MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe5cbf37095a45e7e129e541f482adebdc55648557571eb2b9359b7376a22e11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 11

SHA256 hash: fe5cbf37095a45e7e129e541f482adebdc55648557571eb2b9359b7376a22e11
SHA3-384 hash: 8b6eb5b7df56202e006b82f2002dcb10d00885991e78a7ed33d0dde5f9db9f76c497988c74213d250e19ce6ea6da9e13
SHA1 hash: 6554335abe4119ed20defdaf2de85a036169418a
MD5 hash: dfb2279ec9467eeb783a52fbf0c9f80b
humanhash: tennessee-helium-shade-mobile
File name: FE5CBF37095A45E7E129E541F482ADEBDC55648557571.exe
Signature: NetWire
File size: 638'976 bytes
First seen: 2022-03-22 17:12:28 UTC
Last seen: 2022-03-22 18:58:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'917 x Formbook, 12'332 x SnakeKeylogger)
ssdeep: 12288:MbrCRrM16r1ZJE5uwIOX+5Hu23Fxcx+rE:MbmRrugbOcjV
Threatray: 6'818 similar samples on MalwareBazaar
TLSH: T1B5D4D0293FADDA48C04E7DBD6EB00065D7B2E1E7046FC726E5AB4D2D8E2E2C47B09550
dhash icon: 23b7332747071617 (1 x NetWire)
Reporter: abuse_ch
Tags: exe NetWire RAT


abuse_ch
NetWire C2:
99.38.102.122:4000

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
99.38.102.122:4000   https://threatfox.abuse.ch/ioc/439527/

Intelligence


File Origin
# of uploads: 2
# of downloads: 361
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed
Result
Threat name: NetWire
Detection: malicious
Classification: troj
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire RAT Registry Key
Uses dynamic DNS services
Yara detected Netwire RAT
Behaviour
Behavior Graph (ID 594762; sample FE5CBF37095A45E7E129E541F48...; start date 23/03/2022; architecture WINDOWS; score 100)

Signatures on the submitted sample: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 8 other signatures.

Process tree recovered from the graph:
FE5CBF37095A45E7E129E541F482ADEBDC55648557571.exe (started)
  dropped: FE5CBF37095A45E7E1...55648557571.exe.log (ASCII)
  cmd.exe
    cacls.exe
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      cacls.exe
        network: qusi.duckdns.org 99.38.102.122, 4000, 49805, 49815 (ATT-INTERNET4US, United States); 192.168.2.1 (unknown)
      cmd.exe
        conhost.exe
      cmd.exe
        conhost.exe
    conhost.exe
  cmd.exe
    dropped: C:\Users\user\AppData\Roaming\cacls.exe (PE32)
    conhost.exe
  cmd.exe
    conhost.exe
  cmd.exe
    conhost.exe
cacls.exe (started)
cacls.exe (started)
Threat name: ByteCode-MSIL.Backdoor.Proyecto
Status: Malicious
First seen: 2019-07-31 05:52:38 UTC
File Type: PE (.Net Exe)
Extracted files: 58
AV detection: 28 of 42 (66.67%)
Threat level: 5/5
Result
Malware family: netwire
Score: 10/10
Tags: family:netwire botnet persistence rat stealer
Behaviour
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
NetWire RAT payload
Netwire
Malware Config
C2 Extraction: qusi.duckdns.org:4000
Unpacked files
SHA256 hash:
966f3e8cb3cc9ebf44d8533723b263191cd0b047e08981ed225f119d5575418c
MD5 hash:
ce142697b8724360681ce57a5263e333
SHA1 hash:
db1f99b073f02f7afffa47642e9e0b5f9f01c75c

SHA256 hash:
859bc8bf7f58f19d267ace2f031a9c79f55b9be166e37fad48b46be8d9a3b0c9
MD5 hash:
ef2058cd512301ab8a29c0fc8365342b
SHA1 hash:
844a3ba627bfedd81eea4c45051cade25ad9fcd4

SHA256 hash:
09809b97bcaa1a00ce7711d78561443196cab5e8d5d4033e989c942a52548149
MD5 hash:
45f24c023a4bca2287f0f908b3b9caa3
SHA1 hash:
79c9186d7bdf80ac1462c8d8ae74a202f5fdec3e

SHA256 hash:
52e536175a569a2d755e0e4aebb4a9de1d937ac2c2025d1a1203af77d1cbf1e1
MD5 hash:
974bc23c33dcac9e8e0d2d02dd17174e
SHA1 hash:
35575b536de6050c66bff52f9d559f702f8a48f1

SHA256 hash:
cead5bf67c1409a7e2b8146e0a5f9964e8bb42b8cd8bac156693ffa85654ed9b
MD5 hash:
b0f8b3583d838548f11c76e0b64248e3
SHA1 hash:
13e98d6dc460cce4656973525d62cb09a24e6248
Detections:
win_netwire_g1

SHA256 hash:
fe5cbf37095a45e7e129e541f482adebdc55648557571eb2b9359b7376a22e11
MD5 hash:
dfb2279ec9467eeb783a52fbf0c9f80b
SHA1 hash:
6554335abe4119ed20defdaf2de85a036169418a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments