MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee61ac3cd6ac0319af2ca16d292464c08c018c15cd54f48c27df5907c9fca089. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee61ac3cd6ac0319af2ca16d292464c08c018c15cd54f48c27df5907c9fca089
SHA3-384 hash: 4984c51f98e04895150e279cfb8d145dfab12c533a8e7e112c77932d80ffba747a25642ac1703c99237a9300f1263b36
SHA1 hash: cd69a5a835ec1043537a214f9f5b691502b9862d
MD5 hash: 05537902058bc265bf790af120df1723
humanhash: magazine-undress-william-robert
File name:05537902058bc265bf790af120df1723
Download: download sample
Signature NetWire
Create hunting rule
File size:1'383'677 bytes
First seen:2022-09-21 14:00:34 UTC
Last seen:2023-08-27 08:55:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:MAOcZXgZd9/xGcLEQprgWA78zmi8wC8c4TjgbKc6QSGoNuTgl9RTxtv5V:a33oMrgWi8ai8R8cw46OZT8XT/v5V
Threatray 1'802 similar samples on MalwareBazaar
TLSH T177551222B7F1C8B1E5770931BA2A5705AE7E79201E369ADEA3D405ECEE371811530B73
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 30e2d0a8d2d8e830 (3 x NetWire)
Reporter zbetcheckin
Tags:32 exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
354
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
ta505
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.VBA.Amphitryon.1704.16009.3666
Verdict:
Malicious activity
Analysis date:
2022-09-21 12:12:57 UTC
Tags:
macros macros-on-open ta505 maldoc-33 loader
Link:
https://app.any.run/tasks/bb16706f-6588-4010-9606-90b99c3fadb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312080/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Sending a custom TCP request
Creating a file
Creating a file in the %temp% directory
Adding an access-denied ACE
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38402/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/632b192936ba812561a84449/reports/d9e7d04d-b3b9-493f-bc5b-604ab40ddff0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5989b335-06ce-402e-ac56-3b5cfebb0792
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1074654
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM autoit script
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 707196 Sample: GcS3ByrNGa.exe Startdate: 21/09/2022 Architecture: WINDOWS Score: 96 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 3 other signatures 2->50 10 GcS3ByrNGa.exe 75 2->10         started        14 voggchu.pif 1 2->14         started        16 voggchu.pif 2->16         started        18 voggchu.pif 2->18         started        process3 file4 38 C:\Users\user\AppData\Roaming\...\voggchu.pif, PE32 10->38 dropped 54 Drops PE files with a suspicious file extension 10->54 20 voggchu.pif 4 3 10->20         started        23 wscript.exe 1 14->23         started        25 wscript.exe 16->25         started        40 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 18->40 dropped signatures5 process6 signatures7 52 Multi AV Scanner detection for dropped file 20->52 27 wscript.exe 1 20->27         started        29 voggchu.pif 23->29         started        process8 process9 31 voggchu.pif 27->31         started        dnsIp10 42 192.168.2.1 unknown unknown 31->42 34 wscript.exe 1 31->34         started        process11 process12 36 voggchu.pif 34->36         started       
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ee61ac3cd6ac0319af2ca16d292464c08c018c15cd54f48c27df5907c9fca089/
Threat name:
Win32.Trojan.NetWired
Create hunting rule
Status:
Malicious
First seen:
2022-09-21 09:23:52 UTC
File Type:
PE (Exe)
Extracted files:
421
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5zq2ypgwvqbrtlzmufwssjdeycgaddavzvkpjdbh35mqpsp4uceq._file
Verdict:
unknown
Similar samples:
02f864baf71847c5832c94f396bb14ba3fd5c1b7d96936427c358f37a6cfa105
NetWire
1d8d1ed93e2bb02931e7184988ad25b149d75beaaf5c4604144aef7981352109
NetWire
508363ac23d75a1e265f6ba9dc64f3fe227ec361f8ebfa21d03bbed7a2c878c0
NetWire
6d833bd671f179c8dfdf89aac0bc77cd7bb49f82a98cbf5d8122a9d47fa98e9f
NetWire
a96ccfc5b5b64660b986d22b9bcc96cb5e178d3d506893bd24a959a5338a4a32
NetWire
aa005608adb8e7e3c775383f20f2608164056713bcbb92d0ec5c99994d8af750
NetWire
b3a3645cf2d804bebd0d8049b70c95ae545ff06ca2acc9f85721a1d1f3c9b5b8
NetWire
c8a3afbe993a8c462856e72256e1ec0a251777a5d5bc6cac978e4349f8cb9ac2
NetWire
f44204e826a1b7fc6ce46ba2bc2eff5f77c0d525f87f40dcc2fe363c8491ab2f
NetWire
+ 1'792 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/220921-rbjnsagdh2/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
37.0.14.206:3384
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fbb36b29-316d-4fa1-a8bc-add19e94dd15
Unpacked files
SH256 hash:
1e01c03d99d1b4f9538f4c4ccc77d5f306bdc27ce81492ba25ee28924aad8ba1
MD5 hash:
a18fefe32e4eff33cbbd9fcfdc0ffd5a
SHA1 hash:
9ac220732cdaf99512787fca4a84351e6116fd5b
Link:
https://www.unpac.me/results/2d768558-faae-4065-adf5-19f5dfb9776a/
SH256 hash:
8cd5768918996f0bff2c443f8a5bd75582e08468db71a2a5e30699408ab55528
MD5 hash:
97660947708189b0aab3ff3498073207
SHA1 hash:
f249672e44d397420605adfce60713e1ffc8814a
Detections:
Netwire
Create hunting rule
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/2d768558-faae-4065-adf5-19f5dfb9776a/
SH256 hash:
ee61ac3cd6ac0319af2ca16d292464c08c018c15cd54f48c27df5907c9fca089
MD5 hash:
05537902058bc265bf790af120df1723
SHA1 hash:
cd69a5a835ec1043537a214f9f5b691502b9862d
Link:
https://www.unpac.me/results/2d768558-faae-4065-adf5-19f5dfb9776a/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ee61ac3cd6ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee61ac3cd6ac0319af2ca16d292464c08c018c15cd54f48c27df5907c9fca089

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe ee61ac3cd6ac0319af2ca16d292464c08c018c15cd54f48c27df5907c9fca089

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2309155/
Cape
Cape
https://www.capesandbox.com/analysis/312080/

Comments


Avatar
zbet commented on 2022-09-21 14:00:40 UTC

url : hxxp://192.3.194.246/RFQ.exe