MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f53a21f7dbd23dbb06174d92ba8c94f9a4296ae1271372c3e5369121aa7a6e62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f53a21f7dbd23dbb06174d92ba8c94f9a4296ae1271372c3e5369121aa7a6e62
SHA3-384 hash: e862611c2b67a5bdbc3c68039a1a10b13ad014400cb424f4bbb925265305b9d843a9527e4b3d4ab617b6909aaf2d6c17
SHA1 hash: 86479f926b9b30e62f97195bf79807e31a684148
MD5 hash: 7a87a81f2cdbfa63af7b2ef820a739c4
humanhash: music-muppet-march-salami
File name:DHL0038747896.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:777'728 bytes
First seen:2022-06-23 09:14:35 UTC
Last seen:2022-06-23 09:48:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:4ZMzJWPNeB5LxohrF9AV0xnakSzETf/YdbQpE25Fynqd/BmWbBzVxIX:tJENefV+g0xnaFwT3YOpEAx
Threatray 948 similar samples on MalwareBazaar
TLSH T1B3F4F152F2A85F9AC46263F85D26D5141377F75A852CDA0C28FAB0CE5037BC2D0A2F97
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
NetWire C2:
154.53.40.254:4433

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
154.53.40.254:4433 https://threatfox.abuse.ch/ioc/701444/

Intelligence

File Origin
# of uploads :
2
# of downloads :
382
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/282587/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
DNS request
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62b42f18a6ececa45fc4e8e4/reports/33d864d3-6674-46c7-9e19-d9779818781e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/55695bfc-b091-4850-8c74-a35672c245b3
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1018533
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 651029 Sample: DHL0038747896.exe Startdate: 23/06/2022 Architecture: WINDOWS Score: 100 32 xman2.duckdns.org 2->32 38 Malicious sample detected (through community Yara rule) 2->38 40 Yara detected NetWire RAT 2->40 42 Yara detected AntiVM3 2->42 44 6 other signatures 2->44 8 DHL0038747896.exe 7 2->8         started        signatures3 process4 file5 24 C:\Users\user\AppData\...\kssnogOXZx.exe, PE32 8->24 dropped 26 C:\Users\...\kssnogOXZx.exe:Zone.Identifier, ASCII 8->26 dropped 28 C:\Users\user\AppData\Local\...\tmp5496.tmp, XML 8->28 dropped 30 C:\Users\user\...\DHL0038747896.exe.log, ASCII 8->30 dropped 46 Uses schtasks.exe or at.exe to add and modify task schedules 8->46 48 Writes to foreign memory regions 8->48 50 Allocates memory in foreign processes 8->50 52 2 other signatures 8->52 12 vbc.exe 2 8->12         started        16 powershell.exe 25 8->16         started        18 schtasks.exe 1 8->18         started        signatures6 process7 dnsIp8 34 xman2.duckdns.org 154.53.40.254, 4433, 49745, 49746 COGENT-174US United States 12->34 36 192.168.2.1 unknown unknown 12->36 54 Found evasive API chain (may stop execution after checking mutex) 12->54 56 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 12->56 20 conhost.exe 16->20         started        22 conhost.exe 18->22         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f53a21f7dbd23dbb06174d92ba8c94f9a4296ae1271372c3e5369121aa7a6e62/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-23 09:15:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6u5cd5632i63wbqxjwjlvdeu7gscs2xbe4jxfq7fg2isdkt2nzra._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
128a8048d3b0c7279c6634076d2153fd727bf24673d701cddf6801ab010d55e7
NetWire
2827bdbc3b1d06f967618d657a5186d96493af1d9325ac545b589330db598e69
NetWire
31303bbf52a52527c7aeb11e8e2a8076b097952a9d6a760a6c8b247928e8a0d4
NetWire
45d1b699698ba99b1a8c51ef57d3ed895b762f418cc05f8c54425e3cebcea4c0
NetWire
6c01cab75c9caaf8e00850ef763246c4b2ec0f0e1ce79e205a00356d031240f2
NetWire
805349748fac13914897312f803dddd30c94c64287016ce9f0ace62aaddc752e
NetWire
98757d38bdbe966a734be8f2ee396d8df92c9cf9b22da68c11d474cd052f8236
NetWire
b3c1d0252adba6ec3d9209c8e79e934ae8a43d3b8f6bc1e1f29df40d6fedf04e
NetWire
bb3badcf4159c2db2028003d745932747ebffe2f4faa9b8e124d53495b0a25ea
NetWire
ee02123ae50f55b649c1353cd064f1d39edd1f0a01e2a74bf1f0aa2a4ff6e828
NetWire
+ 938 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/220623-k7wvnafbe9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
xman2.duckdns.org:4433
Unpacked files
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/3f606ab3-4b37-4be6-8d3a-dfbf0a3e2eff/
SH256 hash:
44d19d7f2f0c11eded7a4c86ab343ef45dba35f64c832e7e03ac0c37ddc8f720
MD5 hash:
643c5001ec573c78d4dfce756f050623
SHA1 hash:
63e932a601f9b4ce5531443abf53c0b0bf3e21f3
Link:
https://www.unpac.me/results/3f606ab3-4b37-4be6-8d3a-dfbf0a3e2eff/
SH256 hash:
f89026d3aae7af784c52bd53dbd8c9870c3333485a0ce3076470a8b6e80e4c45
MD5 hash:
9342f9bea28edf9885f288c2f2cf0485
SHA1 hash:
43215a8bebbef46a266faa44aa2d673a973b588c
Link:
https://www.unpac.me/results/3f606ab3-4b37-4be6-8d3a-dfbf0a3e2eff/
SH256 hash:
880c9ff80de33cde042ab26d75677dab18fdc7695908d615c44efa8b5d8e088a
MD5 hash:
07e1e5baea35d75e784cce3b991a5fdc
SHA1 hash:
2f5cd9ad4acec13ddb49f9d69093f9fe475342c2
Link:
https://www.unpac.me/results/3f606ab3-4b37-4be6-8d3a-dfbf0a3e2eff/
SH256 hash:
266508dce1a3c5c7e5589c5af137856377354c330a3c87116adca28479daf0dd
MD5 hash:
2082941d28cfc542068a8fb3df2a99c8
SHA1 hash:
0bf2bdc753e6f7766e7870a99602c11a1945936b
Detections:
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/3f606ab3-4b37-4be6-8d3a-dfbf0a3e2eff/
SH256 hash:
f53a21f7dbd23dbb06174d92ba8c94f9a4296ae1271372c3e5369121aa7a6e62
MD5 hash:
7a87a81f2cdbfa63af7b2ef820a739c4
SHA1 hash:
86479f926b9b30e62f97195bf79807e31a684148
Link:
https://www.unpac.me/results/3f606ab3-4b37-4be6-8d3a-dfbf0a3e2eff/
Malware family:
Netwire
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f53a21f7dbd2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f53a21f7dbd23dbb06174d92ba8c94f9a4296ae1271372c3e5369121aa7a6e62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/282587/

Comments