MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef54c64675efe225373ef855f19283a950e4be09769a6cfeffb4ff4987ee2179. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef54c64675efe225373ef855f19283a950e4be09769a6cfeffb4ff4987ee2179
SHA3-384 hash: 98ef13d88c86382b609596f6a63bc89b3a825f58a16341bcc190e9d84a4b3dd7172870d60d8727dffdeca2d0ad569266
SHA1 hash: 60b91f254c3046da45c59fdcc4fb2265ff69bd21
MD5 hash: 7f9c879ad3a3ea43a84d9613d6427b5f
humanhash: iowa-victor-louisiana-social
File name:Proof of Payment.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'036'262 bytes
First seen:2020-10-12 10:53:37 UTC
Last seen:2020-10-12 12:02:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:JAOcZypeeduD5QnKq+nNKLFF/UjAcNeVrvjnC61:j2DVQnKlELFpFcNyuQ
Threatray 513 similar samples on MalwareBazaar
TLSH 02251203BBD248B2D53219325E36AB256D7DBD201F28DB1EB3D44D6DEB705906224BB3
Reporter GovCERT_CH
Tags:NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70066/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Enabling the 'hidden' option for recently created files
Sending a UDP request
Creating a process from a recently created file
Creating a file in the %temp% directory
Adding an access-denied ACE
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/488337
Signature
Antivirus detection for dropped file
Drops PE files with a suspicious file extension
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Yara detected AntiVM autoit script
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296610 Sample: Proof of Payment.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 80 56 Yara detected NetWire RAT 2->56 58 Yara detected AntiVM autoit script 2->58 60 Initial sample is a PE file and has a suspicious name 2->60 62 Drops PE files with a suspicious file extension 2->62 14 Proof of Payment.exe 28 2->14         started        17 xbnjvmbc.pif 2->17         started        process3 file4 54 C:\Users\user\03990306\xbnjvmbc.pif, PE32 14->54 dropped 19 xbnjvmbc.pif 4 3 14->19         started        22 wscript.exe 1 17->22         started        process5 signatures6 64 Antivirus detection for dropped file 19->64 66 Multi AV Scanner detection for dropped file 19->66 24 wscript.exe 1 19->24         started        26 xbnjvmbc.pif 22->26         started        process7 process8 28 xbnjvmbc.pif 24->28         started        30 wscript.exe 26->30         started        process9 32 wscript.exe 1 28->32         started        34 xbnjvmbc.pif 30->34         started        process10 36 xbnjvmbc.pif 32->36         started        38 wscript.exe 34->38         started        process11 40 wscript.exe 36->40         started        42 xbnjvmbc.pif 38->42         started        process12 44 xbnjvmbc.pif 40->44         started        46 wscript.exe 42->46         started        process13 48 wscript.exe 44->48         started        50 xbnjvmbc.pif 46->50         started        process14 52 xbnjvmbc.pif 48->52         started       
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ef54c64675efe225373ef855f19283a950e4be09769a6cfeffb4ff4987ee2179/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 10:48:33 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=55kmmrtv57rcknz67bk7deudvfiojpqjo2ngz7x7wt7utb7oef4q._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
10189128ff7ff4ae10111c65ca809615595304636a0d0e451ee34bf23ee900a2
NetWire
1ca9978db84d8cad7f6a8f838e106799352c386cfa3aee2bbefa195e7fabe166
NetWire
3a61804bb8302d42eb46c25a884cf50e7e6e383a9a48bfbfb1cfbe78ed2ed389
NetWire
6d833bd671f179c8dfdf89aac0bc77cd7bb49f82a98cbf5d8122a9d47fa98e9f
NetWire
a1c243083cc1870948216df122047ee1a8e473d0fab33283009c0d291567ea10
NetWire
a30dd99039152a76aacb5607d79b400098d9cd24350c0121fe4f7811177c0dbc
NetWire
b14306aa1789a4d6b9bfa4f8c9392033ef0fc70e584addad632135f7f832dec1
NetWire
dc8b1aa91228f69edb8b71fafd9231f6d6d55d50ea17e3a845a3014e419cdb60
NetWire
e34ce3660cbabe945aadb571016cbd7e73ca4a7baa6e9cd64a3615b6474ccdc8
NetWire
fba31181ed1957e81c452fa1e860414d3a2bd2da470074a32f196f873a37d9ad
NetWire
+ 503 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
rat persistence keylogger trojan stealer spyware family:nanocore botnet family:netwire
Link:
https://tria.ge/reports/201012-m473h3e3ca/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
NanoCore
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
ef54c64675efe225373ef855f19283a950e4be09769a6cfeffb4ff4987ee2179
MD5 hash:
7f9c879ad3a3ea43a84d9613d6427b5f
SHA1 hash:
60b91f254c3046da45c59fdcc4fb2265ff69bd21
Link:
https://www.unpac.me/results/34dbf8b4-dad1-4888-9486-15cf7c35cb6d/
SH256 hash:
623e8c4edc62b21a1d18cfa78269b1788610fce09fab55a850b0ebfafdf3adf4
MD5 hash:
59d297b99972c03f354d12d3d4cee4e9
SHA1 hash:
fe49b97e6356c93b56ca862dc0afb32921e78dcf
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/34dbf8b4-dad1-4888-9486-15cf7c35cb6d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef54c64675efe225373ef855f19283a950e4be09769a6cfeffb4ff4987ee2179

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

iso d9549a139d44a6c2349e73aca39b75134d415fbb7bb053c3f8a11a9e4fbebe6b

NetWire

Executable exe ef54c64675efe225373ef855f19283a950e4be09769a6cfeffb4ff4987ee2179

(this sample)

  
Dropped by
MD5 bb300a139252d52c4088161af5b0bf89
  
Dropped by
SHA256 d9549a139d44a6c2349e73aca39b75134d415fbb7bb053c3f8a11a9e4fbebe6b
  
Dropped by
NetWire
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70066/

Comments