MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ece26faace5bcf7afeba359279d17aeb7f99f739fce454e964c88ebad9745bdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ece26faace5bcf7afeba359279d17aeb7f99f739fce454e964c88ebad9745bdb
SHA3-384 hash: fc73269451708a2cbc8573eba7a43389724e92ca99c33818ef49ae453678ac81bedb3cb7d0e9a37e095fbf1e1b31627d
SHA1 hash: 7cd829a3453c6bd2904a4a354a69cd436c126449
MD5 hash: 629e124eff07f0d656e30939bec28af9
humanhash: venus-ten-mississippi-quebec
File name:SBIN32000636990,pdf.scr
Download: download sample
Signature NetWire
Create hunting rule
File size:1'108'808 bytes
First seen:2020-07-21 06:08:33 UTC
Last seen:2020-07-21 07:24:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5e381c455fbb563ca5f2237e8dff94bd (4 x RemcosRAT, 2 x Formbook, 1 x NetWire)
ssdeep 24576:g0vtfbdNzTnlj/jllmyXvybwEIVKGfHNBJV2jjFP0Mh:g0v9f/vxEIVRfHfJV2nFP0M
Threatray 481 similar samples on MalwareBazaar
TLSH 9335AF23F2A08D32D1331538DC574ABC9A6EBF153625984D6AE6DF0C8F3918179393A7
Reporter abuse_ch
Tags:NetWire nVpn RAT scr

Code Signing Certificate

Organisation:Microsoft Windows
Issuer:Microsoft Windows Production PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:Aug 11 20:23:35 2017 GMT
Valid to:Aug 11 20:23:35 2018 GMT
Serial number: 330000017469DE108B3765A8D7000000000174
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 20DB8B651606A47C7DB2D6AC484EC317D2C725D98B2EB6EE4B6CAB000E416ABA
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: titan.fibersunucu.com.tr
Sending IP: 188.132.179.148
From: "Alev ALKAN"<ekstre@halkbank.com.tr>
Subject: DEBIT NOTE SBIN32000636990
Attachment: SBIN32000636990,pdf.001 (contains "SBIN32000636990,pdf.scr")

NetWire RAT C2:
hurricane.myq-see.com:2310 (185.140.53.6)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-BE-NL4
country: EU
descr: Zaventem, Belgium
descr: Amsterdam, Netherlands
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-07-16T21:16:41Z
source: RIPE

Intelligence

File Origin
# of uploads :
3
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Netwire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29682/
Detection(s):
SecuriteInfo.com.Generic.mg.629e124eff07f0d6.7986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Running batch commands
Creating a process with a hidden window
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/392448
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 248393 Sample: SBIN32000636990,pdf.scr Startdate: 21/07/2020 Architecture: WINDOWS Score: 100 80 Multi AV Scanner detection for dropped file 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 Yara detected NetWire RAT 2->84 86 4 other signatures 2->86 10 SBIN32000636990,pdf.exe 1 3 2->10         started        15 mshta.exe 1 2->15         started        17 mshta.exe 19 2->17         started        process3 dnsIp4 76 googlehosted.l.googleusercontent.com 216.58.206.1, 443, 49734, 49739 GOOGLEUS United States 10->76 78 doc-0o-b8-docs.googleusercontent.com 10->78 60 C:\Users\user\AppData\Local\...60zcqfck.exe, PE32 10->60 dropped 100 Writes to foreign memory regions 10->100 102 Allocates memory in foreign processes 10->102 104 Creates a thread in another existing process (thread injection) 10->104 106 Injects a PE file into a foreign processes 10->106 19 TapiUnattend.exe 7 10->19         started        23 ieinstal.exe 2 10->23         started        108 DLL side loading technique detected 15->108 26 Nzcqfck.exe 15->26         started        28 Nzcqfck.exe 17->28         started        file5 signatures6 process7 dnsIp8 56 C:\Users\Public\propsys.dll, PE32+ 19->56 dropped 58 C:\Users\Public\fodhelper.exe, PE32+ 19->58 dropped 88 Drops PE files to the user root directory 19->88 30 cmd.exe 5 19->30         started        33 cmd.exe 1 19->33         started        66 hurricane.myq-see.com 185.140.53.6, 2310, 49736 DAVID_CRAIGGG Sweden 23->66 68 googlehosted.l.googleusercontent.com 26->68 70 doc-0o-b8-docs.googleusercontent.com 26->70 90 Multi AV Scanner detection for dropped file 26->90 92 Machine Learning detection for dropped file 26->92 94 Writes to foreign memory regions 26->94 35 ieinstal.exe 26->35         started        72 googlehosted.l.googleusercontent.com 28->72 74 doc-0o-b8-docs.googleusercontent.com 28->74 96 Injects a PE file into a foreign processes 28->96 37 ieinstal.exe 28->37         started        file9 signatures10 process11 file12 62 C:\Windows \System32\propsys.dll, PE32+ 30->62 dropped 64 C:\Windows \System32\fodhelper.exe, PE32+ 30->64 dropped 39 fodhelper.exe 30->39         started        42 conhost.exe 30->42         started        44 conhost.exe 33->44         started        46 reg.exe 1 1 33->46         started        48 reg.exe 1 33->48         started        process13 signatures14 98 Drops executables to the windows directory (C:\Windows) and starts them 39->98 50 cmd.exe 1 39->50         started        process15 process16 52 conhost.exe 50->52         started        54 cmd.exe 1 50->54         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ece26faace5bcf7afeba359279d17aeb7f99f739fce454e964c88ebad9745bdb/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 05:06:40 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
36 of 48 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5trg7kwolphxv7v2gwjhtul25n7zt5zz7tsfj2lezchlvwlulpnq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1296e2be1e9e8dc2431cd3c37337af6fe9f2ad6e9b380111507b009642250216
NetWire
1ac8944d42d3a594940bbd74613193bc47430b6c6c958caf9a5b4521bd9efb91
NetWire
23fd501c884e2f46d38af81b0d6e423ea0bff8c5eee615227806faf7b2833827
NetWire
249e738650027df7635aa70373e2e2f936eb58e1a208fdc8df9ee2f66e4cb9e3
NetWire
760c5c96174d0f5f899970f3b35da290b831f4c85221b1e274a5491fcf08b264
NetWire
76f20f51dda2d37c9e1c9ddff49fa03defa148abcfd399dfd2c0633f5609cc7d
NetWire
9119946bcfe8c01ea4bfe6ab3222c17146a04b7321b8094f2de58a7f9a5e1840
NetWire
9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72
NetWire
cb54cd1dc1efb943d5308d6681f36ecaec957f0a70f9683f1da3e7e1188b9748
NetWire
ccd667e3a1a0577ed841968990cb37790e1e6f0fb4ceb1a2f947ef391d68dd4d
NetWire
+ 471 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
rat persistence botnet stealer family:netwire
Link:
https://tria.ge/reports/200721-jfhrmgjsma/
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Modifies registry key
Drops file in Program Files directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Executes dropped EXE
Netwire
NetWire RAT payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ece26faace5bcf7afeba359279d17aeb7f99f739fce454e964c88ebad9745bdb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

rar 87d1e23212ef405f0cc24e3d45e4ac408906e3a43964bfbf5d2e13aa1492c2fd

NetWire

Executable exe ece26faace5bcf7afeba359279d17aeb7f99f739fce454e964c88ebad9745bdb

(this sample)

  
Dropped by
MD5 298f29a71611a4d1458362ba485b9909
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29682/
  
Dropped by
SHA256 87d1e23212ef405f0cc24e3d45e4ac408906e3a43964bfbf5d2e13aa1492c2fd

Comments