MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efe7085d016f39d6e180df2cf41e774b28e64b3e1847b5e69386ef068bea5f20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efe7085d016f39d6e180df2cf41e774b28e64b3e1847b5e69386ef068bea5f20
SHA3-384 hash: 43459d161d8fb0d5b98b768739f3e80605c58c85397483112a23c9342dd3afc3012fb603b0d77c21b26f7ca029ee38b8
SHA1 hash: 2fe04c567b5b5d0c0fddb635e22394a2d57e0b47
MD5 hash: 3faf7e18d7e2c4396d07dac4a94b2c0d
humanhash: tennis-fillet-quiet-twelve
File name:Almadeena-Bakery-005445536555665445.scr.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:771'072 bytes
First seen:2021-05-03 05:10:47 UTC
Last seen:2021-05-03 06:04:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 831fc92f23cd73751a129066fe55905a (2 x NetWire, 2 x RemcosRAT, 1 x Formbook)
ssdeep 12288:qjG2QEEsadOoRzP6nIHNFfHH3tmDJP2uU/Oy/5/:qK2adO0zznPXIPRUD/Z
Threatray 583 similar samples on MalwareBazaar
TLSH 05F46C2161E004F6D15E1E399C6BB6A408A6BE313AF56C4417F86D48BFFF6803E1CD96
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
176.107.178.179:5218

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
176.107.178.179:5218 https://threatfox.abuse.ch/ioc/28110/

Intelligence

File Origin
# of uploads :
3
# of downloads :
350
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/148135/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a process from a recently created file
Deleting a recently created file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/707027
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Sigma detected: NetWire
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402434 Sample: Almadeena-Bakery-0054455365... Startdate: 03/05/2021 Architecture: WINDOWS Score: 100 60 Found malware configuration 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 Yara detected NetWire RAT 2->64 66 3 other signatures 2->66 11 Almadeena-Bakery-005445536555665445.scr.exe 1 25 2->11         started        16 Nvjwch.exe 2->16         started        18 Nvjwch.exe 2->18         started        process3 dnsIp4 58 cdn.discordapp.com 162.159.129.233, 443, 49731, 49732 CLOUDFLARENETUS United States 11->58 50 C:\Users\Public50etplwiz.exe, PE32+ 11->50 dropped 52 C:\Users\Public52ETUTILS.dll, PE32+ 11->52 dropped 54 C:\Users\Public\Libraries54vjwch54vjwch.exe, PE32 11->54 dropped 84 Drops PE files to the user root directory 11->84 86 Writes to foreign memory regions 11->86 88 Allocates memory in foreign processes 11->88 92 2 other signatures 11->92 20 cmd.exe 1 11->20         started        22 secinit.exe 2 11->22         started        90 Machine Learning detection for dropped file 16->90 file5 signatures6 process7 dnsIp8 26 cmd.exe 5 20->26         started        30 conhost.exe 20->30         started        56 176.107.178.179, 49733, 5218 FREEHOSTUA Ukraine 22->56 72 Contains functionality to log keystrokes 22->72 74 Contains functionality to steal Internet Explorer form passwords 22->74 76 Contains functionality to steal Chrome passwords or cookies 22->76 78 DLL side loading technique detected 22->78 signatures9 process10 file11 46 C:\Windows \System3246etplwiz.exe, PE32+ 26->46 dropped 48 C:\Windows \System3248ETUTILS.dll, PE32+ 26->48 dropped 82 Drops executables to the windows directory (C:\Windows) and starts them 26->82 32 Netplwiz.exe 26->32         started        34 conhost.exe 26->34         started        signatures12 process13 process14 36 cmd.exe 1 32->36         started        signatures15 68 Suspicious powershell command line found 36->68 70 Adds a directory exclusion to Windows Defender 36->70 39 powershell.exe 24 36->39         started        42 conhost.exe 36->42         started        process16 signatures17 80 DLL side loading technique detected 39->80 44 conhost.exe 39->44         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efe7085d016f39d6e180df2cf41e774b28e64b3e1847b5e69386ef068bea5f20/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 05:11:07 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=57tqqxibn445nyma34wpihtxjmuomsz6dbd3lzutq3xqnc7kl4qa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
16fc50c5d5b5419d2a3244294c7d6a77087edca488ec63146b573b31f1526809
NetWire
2f3c9eec055b5c11f8bbd794fde194e68a7c27cad4112d131ae999b953759ac0
NetWire
3ffc5daa049116311ac1363623b7a8960b7aabb4b874d1126a358b8d483e33cd
NetWire
56a571913ec8c7c4e9c936ac2625f36478147528542a2e291d6ad2cc4a7aab58
NetWire
5759a1711d0f78b7be3f76aa9e451516f93d91370586f863dd5a68291c82ee3b
NetWire
5d3724894277765b2182d26064f7891d58b3f3614f6adaa281a7b673d2b7b071
NetWire
85c2475f5bb564338727b25d030019e2ec0f08a9892df26024e45339ef3c0792
NetWire
deabb312ade9d16c64ea491e5cf9477e1b98f2c5cda72ab2cb1b8b75af558d31
NetWire
e6c265d43fd926038d77f0caf1773f93c5d684fb2fce4af1f4474982eb494762
NetWire
f862eb253778c7b1c35349d798736124d7ee97db446217b2e5962fe2431d1e46
NetWire
+ 573 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:netwire botnet persistence stealer trojan
Link:
https://tria.ge/reports/210503-hm6qcgtdja/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
ModiLoader, DBatLoader
Netwire
Unpacked files
SH256 hash:
8f63001a412f92b1e28e17cf0ca84b5d4fa126a661cdae11c5221b7344c26999
MD5 hash:
77fbc4c0b74cf1b87fa3804f3c4c0ff1
SHA1 hash:
721f7b2c9db79c8a34b8ad43f103b22df632d2dc
Link:
https://www.unpac.me/results/33f34b8c-e4f9-40bf-9f11-739e878030eb/
SH256 hash:
efe7085d016f39d6e180df2cf41e774b28e64b3e1847b5e69386ef068bea5f20
MD5 hash:
3faf7e18d7e2c4396d07dac4a94b2c0d
SHA1 hash:
2fe04c567b5b5d0c0fddb635e22394a2d57e0b47
Link:
https://www.unpac.me/results/33f34b8c-e4f9-40bf-9f11-739e878030eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/efe7085d016f39d6e180df2cf41e774b28e64b3e1847b5e69386ef068bea5f20

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148135/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-03 06:20:31 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
2) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
3) [F0002.002] Collection::Polling
5) [C0026.002] Data Micro-objective::XOR::Encode Data
7) [C0051] File System Micro-objective::Read File
8) [C0052] File System Micro-objective::Writes File
9) [C0007] Memory Micro-objective::Allocate Memory
10) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
11) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
12) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
13) [C0038] Process Micro-objective::Create Thread
14) [C0041] Process Micro-objective::Set Thread Local Storage Value
15) [C0018] Process Micro-objective::Terminate Process