Netwire is an advanced RAT, malware that takes control of infected PCs and allows its operators to perform various actions on them. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and macOS.

Type: Trojan
Origin: ex-USSR territory
First seen: 1 January, 2012
Last seen: 11 April, 2024
Also known as: Recam

How to analyze Netwire with ANY.RUN

What is Netwire RAT?

Netwire is a remote access trojan-type malware. A RAT is malware used to control an infected machine remotely. This particular RAT can perform over 100 malicious actions on infected machines and can attack multiple systems, including Windows, Apple’s MacOS, and Linux.

Netwire malware is available for purchase on the darknet in the underground hacking communities, where attackers can buy this RAT for the price of 40 to 140 USD. In addition, Netwire can be purchased on the surface internet for a price of 180 USD. Notably, in 2016 Netwire received an update that added the functionality to steal data from devices connected to the infected machine, such as USB credit card readers, allowing Netwire to perform POS attacks.

General description of Netwire RAT

The core functionality of the Netwire Trojan allows the malware to take remote control of infected PCs, record keystrokes and mouse activity, take screenshots, collect system information, and create fake HTTP proxies.

The keylogger functionality allows Netwire to record all kinds of personal data entered on a computer connected to the internet or a corporate network. Combined with the ability to steal credit card information and operate undetected for extended periods of time, Netwire RAT poses a serious danger to organizations.

In some malicious campaigns, the Netwire trojan was used to target healthcare and banking businesses. The malware was also documented as being used by a group of scammers from Africa who utilized Netwire to take remote control of infected machines.

Netwire RAT creators have put in a lot of work to ensure that researchers have a hard time analyzing this malware, as many precautions are taken to complicate the research process, including techniques like multiple data encryption layers and string obfuscation. In addition, the malware uses a custom C2 binary protocol that is also encrypted, and so is the relevant data before transmission.

During one campaign, researchers observed Netwire being distributed as “TeamViewer 10”, named so in an effort to trick victims into thinking that they had downloaded the legitimate remote assistance software. Once execution began, this version would drop an .EXE file and start establishing persistence right away. The malware created a Windows shortcut in the Startup folder to ensure that the Netwire trojan would run every time the user logged into the system. Interestingly, another trick designed to keep the malware hidden actually gave it away during this particular campaign. The malware injected its code into Notepad.exe, which revealed its presence, since it is not normal for Notepad to hold an always-active network connection. Only after decoding the data prepared for transmission to the C2 did the sensitive nature of the stolen information become clear. Unfortunately, the researchers did not reveal which organization was targeted in this particular attack.

Netwire RAT malware analysis

A video simulation recorded on ANY.RUN enables researchers to study the lifecycle of Netwire in detail and works like a tutorial.

Figure 1: Process graph generated by ANY.RUN allows visualizing the life cycle of Netwire

Figure 2: A text report generated by ANY.RUN is a great tool to share the research results

Netwire RAT execution process

Netwire isn't as exciting as some other malicious programs can be as far as malware execution goes. It makes its way into the device, mostly in the form of a payload.

The user receives a spam email with an attached Microsoft Word file. After the user downloads and opens this file, the executable is dropped or downloaded onto the machine. The executable then starts performing the main malicious activity, such as adding itself to autorun, connecting to C2 servers, and stealing information from the infected device. Netwire also has the ability to inject into legitimate-looking processes from which it can perform its malicious activities.
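The two behaviours described above, the Startup-folder shortcut and the injected Notepad.exe holding an outbound connection, are cheap to check for in endpoint telemetry. The following detection logic is an added example, not ANY.RUN's or the page's own code; the event format, PIDs, paths and the 203.0.113.10 address are constructed for illustration.

```python
import re

# Constructed sample telemetry (not from the page), one event per line:
# kind|pid|ppid|image|detail. It models the campaign described above: a
# dropped "TeamViewer 10.exe" writes a Startup-folder shortcut and injects
# into notepad.exe, which then opens an outbound connection. A second,
# benign notepad.exe that only saves a text file is included as a control.
SAMPLE_EVENTS = """\
process|4100|3900|C:\\Users\\bob\\Downloads\\TeamViewer 10.exe|started
file|4100|3900|C:\\Users\\bob\\Downloads\\TeamViewer 10.exe|C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\TeamViewer 10.lnk
process|4120|4100|C:\\Windows\\System32\\notepad.exe|started
network|4120|4100|C:\\Windows\\System32\\notepad.exe|203.0.113.10:3360
process|4200|1200|C:\\Windows\\System32\\notepad.exe|started
file|4200|1200|C:\\Windows\\System32\\notepad.exe|C:\\Users\\bob\\Documents\\notes.txt
"""

# A .lnk written into the per-user Startup folder is the persistence trick.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# Images that have no legitimate reason to hold an outbound socket.
NO_NETWORK_IMAGES = {"notepad.exe"}

def parse_events(text):
    events = []
    for line in text.splitlines():
        kind, pid, ppid, image, detail = line.split("|", 4)
        events.append({"kind": kind, "pid": int(pid), "ppid": int(ppid),
                       "image": image, "detail": detail})
    return events

def find_netwire_indicators(events):
    """Return (indicator, pid, detail) tuples for the two behaviours."""
    findings = []
    persisted = set()  # pids that wrote a Startup-folder shortcut
    for ev in events:
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["kind"] == "file" and STARTUP_LNK.search(ev["detail"]):
            findings.append(("startup_lnk_persistence", ev["pid"], ev["detail"]))
            persisted.add(ev["pid"])
        elif ev["kind"] == "network" and name in NO_NETWORK_IMAGES:
            findings.append(("network_from_notepad", ev["pid"], ev["detail"]))
            # A networking notepad.exe whose parent is the persisting dropper
            # ties both indicators to one intrusion chain.
            if ev["ppid"] in persisted:
                findings.append(("dropper_to_notepad_chain", ev["ppid"], ev["detail"]))
    return findings

if __name__ == "__main__":
    for finding in find_netwire_indicators(parse_events(SAMPLE_EVENTS)):
        print(*finding)
```

The benign notepad.exe (pid 4200) produces no finding, since it never opens a socket and writes only to Documents.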

Distribution of Netwire RAT

Netwire RAT is usually distributed in email phishing campaigns in the form of a malicious Microsoft Office document. The victim must enable macros for the RAT to enter an active state. The macros then download Netwire, allowing the malware to start its execution process.

How to export Netwire data using ANY.RUN?

If analysts want to do additional work with events from tasks or share them with colleagues for tutorials, they can export to different formats. Just click on the "Export" button and choose the most suitable format in the drop-down menu. Export of any kind of malware research is available including Predator the Thief or Qbot.

Figure 3: Export options for Netwire malware

Conclusion

Diverse information stealing feature sets combined with the ability to target multiple operating systems and steal data from credit cards used in an infected system make Netwire Trojan a highly dangerous remote access trojan.

Despite its impressive functionality, the malware is fairly accessible, “retailing” on underground forums for as little as 40 dollars in some select cases. The situation is further worsened by the fact that creators of Netwire RAT have implemented several features designed to complicate the analysis as much as possible.

However, researchers can take advantage of interactive malware hunting services such as ANY.RUN, which allow the analyst to influence the simulation at any point and obtain much cleaner research results.
