MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f77b3b293e8f2218082419742b85c2156fe8c13353cec54ba021e26312d3698f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	f77b3b293e8f2218082419742b85c2156fe8c13353cec54ba021e26312d3698f
SHA3-384 hash:	c53597667f1de5644175fac3c5b553bf7480d1121835e2c52fdc6e5cc4bbabcd44c3d40bfda78ebc9304a19cb1a88344
SHA1 hash:	7bc871be5b1905692eb1a6d93158668092cdb51c
MD5 hash:	059d96b63981600043166193b25f479e
humanhash:	beryllium-east-iowa-coffee
File name:	059d96b63981600043166193b25f479e.exe
Download:	download sample
Signature	NetWire Create hunting rule
File size:	247'663 bytes
First seen:	2021-03-03 06:14:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	6144:N8LxBY7vyBX+kFMUfuCqQTgYLpGYR7/XGhieXdAZdaP:p7QX+JUfdqQEA7uhieXdAZd2
TLSH	B3340176B89189A3F9B287744361A965F7B54DC85CF1CC4B8B803A277AF31C3065A90F
Reporter	abuse_ch
Tags:	exe NetWire RAT

abuse_ch

NetWire RAT C2:
severdops.ddns.net:7390

Intelligence

File Origin

# of uploads :

# of downloads :

311

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

IMAGE2102100021110001.js

Verdict:

Malicious activity

Analysis date:

2021-03-03 06:15:37 UTC

Tags:

loader trojan netwire

Link:

https://app.any.run/tasks/f6d8e76f-3d46-4171-ad1f-0e3721d2f7b8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NetWire

Link:

https://www.capesandbox.com/analysis/121184/

Detection(s):

PUA.Win.Downloader.Soft32downloader-6691270-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Unauthorized injection to a recently created process

DNS request

Connection attempt

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

NetWire

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/625479

Signature

Contains functionality to log keystrokes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Internet Explorer form passwords

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: NetWire

Uses dynamic DNS services

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f77b3b293e8f2218082419742b85c2156fe8c13353cec54ba021e26312d3698f/

Threat name:

Win32.PUA.Wacapew

Status:

Malicious

First seen:

2021-03-03 06:15:13 UTC

AV detection:

19 of 47 (40.43%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=655twkj6r4rbqcbedf2cxboccvx6rqjtkphmks5aehrggewtnghq._file

Result

Malware family:

netwire

Score:

10/10

Tags:

family:netwire botnet rat stealer

Link:

https://tria.ge/reports/210303-m5j2d7lkea/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

NetWire RAT payload

Netwire

Unpacked files

SH256 hash:

96bd5ffbb80da05ab52772e4e6de235ef3b75d4823daec84a981559e73989ef8

MD5 hash:

f82eac7f1f593e36cd6c783c2085384a

SHA1 hash:

7f9553b5804d69f3d81fc6fbe1cc60388946cd85

Detections:

win_netwire_g1

win_netwire_auto

Link:

https://www.unpac.me/results/17fc91e7-b937-4bca-9837-4711db688ab7/

Parent samples :

f77b3b293e8f2218082419742b85c2156fe8c13353cec54ba021e26312d3698f
63d0937af7bf53fe0b74ae6631452ff2d254ab6c7e1d0a62372f1f6992a1a1fd

SH256 hash:

34b8fa81e55222dd7bdcf4f585c8b7b041182fb3dc36463efc88fc34d4437911

MD5 hash:

1db4e4a8ab63672735213bf187508898

SHA1 hash:

3af9cd6be2722a135b5c40bf99a57c0a7d037cc4

Link:

https://www.unpac.me/results/17fc91e7-b937-4bca-9837-4711db688ab7/

SH256 hash:

70a16730ec76b2ba4cd725c410252df8fc6166dce07aaf2f3a7849cd3aed8347

MD5 hash:

e54640ebb8c6d700031db04912e24f51

SHA1 hash:

547fd55ad68e63a9d43c774848c78d890b49168a

Link:

https://www.unpac.me/results/17fc91e7-b937-4bca-9837-4711db688ab7/

SH256 hash:

f77b3b293e8f2218082419742b85c2156fe8c13353cec54ba021e26312d3698f

MD5 hash:

059d96b63981600043166193b25f479e

SHA1 hash:

7bc871be5b1905692eb1a6d93158668092cdb51c

Link:

https://www.unpac.me/results/17fc91e7-b937-4bca-9837-4711db688ab7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.47

Link:

https://yomi.yoroi.company/submissions/f77b3b293e8f2218082419742b85c2156fe8c13353cec54ba021e26312d3698f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	MALWARE_Win_NetWire Create hunting rule
Author:	ditekSHen
Description:	Detects NetWire RAT

Rule name:	win_netwire_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator