MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f847c4abf2105e997260161da48567968b7be870ae8e92e2ec6e5959e556bb5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f847c4abf2105e997260161da48567968b7be870ae8e92e2ec6e5959e556bb5e
SHA3-384 hash: 1b7a56235454f530a411696c8740e5337487c22a40e214bb268d1d0a0c7ac88fae48908a92653edb58ac4b7849902224
SHA1 hash: a875a7853bcbfaa0f52b1d403cc3006ee453354d
MD5 hash: aff3a4ce7643f274aaa725c69982b39a
humanhash: william-sixteen-east-steak
File name:MORE INFORMATIONS.doc.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'542'144 bytes
First seen:2020-08-15 06:02:39 UTC
Last seen:2020-08-15 06:52:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:+4EcmZHAFaxmVmie9bngPrcaGr+PVXOmTaZ0CN7VFQMdYn9tebgtiRRZjlx:+4EcmZHAFaxmVmie9bngPgaGINOm+LNJ
Threatray 44 similar samples on MalwareBazaar
TLSH 3A65DE8A35805B6DE6E9DAB23520680407635F874BE1992B79A4FFA0C3F76C03F754C6
Reporter abuse_ch
Tags:exe NetWire RAT


Avatar
abuse_ch
Malspam distributing NetWire:

HELO: outsmtp02.sadecehosting.com
Sending IP: 77.92.152.38
From: defnenet@rcp01.hosting.sh.com.tr
Reply-To: mdaan23480@gmail.com
Subject: COOPARATION OFFER
Attachment: MORE_INFORMATIONS.doc.zip (contains "MORE INFORMATIONS.doc.exe")

NetWire RAT C2:
djohn-fax.home-webserver.de:1020 (88.198.101.62)

Intelligence

File Origin
# of uploads :
2
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46232/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.50805.22762.4735.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/431700
Signature
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Sigma detected: NetWire
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 268267 Sample: MORE INFORMATIONS.doc.exe Startdate: 16/08/2020 Architecture: WINDOWS Score: 100 52 Sigma detected: Scheduled temp file as task from temp location 2->52 54 Yara detected NetWire RAT 2->54 56 Yara detected AntiVM_3 2->56 58 6 other signatures 2->58 10 MORE INFORMATIONS.doc.exe 3 2->10         started        process3 process4 12 MORE INFORMATIONS.doc.exe 2 10->12         started        signatures5 62 Injects a PE file into a foreign processes 12->62 15 MORE INFORMATIONS.doc.exe 6 12->15         started        19 MORE INFORMATIONS.doc.exe 12->19         started        21 MORE INFORMATIONS.doc.exe 12->21         started        23 2 other processes 12->23 process6 file7 44 C:\Users\user\AppData\Local\...\tmpA208.tmp, XML 15->44 dropped 46 C:\Users\user\AppData\...\TaQsqTwtYun.exe, PE32 15->46 dropped 50 Injects a PE file into a foreign processes 15->50 25 MORE INFORMATIONS.doc.exe 6 15->25         started        29 schtasks.exe 1 15->29         started        signatures8 process9 file10 42 C:\Users\user\AppData\...\QOqPpxsRSrpfJY.exe, PE32 25->42 dropped 60 Injects a PE file into a foreign processes 25->60 31 MORE INFORMATIONS.doc.exe 2 25->31         started        34 schtasks.exe 1 25->34         started        36 MORE INFORMATIONS.doc.exe 25->36         started        38 conhost.exe 29->38         started        signatures11 process12 dnsIp13 48 djohn-fax.home-webserver.de 217.182.15.130, 1020, 49724 OVHFR France 31->48 40 conhost.exe 34->40         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f847c4abf2105e997260161da48567968b7be870ae8e92e2ec6e5959e556bb5e/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-15 06:04:10 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7bd4jk7scbpjs4tacyo2jblhs2fxx2dqv2hjfyxmnzmvtzkwxnpa._file
Verdict:
suspicious
Similar samples:
0bf6ccdd920a50186f7318c51564ecc8f502302b084a5fda3feadb0d51e40f24
NetWire
117cca28917405c65fd9e824b381006f453618e5d8c2e080482c1df59a6b8848
NetWire
2f9d83d844287396dcaf52b5c15c1dacc92bc4ae2e2777d24c8d09465037ace3
NetWire
5042521b58a756c07c9b4d6546b2d6a33c16c49ec60e65d190f17fdb7db006f8
NetWire
6011714f77a9cfdf682b04df3490a0ca227d9a64074946304b8ccd0c83e6264e
NetWire
ac88ad4f977c60a4e265cb5390c408c8979da9d1bb3c9b5c0a3698f359366bbe
NetWire
af2c5c77ba52532806daae8bffadb2c5a4073009e0f485302d2c816ff315a8a7
NetWire
ca2ac9192f0d9fe769d59b389543d410921d56b2231a639fd99ae5ffc9c275ef
NetWire
da7f542b91835ba3090350c2936641058c361e332eda9222f0674dfcbefd4ce9
NetWire
e1cc292b3eb8e646e0c778966a3150d2f278e1394059cf31106301bb003d273f
NetWire
+ 34 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/200815-bf6k1h1wga/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/f847c4abf2105e997260161da48567968b7be870ae8e92e2ec6e5959e556bb5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

zip 7707bead406041ea234d7249f0fc9cbb3e311794856ad6446e04d0e1062cd637

NetWire

Executable exe f847c4abf2105e997260161da48567968b7be870ae8e92e2ec6e5959e556bb5e

(this sample)

  
Dropped by
MD5 beadc5793699fe8d3db502245f5a23db
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46232/
  
Dropped by
SHA256 7707bead406041ea234d7249f0fc9cbb3e311794856ad6446e04d0e1062cd637

Comments