MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646
SHA3-384 hash: 8ec35b45b9d04197fdf70d362f31b0fb715278271d290cb57f1f2dd18a1f1d9838b7a7a22b87b344cd969ee68f2a36d7
SHA1 hash: ad1289875a05ba89cb6e10b08b95ee45bdf79d0f
MD5 hash: d616794167af5c88812aabaf65120fad
humanhash: butter-saturn-football-charlie
File name:89468038.EXE
Download: download sample
Signature NetWire
Create hunting rule
File size:950'784 bytes
First seen:2023-03-07 07:55:08 UTC
Last seen:2023-03-07 09:28:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'014 x AgentTesla, 19'920 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 24576:Jg7gUMoMnm9cU9VHb5Z763rs7u8BeV67s7nCrt8dB:vWMnGcU95nAsyTKug+
Threatray 53 similar samples on MalwareBazaar
TLSH T13F15BFE42F5D6363F786E1F328442AA7DBACBA5D2517C0181EE2118FC1CDD6C5112EAE
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 2892cc7092280000 (4 x AgentTesla, 3 x Formbook, 2 x Loki)
Reporter cocaman
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
3
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
89468038.EXE
Verdict:
Malicious activity
Analysis date:
2023-03-07 07:57:35 UTC
Tags:
rat netwire
Link:
https://app.any.run/tasks/fa998637-9b0d-4e14-b15e-a695687bb611

