a90e5bfe7e73ae4894c8befa197c4f71c93

Detections:

Netwire

win_vigilant_cleaner_auto

win_netwire_g1

Link:

https://www.unpac.me/results/e0f10c3d-da0b-461d-9484-dd53bc2a17ff/

Parent samples :

ea32c3c39c8c3f83e95916262d37b5aa49c920a9356dcebfa639b8391413ae9a
2dad351121415ba79882fa8576277f4c863a51cb6aafb9fd2789e7204ba7b0b3
8b86424f0ef6817bcb0ce07545ae7fd2c808d02346ee0e3d602115d791d6993b

SH256 hash:

34b2041a3bd98bf49184ff6df8849416c706b414479294c97ebb0955fee94c4f

MD5 hash:

f057278da65d0191ee153c7194a86af9

SHA1 hash:

59dda8512c9288518721cdd9050060e55975202b

Link:

https://www.unpac.me/results/e0f10c3d-da0b-461d-9484-dd53bc2a17ff/

SH256 hash:

40487aa57cb4dbde869aa9c95df9009c96b1a7cf4bd3215e516e41cc1ed5e461

MD5 hash:

6eba1a56683264b9a3feb9bab14ee019

SHA1 hash:

ea6be8cd5f757ccdcba7a99d6d6d75c68f0663e6

Link:

https://www.unpac.me/results/e0f10c3d-da0b-461d-9484-dd53bc2a17ff/

SH256 hash:

c45a3dae97e5e635a567df02635fe941af384f35cc993d4e52a57fa4f4026b3e

MD5 hash:

966c65a2893f62df72494272d810448f

SHA1 hash:

de82f765123b6ed954996603b663e9bac36acfb6

Link:

https://www.unpac.me/results/e0f10c3d-da0b-461d-9484-dd53bc2a17ff/

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/e0f10c3d-da0b-461d-9484-dd53bc2a17ff/

SH256 hash:

ea32c3c39c8c3f83e95916262d37b5aa49c920a9356dcebfa639b8391413ae9a

MD5 hash:

a2609cffa6b57d22ffbe342013f59847

SHA1 hash:

9dd92ebe68c7b149cb09edebf7587adf7ee5a4e5

Link:

https://www.unpac.me/results/e0f10c3d-da0b-461d-9484-dd53bc2a17ff/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ea32c3c39c8c3f83e95916262d37b5aa49c920a9356dcebfa639b8391413ae9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.