MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f52b398d958c3ebda27ec4f40d4f788bdf6cb514cf43cdc5687d8ada61a0ea38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f52b398d958c3ebda27ec4f40d4f788bdf6cb514cf43cdc5687d8ada61a0ea38
SHA3-384 hash: 23432bafbfef26e902be7d6c0127bbd5007063615d2c92d17cbba891eaa91ebee19a1b310f3ad85f341ede5aca281386
SHA1 hash: ebfedead60dd198f87932369859e42f9436ddf2f
MD5 hash: 777a79953b2d85aba7c28c736a41f027
humanhash: virginia-high-music-green
File name:2 (2).exe
Download: download sample
Signature NetWire
Create hunting rule
File size:966'656 bytes
First seen:2022-04-22 10:10:50 UTC
Last seen:2022-04-22 10:47:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9ce2f30aeb19f24c41844bd28f56defc (1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:ueiJMC6q9g89SmxrmogsE43GWpy8YlEvGjBjufY8afqUKzaRHr:tiuCq89SmxysECLtY2vCqaynz
Threatray 7'578 similar samples on MalwareBazaar
TLSH T1D8254A31A2A005F2E4625E758E5E92B4BF667E00DD24954EE6F4BDC83A373C1E0251FB
TrID 22.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
20.6% (.SCR) Windows screen saver (13101/52/3)
16.5% (.EXE) Win64 Executable (generic) (10523/12/4)
15.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
7.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
91.207.57.115:5019

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.207.57.115:5019 https://threatfox.abuse.ch/ioc/524814/

Intelligence

File Origin
# of uploads :
2
# of downloads :
437
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265745/
Detection(s):
SecuriteInfo.com.Variant.Jaik.66705.27885.4754.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger mini pos replace.exe
Link:
https://www.filescan.io/uploads/62628899ee7d742c7f2b6ef9/reports/a7b75348-a584-470d-b1da-cbc614918102/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe72dce5-82c7-4838-b71c-2b9e594f11f3
Result
Threat name:
DBatLoader NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/981274
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Program Location with Network Connections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 613757 Sample: 2 (2).exe Startdate: 22/04/2022 Architecture: WINDOWS Score: 100 62 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 3 other signatures 2->68 9 2 (2).exe 1 22 2->9         started        14 Prbvhxq.exe 14 2->14         started        16 Prbvhxq.exe 17 2->16         started        process3 dnsIp4 48 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49729, 49731 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 9->48 50 onedrive.live.com 9->50 56 2 other IPs or domains 9->56 38 C:\Users\Public\Libraries\Prbvhxq.exe, PE32 9->38 dropped 40 C:\Users\...\Prbvhxq.exe:Zone.Identifier, ASCII 9->40 dropped 72 Writes to foreign memory regions 9->72 74 Creates a thread in another existing process (thread injection) 9->74 76 Injects a PE file into a foreign processes 9->76 18 logagent.exe 9->18         started        22 cmd.exe 1 9->22         started        52 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49760, 49767 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 14->52 54 onedrive.live.com 14->54 58 2 other IPs or domains 14->58 78 Multi AV Scanner detection for dropped file 14->78 80 Allocates memory in foreign processes 14->80 24 logagent.exe 14->24         started        60 3 other IPs or domains 16->60 26 DpiScaling.exe 16->26         started        file5 signatures6 process7 dnsIp8 42 91.207.57.115, 49818, 5019 M247GB United Kingdom 18->42 44 199.249.223.130, 5019 QUINTEXUS United States 18->44 46 2 other IPs or domains 18->46 70 Found evasive API chain (may stop execution after checking mutex) 18->70 28 cmd.exe 1 22->28         started        30 conhost.exe 22->30         started        signatures9 process10 process11 32 net.exe 1 28->32         started        34 conhost.exe 28->34         started        process12 36 net1.exe 1 32->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f52b398d958c3ebda27ec4f40d4f788bdf6cb514cf43cdc5687d8ada61a0ea38/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-04-22 10:11:10 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
10 of 42 (23.81%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6uvttdmvrq7l3it6yt2a2t3yrppwzniuz5b43rlipwfnuyna5i4a._file
Verdict:
malicious
Similar samples:
25f95bec948dd2f304c9a68b61e057d3f7ac656ec3b9849c87c0751949e858e8
NetWire
6299e5f3946878e16130c6454bcd90bf319b3dcf8bd13d9a56bb867ba82eb655
NetWire
9c9243f11dd44d1f1ac97716014be57244dca97a514e73d5f13da03392cba358
NetWire
9ea23f24620fd64243f22df105d30b97810377238aed2fd83aa31665198175db
NetWire
b2d45c9e0e80aa26cec7cfdd54a0bcd634de6233d68450374488b89ed3db47dc
NetWire
ba1b1f218d5236e121b68da9183c90e8e6640f91c77a5e8d0ea5eead270f2199
NetWire
bd09b7f6ad0ca7e7c74eee9ecab5fd3de92f24529c708370710161847d0861be
NetWire
cc584053d88f795417a45c3f1eec2ccd26d42187ee6363f765a9af5e3f8ab8f8
NetWire
+ 7'568 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/220422-l7x86abgh2/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
f52b398d958c3ebda27ec4f40d4f788bdf6cb514cf43cdc5687d8ada61a0ea38
MD5 hash:
777a79953b2d85aba7c28c736a41f027
SHA1 hash:
ebfedead60dd198f87932369859e42f9436ddf2f
Link:
https://www.unpac.me/results/57563967-b8ef-4c2a-8fa4-77e26c27529d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f52b398d958c3ebda27ec4f40d4f788bdf6cb514cf43cdc5687d8ada61a0ea38

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/265745/

Comments