MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fadc99d77a3c3f3483b63596d5ead642ecafb0bb52342c975efdbfd26a87f166. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 10

SHA256 hash: fadc99d77a3c3f3483b63596d5ead642ecafb0bb52342c975efdbfd26a87f166
SHA3-384 hash: a24e75d7b725be6945b7c34d57edcfc2640851e73794e494f525d02b57c6d718939631104d27e19a120677e2fa0eab95
SHA1 hash: b691f69ac52107657679bd7120b374f84f42a6e3
MD5 hash: a6ffb99ff7a196d8a340faf3a8d49d51
humanhash: charlie-eleven-muppet-purple
File name: WabtecPOREQ00921.exe
Signature: NetWire
File size: 1'078'512 bytes
First seen: 2021-02-01 14:31:01 UTC
Last seen: 2021-02-01 16:29:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 699c56e4bac62bd316332ce2372bf95c (1 x Formbook, 1 x NetWire)
ssdeep: 12288:bsbH80N0+CcJTs+5n9LECu3OXQUP41WVj4V688nOfqHN+3x7y6Mx+QXX1x6tcn:bAnCcbneCUFU5jXJz+DM4QVpn
Threatray: 370 similar samples on MalwareBazaar
TLSH: D5358E61A1604532F13367B8E81F569426A57E3F3E285F45EAE80D4E0F2F2807D6927F
Reporter: James_inthe_box
Tags: exe NetWire

Code Signing Certificate

Organisation: Symantec Time Stamping Services CA - G2
Issuer: Thawte Timestamping CA
Algorithm: sha1WithRSAEncryption
Valid from: Dec 21 00:00:00 2012 GMT
Valid to: Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 2
# of downloads: 279
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: WabtecPOREQ00921.exe
Verdict: Malicious activity
Analysis date: 2021-02-01 14:47:06 UTC
Tags: trojan netwire

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Deleting a recently created file
Unauthorized injection to a recently created process
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: NetWire
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: NetWire
Sigma detected: Suspicious Program Location Process Starts
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Threat name: Win32.Infostealer.BestaFera
Status: Malicious
First seen: 2021-02-01 08:27:35 UTC
File Type: PE (Exe)
Extracted files: 48
AV detection: 18 of 46 (39.13%)
Threat level: 5/5
Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet persistence rat stealer
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
NetWire RAT payload
Netwire
Unpacked files
SHA256 hash: c7385cf608325b7521aec35e1cc1d096ee6d1523f06677ee9761d5b52e9e56b6
MD5 hash: 7f252ebbd7f09b34f16e03f806db27c0
SHA1 hash: c44771e4a7123d45261b0a87851f69f8c9d6eef6
SHA256 hash: fadc99d77a3c3f3483b63596d5ead642ecafb0bb52342c975efdbfd26a87f166
MD5 hash: a6ffb99ff7a196d8a340faf3a8d49d51
SHA1 hash: b691f69ac52107657679bd7120b374f84f42a6e3
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
