MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa7af6b88b54a5210f0ce1e5415024049ce296a6736cfdbfe6364b548f16b2d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 9

SHA256 hash: fa7af6b88b54a5210f0ce1e5415024049ce296a6736cfdbfe6364b548f16b2d5
SHA3-384 hash: 2844f15c5f16f0de0e30fe8bab6a5f180993c9a4c64def446668114d358ccd97f120a7de3309279b818baac76065e899
SHA1 hash: 18e98f49b44046fed0ae7ee23d29653d6f40f09e
MD5 hash: 0f7acac42bf200953c39a59dc526abf4
humanhash: muppet-early-beer-delaware
File name: PAYMENT.EXE.exe
Signature: NetWire
File size: 747'520 bytes
First seen: 2022-07-28 09:45:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:00rcvxg+ugGp3/BxTGfZCeRUMr4/8r4fJf4UcbLljC3smrs7eSTktyKninqt2+C:PuxgP9JxTGfNQP3AoFs7eSqrinqBC
TLSH: T184F4DF51B5A88B22E66EE7F8947421102BF17C2A392AE34D7EC134CE08B3F544E75E53
TrID: 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: exe NetWire RAT


abuse_ch
NetWire C2:
37.0.14.199:3374

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
37.0.14.199:3374 | https://threatfox.abuse.ch/ioc/839940/

Intelligence


File Origin
# of uploads: 1
# of downloads: 382
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: NetWire
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Initial sample is a PE file and has a suspicious name
Injects a PE file into foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Netwire RAT
Behaviour
Threat name: ByteCode-MSIL.Backdoor.Androm
Status: Malicious
First seen: 2022-07-28 09:46:08 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 23 of 26 (88.46%)
Threat level: 5/5

Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet rat stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
37.0.14.199:3374
37.0.14.199:3377
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.