MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff32e93cbeacbeda2437159fc90e1c0a4b6b1d7fa160a931fe80801ba6e3311d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetWire


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff32e93cbeacbeda2437159fc90e1c0a4b6b1d7fa160a931fe80801ba6e3311d
SHA3-384 hash: 9396d6bf7512a5f6ac5ed5216f3d38d8be640a7ae44236799c17cd745b59c40beffffdf4ba174447ea059c4910eff032
SHA1 hash: e0e21df731ac7e2bcaa1fa1ca0a3f12936a111a4
MD5 hash: 39354b7b1d0dda28b95785b967621c07
humanhash: jupiter-fix-bulldog-mirror
File name:PO-13918.jpeg.exe
Download: download sample
Signature NetWire
Create hunting rule
File size:833'536 bytes
First seen:2021-07-14 05:57:20 UTC
Last seen:2021-07-14 06:47:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:btojrHrNls9XOd4+QC1KREDMALh+GMsoh4cN3K18GJTEMUzI/z55qs3IuQTL5QKL:btEKGDXh+GMsoXN3S8Gb/WyIZ
Threatray 477 similar samples on MalwareBazaar
TLSH T162057C6C23FEA709F233FF346FA1A7489FA666B59215DD0D1DC4024B4821C85AEA7D31
Reporter lowmal3
Tags:exe NetWire

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO-13918.jpeg.exe
Verdict:
Malicious activity
Analysis date:
2021-07-14 05:59:32 UTC
Tags:
trojan netwire rat
Link:
https://app.any.run/tasks/658303dc-0e43-4cbf-b263-86882ad706c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171554/
Detection(s):
SecuriteInfo.com.Artemis39354B7B1D0D.530.5814.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWire RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3dfe2ed3-63c6-4a41-8dec-f20f858e958f
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/816007
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
netwire
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ff32e93cbeacbeda2437159fc90e1c0a4b6b1d7fa160a931fe80801ba6e3311d/
Threat name:
ByteCode-MSIL.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 05:58:06 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=74zospf6vs7nujbxcwp4sdq4bjfwwhl7ufqksmp6qcabxjxdgeoq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0538554b73f98f395950af81f30e4fc99407e991babdce510bb61f9f9b56f23e
NetWire
3e4d51c93e584902549b54e3b22595a4f78a87a9eb4648be7af3b5cc6a682078
NetWire
42949a2f912c87695ebffdd714eae9ae470935a2323f75a937fa3521155b3701
NetWire
482a6a0bf95d313de664dec7523d7487995d5f26e1a30b8bc62c0a5e1431fbd7
NetWire
7511c244b32ec5bc59ff7173ee5aa83a764ea6607522b79cc99c5537907e50e7
NetWire
b5ee8f5810eb5518c8481f845d0bbbdb3e7e1709baeafc3ef7479affd314e91f
NetWire
c2d01f23413e651226add970b8737c03777c0e2717f13c4a4c4ee29231e8832e
NetWire
d79ea371b04796b7433a6143387517306bc37835c4cf4c6962e0844325c018ee
NetWire
faf52d09b9f2a833c0fa7093cb9dd25d820aa06de68747ff2499f653a982dab1
NetWire
fcfc89b5ad3b4e406664cdd8408f56fe8b0c9a9eeb50fc821f2e89a9785c9f3e
NetWire
+ 467 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:netwire botnet rat stealer
Link:
https://tria.ge/reports/210714-tnkb1m82le/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
netwire.linkpc.net:6000
Unpacked files
SH256 hash:
96dbc52f7173a36475fb500a6f70f1b73481913999b17e8dbf88a6e7a59fe92e
MD5 hash:
2c66e6079eb63b33e3fa960d73fa1d58
SHA1 hash:
e1b23f173e76349f0185fa474cc3750b981a2817
Link:
https://www.unpac.me/results/f91a783a-68eb-4364-a5ba-fea0027a4fd3/
SH256 hash:
2b54fd77d3e3518a7ce2f64dc1c337fdcac47e2bab44572fee3ca4f3ab082d56
MD5 hash:
cd270aeba0537566f8f9d7bc09f64357
SHA1 hash:
d486f722eec37e4c49b670a1fb8ce948e2f50b94
Detections:
win_netwire_g1
Create hunting rule
win_netwire_auto
Create hunting rule
Link:
https://www.unpac.me/results/f91a783a-68eb-4364-a5ba-fea0027a4fd3/
SH256 hash:
5e694edc155ca22f66c84012318bf4d60c91a8d17f3b342090c1b0ce462f8f8e
MD5 hash:
5b64cb77ca135a566f0e6e6b432414d1
SHA1 hash:
8d3c5f7d36c118cf5a626407508448c4dcd8389d
Link:
https://www.unpac.me/results/f91a783a-68eb-4364-a5ba-fea0027a4fd3/
SH256 hash:
5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4
MD5 hash:
b0e14c3526d6623ae9b7b5f5e0efde76
SHA1 hash:
f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc
Link:
https://www.unpac.me/results/f91a783a-68eb-4364-a5ba-fea0027a4fd3/
SH256 hash:
ff32e93cbeacbeda2437159fc90e1c0a4b6b1d7fa160a931fe80801ba6e3311d
MD5 hash:
39354b7b1d0dda28b95785b967621c07
SHA1 hash:
e0e21df731ac7e2bcaa1fa1ca0a3f12936a111a4
Link:
https://www.unpac.me/results/f91a783a-68eb-4364-a5ba-fea0027a4fd3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff32e93cbeacbeda2437159fc90e1c0a4b6b1d7fa160a931fe80801ba6e3311d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:MALWARE_Win_NetWire
Create hunting rule
Author:ditekSHen
Description:Detects NetWire RAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.netwire.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

NetWire

Executable exe ff32e93cbeacbeda2437159fc90e1c0a4b6b1d7fa160a931fe80801ba6e3311d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/171554/

Comments