MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f04be193c52029bdefce7211c67c328a4bdfbaa2653679a6e528d86bf2d7dd9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f04be193c52029bdefce7211c67c328a4bdfbaa2653679a6e528d86bf2d7dd9d
SHA3-384 hash: ed3948e8ae055e1bb6625beb7595b3bf8598a74f0a597e500d37e53cfba224c1348be2804cba5f707d66d3a372e1d826
SHA1 hash: 294d498cc958370b2ce1d6b7573680006b7ec7a7
MD5 hash: 168e22315d383afa8578738ce20a948a
humanhash: red-equal-ack-bulldog
File name:f04be193c52029bdefce7211c67c328a4bdfbaa2653679a6e528d86bf2d7dd9d
Download: download sample
Signature NetWire
Create hunting rule
File size:365'568 bytes
First seen:2021-09-23 07:12:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bba03710573bf50f7fc2e8ecd64646dc (1 x NetWire)
ssdeep 6144:Dk7HSZAGgdGSO8sz4wfEAOFQxM3QLylFzk8x2dQ32SY/XDzYtaw:D2IlgdGZS4xM3+yHY84dQmrzzAaw
Threatray 1'047 similar samples on MalwareBazaar
TLSH T10574CF2474D28473D476053A08F4EBB8893EBD550B1589EFA7D8077F8F343D0AA316AA
File icon (PE):PE icon
dhash icon e0d092b2ca8cc4f0 (1 x NetWire)
Reporter JAMESWT_WT
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
1
# of downloads :
535
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f04be193c52029bdefce7211c67c328a4bdfbaa2653679a6e528d86bf2d7dd9d
Verdict:
Suspicious activity
Analysis date:
2021-09-23 08:04:47 UTC
Tags:
trojan netwire
Link:
https://app.any.run/tasks/024b5e53-3af1-4dc2-b271-37898f15b799

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190648/
Detection(s):
Win.Malware.NetWire-9888539-1
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf27c5d2-c5be-489d-bee3-fb72888cf6d4
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856303
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 488736 Sample: r358ecJTg8 Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 6 other signatures 2->61 8 r358ecJTg8.exe 1 2->8         started        11 Adobe Reader.exe 1 2->11         started        13 Adobe Reader.exe 1 2->13         started        process3 signatures4 65 Contains functionality to steal Chrome passwords or cookies 8->65 15 r358ecJTg8.exe 1 8->15         started        18 cmd.exe 3 8->18         started        20 conhost.exe 8->20         started        67 Injects a PE file into a foreign processes 11->67 22 cmd.exe 1 11->22         started        24 Adobe Reader.exe 11->24         started        26 conhost.exe 11->26         started        28 cmd.exe 1 13->28         started        30 Adobe Reader.exe 13->30         started        32 conhost.exe 13->32         started        process5 signatures6 69 Injects a PE file into a foreign processes 15->69 34 cmd.exe 2 15->34         started        38 r358ecJTg8.exe 2 15->38         started        71 Uses cmd line tools excessively to alter registry or file data 18->71 41 reg.exe 1 1 18->41         started        43 reg.exe 1 22->43         started        45 reg.exe 1 28->45         started        process7 dnsIp8 49 C:\Users\user\AppData\...\Adobe Reader.exe, PE32 34->49 dropped 51 C:\Users\...\Adobe Reader.exe:Zone.Identifier, ASCII 34->51 dropped 63 Uses cmd line tools excessively to alter registry or file data 34->63 47 reg.exe 1 34->47         started        53 66.154.103.106, 13374, 49737, 49738 ASN-QUADRANET-GLOBALUS Canada 38->53 file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f04be193c52029bdefce7211c67c328a4bdfbaa2653679a6e528d86bf2d7dd9d/
Threat name:
Win32.Backdoor.NetWireRAT
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 15:50:00 UTC
AV detection:
30 of 45 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6bf6de6feau3336ooii4m7bsrjf57ovcmu3htjxffdmgx4wx3woq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0f67fd50b46ca7283dc172211a42e3ffab7b524a1e2e23433c34c88e657cd364
NetWire
5226a12dc7f7b5e28732ad8b5ad6fa9a35eadfbeec122d798cd53c5ef73fe86a
NetWire
557b7d3dbc3f34338f5a6c1467f399abc0b3ef004d7378b7ff78f80d96fbc244
NetWire
7b9a1aa88be62eb638af26146fce0a1b71aec646d2495fb350dd6d56997e7582
NetWire
91f4cceeb3b8d11e2408bd72aead7513f7031226e5ebc969611379b1bd04256a
NetWire
cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
NetWire
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
NetWire
+ 1'037 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/210923-h147cafgc8/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
66.154.103.106:13374
Unpacked files
SH256 hash:
f7973974b06ffb1c2d29c79e2c8596679eaf3c99bf5328bb948053006ea78f7b
MD5 hash:
6dcb2cbe83abe9f34e4d9cfdedf88500
SHA1 hash:
3fe86d41d9ef6705f924e6ee68b2347cde61ca46
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/2fcce173-9aed-475c-8b4b-3518c67007db/
Parent samples :
cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
f04be193c52029bdefce7211c67c328a4bdfbaa2653679a6e528d86bf2d7dd9d
SH256 hash:
f04be193c52029bdefce7211c67c328a4bdfbaa2653679a6e528d86bf2d7dd9d
MD5 hash:
168e22315d383afa8578738ce20a948a
SHA1 hash:
294d498cc958370b2ce1d6b7573680006b7ec7a7
Link:
https://www.unpac.me/results/2fcce173-9aed-475c-8b4b-3518c67007db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f04be193c52029bdefce7211c67c328a4bdfbaa2653679a6e528d86bf2d7dd9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190648/

Comments