MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fadc99d77a3c3f3483b63596d5ead642ecafb0bb52342c975efdbfd26a87f166. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fadc99d77a3c3f3483b63596d5ead642ecafb0bb52342c975efdbfd26a87f166
SHA3-384 hash: a24e75d7b725be6945b7c34d57edcfc2640851e73794e494f525d02b57c6d718939631104d27e19a120677e2fa0eab95
SHA1 hash: b691f69ac52107657679bd7120b374f84f42a6e3
MD5 hash: a6ffb99ff7a196d8a340faf3a8d49d51
humanhash: charlie-eleven-muppet-purple
File name:WabtecPOREQ00921.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:1'078'512 bytes
First seen:2021-02-01 14:31:01 UTC
Last seen:2021-02-01 16:29:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 699c56e4bac62bd316332ce2372bf95c (1 x Formbook, 1 x NetWire)
ssdeep 12288:bsbH80N0+CcJTs+5n9LECu3OXQUP41WVj4V688nOfqHN+3x7y6Mx+QXX1x6tcn:bAnCcbneCUFU5jXJz+DM4QVpn
Threatray 370 similar samples on MalwareBazaar
TLSH D5358E61A1604532F13367B8E81F569426A57E3F3E285F45EAE80D4E0F2F2807D6927F
Reporter James_inthe_box
Tags:exe NetWire

Code Signing Certificate

Organisation:Symantec Time Stamping Services CA - G2
Issuer:Thawte Timestamping CA
Algorithm:sha1WithRSAEncryption
Valid from:Dec 21 00:00:00 2012 GMT
Valid to:Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
WabtecPOREQ00921.exe
Verdict:
Malicious activity
Analysis date:
2021-02-01 14:47:06 UTC
Tags:
trojan netwire
Link:
https://app.any.run/tasks/08307c28-0208-43a6-97c3-e8ec788ceede

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114962/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Deleting a recently created file
Unauthorized injection to a recently created process
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/595464
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: NetWire
Sigma detected: Suspicious Program Location Process Starts
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fadc99d77a3c3f3483b63596d5ead642ecafb0bb52342c975efdbfd26a87f166/
Threat name:
Win32.Infostealer.BestaFera
Create hunting rule
Status:
Malicious
First seen:
2021-02-01 08:27:35 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7lojtv32hq7tja5wgwlnl2wwilwk7mf3ki2czf267w75e2uh6fta._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
151f57078e89aa2f81fcb307bf88fe23e9f2437a4df1e37def5d0b78797e12f8
NetWire
2e54ae1fe78471492cc217d238fcd7f0158ae8f22a35e9576a91b3a6614c2d08
NetWire
2e5d08e10497cdd14499b4ae823f7d639a738d37784882db758e70fa3804e4e9
NetWire
573f11821c72786131d82bcdb3744b83d01615c25489f4cf2c46181ae6143226
NetWire
6bcd9c589b51cbd1011942b2bdaeaab62748c7380a17336b35bf589c880553b8
NetWire
7b9a1aa88be62eb638af26146fce0a1b71aec646d2495fb350dd6d56997e7582
NetWire
7c7a7c3e89daeb57bcd8fe5a895461161efafa3a5b2f111e0e23aff6b3f9535a
NetWire
af9cd43a93f367a04bfc05abe54327de1bbd7857ca85e1665828d557d6459b62
NetWire
df2688f6f88ea0e66b46d856e514adf25f8456cb4e45c849233799e17b1171e3
NetWire
e04977f7d1fbf8b3a69237bbd2170af6c3046a8ce29e2732cd7c72f079f0e0f8
NetWire
+ 360 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet persistence rat stealer
Link:
https://tria.ge/reports/210201-3h96pq7fre/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
NetWire RAT payload
Netwire
Unpacked files
SH256 hash:
c7385cf608325b7521aec35e1cc1d096ee6d1523f06677ee9761d5b52e9e56b6
MD5 hash:
7f252ebbd7f09b34f16e03f806db27c0
SHA1 hash:
c44771e4a7123d45261b0a87851f69f8c9d6eef6
Link:
https://www.unpac.me/results/2b86d7d1-6b9c-41af-8496-292e9c0e953f/
SH256 hash:
fadc99d77a3c3f3483b63596d5ead642ecafb0bb52342c975efdbfd26a87f166
MD5 hash:
a6ffb99ff7a196d8a340faf3a8d49d51
SHA1 hash:
b691f69ac52107657679bd7120b374f84f42a6e3
Link:
https://www.unpac.me/results/2b86d7d1-6b9c-41af-8496-292e9c0e953f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fadc99d77a3c3f3483b63596d5ead642ecafb0bb52342c975efdbfd26a87f166

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/114962/

Comments