MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef4fb21fec01aa193370b1ac7551aa759765b4e289f781b67d762e61335c7e41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef4fb21fec01aa193370b1ac7551aa759765b4e289f781b67d762e61335c7e41
SHA3-384 hash: 88b389494f832443425d97de6bfbb2d15baa5804d1b95a13f13b1bf4b109e571e0fc6f60fbd29715f7dbaf0b4daf76f5
SHA1 hash: 616c863f53f9a9bc3507b14cb759c289fcf6eb5f
MD5 hash: 4e0ee2b83297b3b44acdce3e9a3a4d24
humanhash: georgia-orange-victor-berlin
File name:Bank details.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:719'360 bytes
First seen:2021-07-20 09:31:41 UTC
Last seen:2021-07-20 10:41:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 67d179cc1bd8024cb66801d5092fedd2 (2 x Formbook, 1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:JFMJS2qUretr/3cd/iWu5n6jRGCjJMLmqRRSst7/Ssdpk6dz:JFModTMdxuFAkqYmq7SI764z
Threatray 59 similar samples on MalwareBazaar
TLSH T1E0E49D77B3B10937C32B397AED5B9778E4267D623D1824097FF96E088B2D24224191F6
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
216.250.250.29:4320

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
216.250.250.29:4320 https://threatfox.abuse.ch/ioc/161656/

Intelligence

File Origin
# of uploads :
2
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bank details.exe
Verdict:
Malicious activity
Analysis date:
2021-07-20 09:33:09 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/15fb611c-be51-4e94-9d9d-fa0da3f21a44

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172755/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader40.47661.23216.27909.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9b70ee01-5fa6-4bda-9eb2-fd1ecc064565
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818788
Signature
Allocates memory in foreign processes
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451198 Sample: Bank details.exe Startdate: 20/07/2021 Architecture: WINDOWS Score: 100 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Yara detected NetWire RAT 2->68 70 Machine Learning detection for sample 2->70 8 Bfakyal.exe 16 2->8         started        12 Bank details.exe 1 24 2->12         started        15 Bfakyal.exe 16 2->15         started        process3 dnsIp4 50 p6ptig.bn.files.1drv.com 8->50 60 2 other IPs or domains 8->60 78 Multi AV Scanner detection for dropped file 8->78 80 Machine Learning detection for dropped file 8->80 82 Writes to foreign memory regions 8->82 17 dialer.exe 8->17         started        52 p6ptig.bn.files.1drv.com 12->52 54 onedrive.live.com 12->54 56 bn-files.fe.1drv.com 12->56 46 C:\Users\Public\Libraries\...\Bfakyal.exe, PE32 12->46 dropped 84 Allocates memory in foreign processes 12->84 86 Creates a thread in another existing process (thread injection) 12->86 88 Injects a PE file into a foreign processes 12->88 21 mshta.exe 2 12->21         started        23 WerFault.exe 20 9 12->23         started        26 cmd.exe 1 12->26         started        28 cmd.exe 1 12->28         started        58 p6ptig.bn.files.1drv.com 15->58 62 2 other IPs or domains 15->62 30 ieinstal.exe 15->30         started        file5 signatures6 process7 dnsIp8 48 warin.hopto.org 216.250.250.29, 4320, 49738, 49754 AS-TIERP-19019US United States 21->48 72 Contains functionality to log keystrokes 21->72 74 Contains functionality to steal Internet Explorer form passwords 21->74 76 Contains functionality to steal Chrome passwords or cookies 21->76 44 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 23->44 dropped 32 reg.exe 1 26->32         started        34 conhost.exe 26->34         started        36 cmd.exe 1 28->36         started        38 conhost.exe 28->38         started        file9 signatures10 process11 process12 40 conhost.exe 32->40         started        42 conhost.exe 36->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef4fb21fec01aa193370b1ac7551aa759765b4e289f781b67d762e61335c7e41/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 07:34:37 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=55h3eh7magvbsm3qwgwhkunkowlwlnhcrh3ydnt5oyxgcm24pzaq._file
Verdict:
malicious
Similar samples:
0c3748f23fb4ade0edb0e497f0f39adc528cec04ac7530e15e3f5baad6b69567
NetWire
33f0d367ae282d4c9b9a6acbfefd3e86999eb84fc65c43d99f1de1b95c1f80af
NetWire
3d263b6e2cdc6e43060faf06203a211ed5f716238157fc36f3f0d5b21777c0ac
NetWire
3f5ccdc99b29651852d447f8587f5cfa5e108ea10dba0eed36d436a4b6e73719
NetWire
6a6d545fd995dbffb75332ad4a05e32f20777410b36e633c42e4f6c8cdc685d2
NetWire
7a192e61d40bed06f4bad4e004d2a1152f3c1955c4cbe6dcbe4076f400670374
NetWire
92258f992fbf15509591d96b11cb50eda41cf0c19f35fdd089c311ca5eace947
NetWire
c65e9659dc7d97331803b2137d4d7e0a47869eca75d718ea9f92397dcd68eb55
NetWire
dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac
NetWire
f4f27e005b5381e5d1eb3d1d95cd4ae5c963c7601934254ebe266f08cfaf78d2
NetWire
+ 49 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:netwire botnet persistence rat stealer trojan
Link:
https://tria.ge/reports/210720-an5sb2zp9j/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
ModiLoader, DBatLoader
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
warin.hopto.org:4320
Unpacked files
SH256 hash:
3c89381eb5d9bc9b2cc8835190944650d0fab08f3f5bd80e7d60c805c34f85a3
MD5 hash:
046256d9fc63f3f656d8a381e787ccdd
SHA1 hash:
d60bbe23be14e9acd5d9f718ce5686dbcf65e518
Link:
https://www.unpac.me/results/a5deb684-a8b6-4c9d-90aa-e810f659d80e/
SH256 hash:
ef4fb21fec01aa193370b1ac7551aa759765b4e289f781b67d762e61335c7e41
MD5 hash:
4e0ee2b83297b3b44acdce3e9a3a4d24
SHA1 hash:
616c863f53f9a9bc3507b14cb759c289fcf6eb5f
Link:
https://www.unpac.me/results/a5deb684-a8b6-4c9d-90aa-e810f659d80e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef4fb21fec01aa193370b1ac7551aa759765b4e289f781b67d762e61335c7e41

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172755/

Comments