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372161/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6406ee1586426ca5a86ab6d8/reports/5805b823-48e2-4280-89c6-8e18db243a03/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/30a52231-b909-4f41-b83e-305b6b970204
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1188412
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 821282 Sample: 89468038.EXE.exe Startdate: 07/03/2023 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus detection for URL or domain 2->70 72 6 other signatures 2->72 9 89468038.EXE.exe 7 2->9         started        13 vrlnli.exe 5 2->13         started        process3 file4 52 C:\Users\user\AppData\Roaming\vrlnli.exe, PE32 9->52 dropped 54 C:\Users\user\...\vrlnli.exe:Zone.Identifier, ASCII 9->54 dropped 56 C:\Users\user\AppData\Local\...\tmpFE6D.tmp, XML 9->56 dropped 58 C:\Users\user\...\89468038.EXE.exe.log, CSV 9->58 dropped 74 Found evasive API chain (may stop execution after checking mutex) 9->74 76 Contains functionality to steal Internet Explorer form passwords 9->76 78 Contains functionality to steal Chrome passwords or cookies 9->78 86 2 other signatures 9->86 15 89468038.EXE.exe 3 9->15         started        18 powershell.exe 21 9->18         started        20 schtasks.exe 1 9->20         started        22 89468038.EXE.exe 9->22         started        80 Antivirus detection for dropped file 13->80 82 Multi AV Scanner detection for dropped file 13->82 84 Machine Learning detection for dropped file 13->84 24 schtasks.exe 13->24         started        26 vrlnli.exe 13->26         started        signatures5 process6 file7 60 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 15->60 dropped 28 Host.exe 5 15->28         started        32 conhost.exe 18->32         started        34 conhost.exe 20->34         started        36 conhost.exe 24->36         started        process8 dnsIp9 64 192.168.2.1 unknown unknown 28->64 88 Antivirus detection for dropped file 28->88 90 Multi AV Scanner detection for dropped file 28->90 92 Machine Learning detection for dropped file 28->92 94 Adds a directory exclusion to Windows Defender 28->94 38 Host.exe 28->38         started        42 powershell.exe 28->42         started        44 schtasks.exe 28->44         started        signatures10 process11 dnsIp12 62 212.193.30.230, 49683, 49684, 6826 SPD-NETTR Russian Federation 38->62 50 C:\Users\user\AppData\Roaming\...\sqlite3.dll, PE32 38->50 dropped 46 conhost.exe 42->46         started        48 conhost.exe 44->48         started        file13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 06:26:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
12 of 25 (48.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=57c4ssmw6sxxvy5c2f67y465p7r7qqtj4453mepfqbxs7ujruzda._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
34daae4c26da65a8a6b4b5fe0286dcd9c412610120e31ddb98ab67f0466b3a56
NetWire
373a8b67c6375977c663fbc851b2c3b5a329313fbd3e8cef3cc7cda667c29d0d
NetWire
53e04b40ad30d83c66ef729d87e5822f732fbc6804cbe216d68898f583ce7ad3
NetWire
6a9fbdd219a7ccbb64cdc17ab06f17f2964414c3b4ed5dfe69dac4aafe308300
NetWire
89c9935b305ddc218ccce08c0676176e0c8be511b15f9fa9af9a7560c76560c7
NetWire
8f2a0d373539a2f7f3a871315e598bfc0451307e89a4550b85de34ba49299e20
NetWire
d6edba98646efecccc2f9e35c537d8a08f986bef694efdc8cdc0301f80fba616
NetWire
e09603d415564f497c3e06ae53dece0dca6c250a6f7533dc382c35e7d55b552a
NetWire
e91b0fc888495a9583c32e70cae090980adccfab2ba310ff7f5f16eea7417354
NetWire
edb8e5632be4abe56057e7358be590d934c761dafe8dca82641aac4fded1095b
NetWire
+ 43 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/230307-jspx5ahc74/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
212.193.30.230:6826
Unpacked files
SH256 hash:
498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f
MD5 hash:
f4e7e91d4fdda2d3feb401b5b1d53abf
SHA1 hash:
cf9e76e6418850ac853bd9c6ce82a0be7920fc1d
Link:
https://www.unpac.me/results/934a3196-ef20-4886-b948-d8df3e8936ca/
SH256 hash:
ac05f15dbd150669cc32ec8281f39c17670399a7f854115724d5fec39b719697
MD5 hash:
4d4c8afb1a300c3f3064acfc0f5847e0
SHA1 hash:
a641092e1ae285e500bac2a672ad09c55bf71aff
Detections:
Netwire
Create hunting rule
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/934a3196-ef20-4886-b948-d8df3e8936ca/
SH256 hash:
e2e1c9421f8287f87527a445fe5b5f8f2cd1acab7f19ccb19a59b2fe1a255252
MD5 hash:
461a0e1dbbfde90e2bf4554c8c80fd30
SHA1 hash:
880e5961f1ebf9efbd528cc085b21c48ed1b12c0
Link:
https://www.unpac.me/results/934a3196-ef20-4886-b948-d8df3e8936ca/
SH256 hash:
8ee54b1174254e1347587e35fa1fd45905e34c17bc8d5fa6ec593a917ac1da6a
MD5 hash:
97e2e4260f3abc4ef5977669f9b44769
SHA1 hash:
70a4f0729d71de6dd32f33dca485b9cbef985ee6
Link:
https://www.unpac.me/results/934a3196-ef20-4886-b948-d8df3e8936ca/
SH256 hash:
8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash:
e5b073b30db1b058298f5df032164e4d
SHA1 hash:
15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
Link:
https://www.unpac.me/results/934a3196-ef20-4886-b948-d8df3e8936ca/
SH256 hash:
efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646
MD5 hash:
d616794167af5c88812aabaf65120fad
SHA1 hash:
ad1289875a05ba89cb6e10b08b95ee45bdf79d0f
Link:
https://www.unpac.me/results/934a3196-ef20-4886-b948-d8df3e8936ca/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/efc5c94996f4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

img 046bf1870416a2ea4108d3809fcdfda514663aa9fabd74b88f78c7e332eb397d

NetWire

Executable exe efc5c94996f4af7ae3a2d17dfc73dd7fe3f84269e73bb611e5806f2fd131a646

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 046bf1870416a2ea4108d3809fcdfda514663aa9fabd74b88f78c7e332eb397d
Cape
Cape
https://www.capesandbox.com/analysis/372161/
  
Dropped by
MD5 cf4a7094acb7f0d2a002f5bbb6b5db9a

Comments