Netwire


Netwire is an advanced RAT: malware that takes control of infected PCs and lets its operators perform various actions on them. Unlike many RATs, it can target every major operating system, including Windows, Linux, and macOS.

Type: Trojan
Origin: ex-USSR territory
First seen: 1 January, 2012
Last seen: 29 May, 2023
Also known as: Recam




What is Netwire RAT?

Netwire is a remote access trojan-type malware. A RAT is malware used to control an infected machine remotely. This particular RAT can perform over 100 malicious actions on infected machines and can attack multiple systems, including Windows, Apple’s MacOS, and Linux.

Netwire malware is available for purchase on the darknet in the underground hacking communities, where attackers can buy this RAT for the price of 40 to 140 USD. In addition, Netwire can be purchased on the surface internet for a price of 180 USD. Notably, in 2016 Netwire received an update that added the functionality to steal data from devices connected to the infected machine, such as USB credit card readers, allowing Netwire to perform POS attacks.

General description of Netwire RAT

The Netwire Trojan's core functionality allows the malware to take remote control of infected PCs, record keystrokes and mouse activity, take screenshots, collect system information, and create fake HTTP proxies.

The keylogger functionality allows Netwire to record all kinds of personal data typed on a computer connected to the internet or a corporate network. Combined with the ability to steal credit card information and operate undetected for extended periods of time, Netwire RAT poses a serious danger to organizations.

In some malicious campaigns, the Netwire trojan was used to target healthcare and banking businesses. The malware was also documented as being used by a group of scammers from Africa who utilized Netwire to take remote control of infected machines.

Netwire RAT's creators have put a lot of work into making the malware hard to analyze: many precautions complicate the research process, including multiple layers of data encryption and string obfuscation. In addition, the malware talks to its C2 over a custom binary protocol that is itself encrypted, and the data it exfiltrates is encrypted before transmission as well.

During one campaign, researchers observed Netwire being distributed as “TeamViewer 10”, named so in an effort to trick victims into thinking they had downloaded the legitimate remote assistance software. Once execution began, this version would drop an .EXE file and start establishing persistence right away: the malware created a Windows shortcut in the Startup folder so that the Netwire trojan would run every time the user logged into the system. Interestingly, another trick designed to keep the malware hidden actually gave it away during this particular campaign. The malware injected its code into Notepad.exe, which revealed its presence, since it is not normal for Notepad to hold a permanently active network connection. Only after decoding the data prepared for transmission to the C2 did researchers discover the sensitive nature of the stolen information. Unfortunately, the researchers did not reveal which organization was targeted in this particular attack.

Netwire RAT malware analysis

A video simulation recorded on ANY.RUN lets researchers study the lifecycle of Netwire in a lot of detail and works like a tutorial.

Figure 1: Process graph generated by ANY.RUN allows visualizing the life cycle of Netwire

Figure 2: A text report generated by ANY.RUN is a great tool to share the research results

Netwire RAT execution process

As far as malware execution goes, Netwire isn't as exciting as some other malicious programs. It makes its way onto the device mostly in the form of a payload.

The user receives a spam email with an attached Microsoft Word file. After the user downloads and opens this file, the executable is dropped or downloaded onto the machine. The executable then starts performing the main malicious activity, such as adding itself to autorun, connecting to C2 servers, and stealing information from the infected device. Netwire can also inject into unsuspicious processes and perform its malicious activities from there.
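The chain described above (an Office document dropping an executable, persistence via the Startup folder, and code injected into an innocuous process such as notepad.exe that then talks to the C2) is what a defender would look for in endpoint telemetry. The following Python is an added example, not ANY.RUN's code or anything taken from this page; it runs three simple checks over a few constructed Sysmon-style events, and the file paths, process names and destination address in the sample are made up for the demonstration.

```python
# Constructed Sysmon-style events (not real telemetry). Event types:
# process_create, file_create, network_connect. Field names are assumptions
# modelled loosely on Sysmon's Image/ParentImage/TargetFilename.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Word drops and launches an executable posing as TeamViewer 10
    {"type": "process_create", "pid": 200,
     "image": r"C:\Users\u\AppData\Roaming\TeamViewer 10.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    # Persistence: shortcut written to the per-user Startup folder
    {"type": "file_create", "pid": 200,
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TeamViewer 10.lnk"},
    {"type": "process_create", "pid": 300,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Users\u\AppData\Roaming\TeamViewer 10.exe"},
    # Injected notepad.exe holding an outbound connection (constructed address)
    {"type": "network_connect", "pid": 300,
     "image": r"C:\Windows\System32\notepad.exe", "dest": "203.0.113.5:5555"},
    # Benign: a browser talking to the web
    {"type": "network_connect", "pid": 400,
     "image": r"C:\Program Files\Firefox\firefox.exe", "dest": "93.184.216.34:443"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Processes that normally have no reason to hold an outbound connection;
# a common choice of injection target precisely because they look harmless.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}
EXEC_EXT = (".exe", ".scr", ".com")

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, pid, detail) findings for the three behaviours."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            if basename(ev["parent_image"]) in OFFICE_APPS and basename(ev["image"]).endswith(EXEC_EXT):
                findings.append(("office_spawned_executable", ev["pid"], ev["image"]))
        elif ev["type"] == "file_create":
            target = ev["target"].lower()
            if "\\startup\\" in target and target.endswith(".lnk"):
                findings.append(("startup_shortcut_persistence", ev["pid"], ev["target"]))
        elif ev["type"] == "network_connect":
            if basename(ev["image"]) in NO_NETWORK_EXPECTED:
                findings.append(("unexpected_network_from_benign_process", ev["pid"], ev["dest"]))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Each rule alone produces noise in a real environment; the value comes from seeing all three on one host in a short window, which is the pattern the campaign described above would leave behind.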

Distribution of Netwire RAT

Netwire RAT is usually distributed in email phishing campaigns in the form of a malicious Microsoft Office document. The victim must enable macros for the RAT to enter an active state; the macros then download Netwire, allowing the malware to start its execution process.

How to export Netwire data using ANY.RUN?

If analysts want to do additional work with the events from a task, or share them with colleagues for tutorials, they can export them to different formats. Just click the "Export" button and choose the most suitable format in the drop-down menu. Export is available for any kind of malware research, including Predator the Thief or Qbot.

Figure 3: Export options for Netwire malware

Conclusion

A diverse information-stealing feature set, combined with the ability to target multiple operating systems and steal data from credit cards used on an infected system, makes the Netwire Trojan a highly dangerous remote access trojan.

Despite its impressive functionality, the malware is fairly accessible, “retailing” on underground forums for as little as 40 dollars in some select cases. The situation is further worsened by the fact that creators of Netwire RAT have implemented several features designed to complicate the analysis as much as possible.

However, researchers can take advantage of interactive malware hunting services such as ANY.RUN, which let them influence the simulation at any point and obtain much cleaner research results.
