MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f250ac555d8a417883aec028d6b80e0eb627686d08a56f2c5e5bbb04c0ecbf85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f250ac555d8a417883aec028d6b80e0eb627686d08a56f2c5e5bbb04c0ecbf85
SHA3-384 hash: 5d6a0de54acbe9f877847e3837bf0846d900bdcd1b7414e48081f75ddbaa5333dbca51cf594914d319953acc91bd59fc
SHA1 hash: c359f7237425521c59dec5d620c40f00853c2a3c
MD5 hash: 2d2591e482c2d0543023a6b2b7f5dc94
humanhash: quebec-papa-lion-paris
File name:PO-13916.jpeg.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:292'797 bytes
First seen:2021-05-25 06:17:56 UTC
Last seen:2021-05-25 07:07:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:cspL7LYDMLszZ8S8E7HtXVl3/ncvQHa0x2PAASK5w:VL7VaZdTtXn3/cAmw
Threatray 433 similar samples on MalwareBazaar
TLSH F554E0C9E5844494DC7297300C7AFD7B2B937C3A5ABD111EAE4DF23A4F771922222366
Reporter abuse_ch
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
335
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/161630/
Detection(s):
PUA.Win.Trojan.Casino-141
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Creating a file in the %AppData% subdirectories
Launching a process
Creating a window
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/792084
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dridex Process Pattern
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 424481 Sample: PO-13916.jpeg.exe Startdate: 25/05/2021 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected NetWire RAT 2->43 45 5 other signatures 2->45 7 PO-13916.jpeg.exe 1 23 2->7         started        10 qxxtoohxgmn.exe 18 2->10         started        process3 file4 27 C:\Users\user\AppData\...\qxxtoohxgmn.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\Local\...\System.dll, PE32 7->29 dropped 13 PO-13916.jpeg.exe 19 7->13         started        17 svchost.exe 7->17         started        31 C:\Users\user\AppData\Local\...\System.dll, PE32 10->31 dropped 49 Multi AV Scanner detection for dropped file 10->49 51 Machine Learning detection for dropped file 10->51 19 qxxtoohxgmn.exe 16 10->19         started        21 svchost.exe 10->21         started        signatures5 process6 file7 33 C:\Users\user\AppData\Local\...\System.dll, PE32 13->33 dropped 53 Writes to foreign memory regions 13->53 55 Maps a DLL or memory area into another process 13->55 23 svchost.exe 2 13->23         started        57 System process connects to network (likely due to code injection or exploit) 17->57 59 Contains functionality to steal Chrome passwords or cookies 17->59 signatures8 process9 dnsIp10 35 netwire.linkpc.net 193.104.222.76, 6000 TELIANETTeliaCarrierEU unknown 23->35 37 192.168.2.1 unknown unknown 23->37 47 System process connects to network (likely due to code injection or exploit) 23->47 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f250ac555d8a417883aec028d6b80e0eb627686d08a56f2c5e5bbb04c0ecbf85/
Threat name:
Win32.Spyware.Xegumumune
Create hunting rule
Status:
Malicious
First seen:
2021-05-25 03:01:33 UTC
AV detection:
7 of 47 (14.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6jikyvk5rjaxra5oyaunnoaob23co2dnbcsw6lc6lo5qjqhmx6cq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
3434bb383c8dd721266f60e07820474205d70c5da9ebb465109ace7894567437
NetWire
6ba5c67ab5a2f0905d5140b65b193d1062bcba3abb6e9755efe2a862f753cc95
NetWire
76947dcfe886fe0e3273c7723140533999741f239a2ad7568a460cae74bb0e50
NetWire
87c89f29aaa5dd79839585af00f1d29fa406e18ee341b23aa08f471b8c096f8b
NetWire
90dbd6dce0e0e7013656333f1cd8a9b7660e0e40e782a622856800c52e980d3e
NetWire
a7813261c3c899e29185faee49f8a63d4e81a2da6acccb4cc57add4c5646e37d
NetWire
ee105aefe05012972398fb6eed4c5b408b1c7c81072a5b97e99cd4072c4f853f
NetWire
f5c3a4c6e9a672d984b794977cac7cc5ce38b6ab3c76bb79227217cc432a6ad9
NetWire
f5d88ee96cd5fbdda828c9ec267600fb6308a11318f8290d6d15d34f64070f05
NetWire
fefea87ebfbd43c789033d46905fd2a11b8ea9d4c6b57691f23a89e8f8687992
NetWire
+ 423 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/210525-hv6pj8ycan/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
netwire.linkpc.net:6000
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.83
Link:
https://yomi.yoroi.company/submissions/f250ac555d8a417883aec028d6b80e0eb627686d08a56f2c5e5bbb04c0ecbf85

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_netwire_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe f250ac555d8a417883aec028d6b80e0eb627686d08a56f2c5e5bbb04c0ecbf85

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/161630/

Comments