MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f88a9fa1a660c17e7b87f87f9f298af97112a44a99fd7803d2c20b4a2615abfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f88a9fa1a660c17e7b87f87f9f298af97112a44a99fd7803d2c20b4a2615abfe
SHA3-384 hash: 17159a55bf1588401e42f660bccb58312b4eb57c1f0c7167a7140b15afd1ec15147152eda96969ca6092a8a22e350752
SHA1 hash: 47528582bbe64442e046cdd33c1ce1d596ee8f9f
MD5 hash: 9b872961ab4a64e825c06b4ebe5b6351
humanhash: double-sad-montana-earth
File name:011382843.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:818'176 bytes
First seen:2022-05-25 06:14:49 UTC
Last seen:2022-05-30 07:46:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:FqucPjIpxz+9BKVov/Yqb39k2sud/bMgzvj2aRu3npnj1obLvmECMt/8XshGdkrW:S8pxy9scvbhsuhb/UpnKLj958DT
Threatray 1'352 similar samples on MalwareBazaar
TLSH T17C05F1047696EE03C36813B6C0D3545423B19556AB33E68B3EC922E51E437F6ADCA78F
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d2961d3133038ee8 (24 x AgentTesla, 18 x FormBook, 8 x Loki)
Reporter lowmal3
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
5
# of downloads :
363
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
netwire
Create hunting rule
ID:
1
File name:
011382843.exe
Verdict:
Malicious activity
Analysis date:
2022-05-25 06:36:47 UTC
Tags:
trojan rat netwire
Link:
https://app.any.run/tasks/9f3cdbf3-304d-4ca0-b25a-77a443dfd3c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
NetWire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/274353/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/628dc9743223462f89e0b2d7/reports/8f2ffbed-94fa-42c5-860c-191f6c351023/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d0c2fb2-bee3-40e4-88ee-36d7ae3c2cef
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1001286
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f88a9fa1a660c17e7b87f87f9f298af97112a44a99fd7803d2c20b4a2615abfe/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 09:49:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
25 of 41 (60.98%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7cfj7ingmdax464h7b7z6kmk7fyrfjckth6xqa6syifuujqvvp7a._file
Verdict:
malicious
Similar samples:
248b5eeaa5a7e8f3269532fd94ef555ebbaeae792c67f8186df0884f343050e9
NetWire
36e16131ddd6cacceae23ff435bbc0d9ad35b16ba8152a7a1a22a9683ab51475
NetWire
59b5802d4efc538c8ab9b3abb00eca4d4f7d3f7b1127c247e6f06788f356fc81
NetWire
5bf9f321e795da8caa68cef487b457a673fc98aca56cbbcf70fdf7f180d32ec9
NetWire
8a506634172c4318cdfbe692fa43504b122562c1c601bd7b0a279635b6e4ac43
NetWire
91436d16bb81f8f3c2aea5b7f7ad0cdda2e3e327d65554b527b81f7e117bfce8
NetWire
bf313b3f5ba3c607ff160d216623797b06ce270ea0555c6cf85b52210d448b85
NetWire
c0be03e6f0a42e6f33d79770d3908e0aec566867892df5af5275991706baa4c5
NetWire
c9ead75d0d9084665d004c3d42a3ffc3c87bb826c79d33f5852df1caddf10755
NetWire
+ 1'342 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/220525-gzwm5sggd6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
b492908138d5d67723c87105198402590cf8e1e8443be1403b3fbf3592094223
MD5 hash:
beae0c080745b351c5a7107d38c51d1a
SHA1 hash:
d2101fcb327ada8ee3c8325ef30876502876b706
Link:
https://www.unpac.me/results/96ae081a-ce2d-41f9-b762-7747b908028a/
SH256 hash:
a4c66a66c5b540b535305ab9daebf8cbbd5d54ec5cc306eca78f7031cf9d3e42
MD5 hash:
92b53497230d7eb03b0d184e26b93fc1
SHA1 hash:
3e4dc28768172632571de93008ca3fae3395ae31
Detections:
win_netwire_g1
Create hunting rule
Link:
https://www.unpac.me/results/96ae081a-ce2d-41f9-b762-7747b908028a/
Parent samples :
09c5712ccf983f5013d3cd1157a15050b909b9f5f6318334e9f7da2174385015
f88a9fa1a660c17e7b87f87f9f298af97112a44a99fd7803d2c20b4a2615abfe
a5140fceb2803eef7a1c8081c3428310baaa0dea404ef86e5d2d4a96b80fe538
SH256 hash:
72c91fdad59e06742ab11408962929f766b4fbe34e6b4e730dfb02707c08a430
MD5 hash:
06b823e64681bae033de886e22f0c8b6
SHA1 hash:
0791fc63e09cf5b5e77ebebf46271b7e66a39c7c
Link:
https://www.unpac.me/results/96ae081a-ce2d-41f9-b762-7747b908028a/
SH256 hash:
09949c7536d913c6ca407701cea9fadc758bb2a43b7479afa56c08a0f3c0913e
MD5 hash:
7b84dde596e6d63e1e3797f091340b48
SHA1 hash:
f004b8e7496f94ca884950db7932a788822037ad
Link:
https://www.unpac.me/results/96ae081a-ce2d-41f9-b762-7747b908028a/
SH256 hash:
54c94f5468406a26dfdbebfbbe972c2fc2c32c60da78e110d9b7e4d8f328d997
MD5 hash:
6b8c828f0dc84fc1b8d78ff2dc4568b5
SHA1 hash:
da6e2ba0e50f8e02e5a7734ffd637381b35bd824
Link:
https://www.unpac.me/results/96ae081a-ce2d-41f9-b762-7747b908028a/
SH256 hash:
f88a9fa1a660c17e7b87f87f9f298af97112a44a99fd7803d2c20b4a2615abfe
MD5 hash:
9b872961ab4a64e825c06b4ebe5b6351
SHA1 hash:
47528582bbe64442e046cdd33c1ce1d596ee8f9f
Link:
https://www.unpac.me/results/96ae081a-ce2d-41f9-b762-7747b908028a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f88a9fa1a660c17e7b87f87f9f298af97112a44a99fd7803d2c20b4a2615abfe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe f88a9fa1a660c17e7b87f87f9f298af97112a44a99fd7803d2c20b4a2615abfe

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/274353/

Comments