MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee70cb2fc82abe10d225555baf80864b1c8f779fce79dcb2b76943d145a8130e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee70cb2fc82abe10d225555baf80864b1c8f779fce79dcb2b76943d145a8130e
SHA3-384 hash: cf011f376d6f8510037dcb11d65ae1c6e11b86d5e29486a651497e5891816fc91e6a3a7a263a10ab817262edfd56f9ca
SHA1 hash: c9e67190debfb937b1c148b5c1c0f2869e4c0b8a
MD5 hash: 35a80e79a290dfce0d019d467ec8dc9c
humanhash: early-bulldog-ohio-romeo
File name:35A80E79A290DFCE0D019D467EC8DC9C.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:3'121'840 bytes
First seen:2021-07-23 04:21:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (433 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 12288:Jh1Lk70TnvjcHBVm9l5tHvvvvvEvvvvv9q2W12i4xaPxq1x1:Vk70TrcHBVa5tr2WOaPKx1
Threatray 595 similar samples on MalwareBazaar
TLSH T172E51C52EF0EED47E87C29720CBF862514E02C2E79137986E6C037DBE53E15669CC269
dhash icon 11cacc8ccccace11 (1 x NetWire, 1 x BitRAT)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
74.201.28.67:3021

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
74.201.28.67:3021 https://threatfox.abuse.ch/ioc/162209/

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
35A80E79A290DFCE0D019D467EC8DC9C.exe
Verdict:
Malicious activity
Analysis date:
2021-07-23 04:23:31 UTC
Tags:
opendir trojan rat netwire loader
Link:
https://app.any.run/tasks/cc4f6243-af43-4c00-9e69-d7f624b49fa9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173489/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/65d96063-5fce-4e58-b9c8-49f1f7f3f473
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820529
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee70cb2fc82abe10d225555baf80864b1c8f779fce79dcb2b76943d145a8130e/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 00:42:18 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5zymwl6ifk7bburfkvn27aegjmoi6547zz45zmvxnfb5crnicmha._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
3b8dd3bc950e31064f5fe058ed3e8c25f082bef1f42e1426760cc6f8fef14821
NetWire
5741d60ead4ec57c71e274d23d6a4550650e54edf7613a180de90749a0c651ca
NetWire
5b3cc30719578d96ef64e9341e00eedb05512ee9692b2eff924aabc54e7a16e4
NetWire
5b4962b939b67929dcb5b0c5a90b75e617f9af630271d710a21ccbe0d7738e05
NetWire
608ec84d6c6d1b552b0c77210475ead69a437d02cc688d60e798cf530c02897e
NetWire
797a9a105652922546340d44d623196f8f5d22410011156a710bdf4f239a3d40
NetWire
7e12867c3e8353fc4175b559bbf654ccce1b253204fd7c5c0e2a72b56026ca32
NetWire
a40c51565228f1fef2028b90fd49051372828871d8eeb5df19e5d8049c977ed2
NetWire
c6e42b6b5328ea35302559a7cb8b3849e3b9a646648a9be0a505ae8c2aa5490c
NetWire
f6262c14a5f6c845a95cab29a6e1e2a662d5df47499935c1f050d908ee01db90
NetWire
+ 585 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210723-j5t4ztnh1x/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
finerthings.duckdns.org:3021
Unpacked files
SH256 hash:
f0e28d6089afd24ecaa5198138212e579504648e9fd0f9e1c8f6fb24e83cb434
MD5 hash:
d0e85021ad21de4570d19fc83aed02fa
SHA1 hash:
92722b75deadcf39b96d9451760b4f85005b2f80
Link:
https://www.unpac.me/results/eb7fb393-97a7-4f65-8732-e0e736931dff/
SH256 hash:
a559d5f5feb9d98feb2180efd10c866a881512ef8907f17574ee8def37c14dfb
MD5 hash:
7ebb3caaae12ece144efc590cd54a067
SHA1 hash:
6527d242a07635a2e507a6c110838dc20670af64
Link:
https://www.unpac.me/results/eb7fb393-97a7-4f65-8732-e0e736931dff/
SH256 hash:
ee70cb2fc82abe10d225555baf80864b1c8f779fce79dcb2b76943d145a8130e
MD5 hash:
35a80e79a290dfce0d019d467ec8dc9c
SHA1 hash:
c9e67190debfb937b1c148b5c1c0f2869e4c0b8a
Link:
https://www.unpac.me/results/eb7fb393-97a7-4f65-8732-e0e736931dff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee70cb2fc82abe10d225555baf80864b1c8f779fce79dcb2b76943d145a8130e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173489/

Comments