MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffd24bd48e21a03c0b7fc884a12bd22e88e8d56735d810fccb64e6e6ca27768d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetWire

Vendor detections: 7

SHA256 hash: ffd24bd48e21a03c0b7fc884a12bd22e88e8d56735d810fccb64e6e6ca27768d
SHA3-384 hash: 2759ff9dcb40de6129e8513ee774eba7f3265d3c27e7c36641442273cc6a13687e178b0ea66d280351b4766e6add6b7e
SHA1 hash: 5b18da64018f2e114ab3c160e07deb28a6906233
MD5 hash: 2f8c343e41d3829aa8e24eebff7de4ab
humanhash: maine-foxtrot-stairway-river
File name: Factura.exe
Signature: NetWire
File size: 580'608 bytes
First seen: 2020-08-03 11:36:20 UTC
Last seen: 2020-08-03 12:42:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c458ff2d515beb8f44158cd3636a7400 (19 x AgentTesla, 6 x NetWire, 3 x HawkEye)
ssdeep: 12288:vu9iFRiZOsvpN1jB/qY25ozN3FZo+JmMy282QX8NeAGDinFBE:vu9iFRUthN3/qY25ozxo+JmMy28ta9DE
Threatray: 552 similar samples on MalwareBazaar
TLSH: C3C423E09791515EE00A687556377EF22213EE2D1E1A6B4C1CE2EB1928327E7E1F3607
Reporter: abuse_ch
Tags: BBVA, ESP, exe, geo, NetWire, RAT, t-online


abuse_ch
Malspam distributing NetWire:

HELO: mailout07.t-online.de
Sending IP: 194.25.134.83
From: Confirming.bbva@bbva.com <Zahnarztpraxis-Kugler@t-online.de>
Reply-To: Confirming.bbva@bbva.com <Zahnarztpraxis-Kugler@t-online.de>
Subject: BBVA-Confirming Factura
Attachment: Factura.uue (contains "Factura.exe")

NetWire RAT C2:
43.226.229.43:2030

Intelligence

File Origin
# of uploads: 2
# of downloads: 328
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Searching for the window
Deleting a recently created file
Sending a UDP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Result
Threat name: NetWire
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: NetWire
Yara detected NetWire RAT
Behaviour
Behavior Graph: (interactive graph not reproduced; the details recoverable from it are listed below)
Behavior Graph ID: 256130
Sample: Factura.exe
Startdate: 03/08/2020
Architecture: WINDOWS
Score: 92
Processes observed: Factura.exe, Host.exe, AcroRd32.exe, RdrCEF.exe
Files dropped: C:\Users\user\AppData\Roaming\...\Host.exe (PE32); C:\Users\user\AppData\Local\...\Factura.pdf (PDF)
Network contacts: 43.226.229.43 port 2030 (SOFTLAYERUS, Hong Kong); 80.0.0.0 (NTLGB, United Kingdom); 192.168.2.1 (unknown)
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2020-08-03 06:02:06 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: win_netwire_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: NetWire
File type: Executable exe
SHA256 hash: ffd24bd48e21a03c0b7fc884a12bd22e88e8d56735d810fccb64e6e6ca27768d (this sample)

Comments