MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eeec2f71b05b8a71de011e002adf1c9c3b6da84c12517184bfe0b3ccf04d1a56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eeec2f71b05b8a71de011e002adf1c9c3b6da84c12517184bfe0b3ccf04d1a56
SHA3-384 hash: d3d37ed44ea8b8e2493cbcbff9d605cdd25969cf719726252d677e8d7e3c33d7b101b2c2c9189957443e43945c3f08a5
SHA1 hash: a9f3a6f93e04365d300eb7c88b7e06000d91b66b
MD5 hash: 731897f9c1288f50a2c3684869b56dba
humanhash: four-purple-alpha-speaker
File name:731897f9c1288f50a2c3684869b56dba
Download: download sample
Signature NetWire
Create hunting rule
File size:1'360'384 bytes
First seen:2021-12-06 16:54:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'917 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 24576:32vAFLUyoctCm+e6M8xWCoB1k+uE2VJTlMOXnCXZhdsP4yxw/:aMLPQm2fxMB67EwxuJXZhKP4d/
Threatray 619 similar samples on MalwareBazaar
TLSH T15B556A5C317025AFE83A853145541F3B9EF12C3E866B63CE7317349B8ABD9428F252E9
File icon (PE):PE icon
dhash icon 86e8c0c8ccd89ce6 (18 x AgentTesla, 18 x Formbook, 8 x Loki)
Reporter zbetcheckin
Tags:32 exe NetWire

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.56.29.131:3360 https://threatfox.abuse.ch/ioc/260493/

Intelligence

File Origin
# of uploads :
1
# of downloads :
470
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
731897f9c1288f50a2c3684869b56dba
Verdict:
Malicious activity
Analysis date:
2021-12-06 17:00:12 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/466893a0-8c84-4220-ad89-d80d43a5f6cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211881/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Sending a custom TCP request
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61ae406afa72c81b5b0eae04/reports/1732249f-1d79-4a09-a3e1-85f8f1b7a5c0/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a4f13881-4354-4678-8a9a-c1b00c0ce7ee
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/902485
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to steal Chrome passwords or cookies
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eeec2f71b05b8a71de011e002adf1c9c3b6da84c12517184bfe0b3ccf04d1a56/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-06 16:55:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=53wc64nqlofhdxqbdyacvxy4tq5w3kcmcjixdbf74cz4z4cndjla._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0f67fd50b46ca7283dc172211a42e3ffab7b524a1e2e23433c34c88e657cd364
NetWire
22dd73a06a3bff8a7866c95b5191aa6a7b57d67d632b2373235e7b2ba4fd46fa
NetWire
61722636c5cad31d212e7ea1da55d4fde3a7e93fc46f81484dd7597a684a8164
NetWire
bd62e723aff056a5f6dd9b9ece4f5ea4bae0a50cc3bdd5f4228fb265c2a96170
NetWire
c657a69c6832a40ff81651b72dde98ebd3dd5cece06ee57afe835370a2d51a3a
NetWire
cc2894394da12ab098b78a9ca9fa5c462f294a6c678d584d6d283c6d436d88c4
NetWire
ce0791b1ccec1c7907e99e48f2207cafa0cd2c8528a5e0f6625187b51a14f284
NetWire
cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
NetWire
dbafada7e8406895de0d99952e4543a123b453c9181e4b9244c8938e3cbc9d6d
NetWire
dbe60153ede523dc838e9289aa0b43c5022c182b85396381b96b5d44c1698e27
NetWire
+ 609 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/211206-ve41nshef2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Modifies Installed Components in the registry
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
193.56.29.131:3360
Unpacked files
SH256 hash:
fdb256a562c32e4a299bf1ab5f38488bd78bd0c60abc3c5eafdbc08edc0dd584
MD5 hash:
91883215a201aa7f0d63bd23ae41d20b
SHA1 hash:
2a2b588671a2cdfe3d2968279690e3911a86cc09
Link:
https://www.unpac.me/results/54db99a2-ce1c-47a5-82f2-0753c3a1fea0/
SH256 hash:
308466c3158173bf615a5564e1a25f310824b6568415f565b4d7b40b699aa2fe
MD5 hash:
17e865f2d02e75ba3f8add687339179e
SHA1 hash:
b62e88e6cad084926a05d8d02da8ce5be9d171aa
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/54db99a2-ce1c-47a5-82f2-0753c3a1fea0/
SH256 hash:
bb69f9fde19df34229288289dbfa00d782aa8aaaebd546176a126bb4a3554fc7
MD5 hash:
cc65f81ee855a34626753294633254ca
SHA1 hash:
c51ec3ae6429be2635be99c80b1e035089b33cdb
Link:
https://www.unpac.me/results/54db99a2-ce1c-47a5-82f2-0753c3a1fea0/
SH256 hash:
eeec2f71b05b8a71de011e002adf1c9c3b6da84c12517184bfe0b3ccf04d1a56
MD5 hash:
731897f9c1288f50a2c3684869b56dba
SHA1 hash:
a9f3a6f93e04365d300eb7c88b7e06000d91b66b
Link:
https://www.unpac.me/results/54db99a2-ce1c-47a5-82f2-0753c3a1fea0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/eeec2f71b05b8a71de011e002adf1c9c3b6da84c12517184bfe0b3ccf04d1a56

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetWire

Executable exe eeec2f71b05b8a71de011e002adf1c9c3b6da84c12517184bfe0b3ccf04d1a56

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/211881/
  
URLhaus
https://urlhaus.abuse.ch/url/1859709/

Comments


Avatar
zbet commented on 2021-12-06 16:54:17 UTC

url : hxxp://carbinz.ml/izuzx.exe