{"id":2025,"date":"2024-09-25T10:55:17","date_gmt":"2024-09-25T10:55:17","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2025"},"modified":"2025-07-29T03:16:06","modified_gmt":"2025-07-29T03:16:06","slug":"analysis-of-netwire-rat","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/analysis-of-netwire-rat\/","title":{"rendered":"Analysis of Netwire RAT"},"content":{"rendered":"
\n
\"Beware
Beware of Neware RAT<\/figcaption><\/figure>\n<\/div>\n\n\n

The NetWire RAT is malicious remote access trojan that emerged in the wild in 2012. This multi-platform malware was developed by World Wired Labs, and the program has since undergone several developmental upgrades. It is capable of infecting Windows, Linux, Mac OS operating systems. The malware developers have another program called PWNDROID released in mid-2020, for the Android platform. A company advertising the remote access tool frequently used by criminals and, nation-state threats may be serving as a front for Chinese hacking groups, according to new research published recently.<\/p>\n\n\n\n

The PWNDROID Android malware type, which can be used to listen in on targets’ phone calls, capture audio, send and receive text messages, and track victims’ geolocation. Multiple groups with possible ties to the Chinese government, is thought to have used it, according to LMNTRIX CDC.<\/p>\n\n\n\n

Recent APT attacks which leverage and drop the NetWire payload get distributed via social engineering e-mails. This Trojan (RAT) is mainly focused on password stealing and keylogging, as well as including remote control capabilities. Recently, NetWire has been distributed via Microsoft office documents and spreading their secondary payload attacks especially GuLoader campaigns.<\/p>\n\n\n\n

Target OS: Windows, Linux, Mac OS<\/p>\n\n\n\n

Motivation: Remote Access Tool & APT Campaigns<\/p>\n\n\n\n

Threat Actors: APT33, The White Company & Silver Terrier groups potentially use the Netwire RAT.
<\/strong><\/p>\n\n\n\n

Static Analysis<\/u><\/strong><\/h3>\n\n\n\n

Sample: NetWire Remote Access Tool<\/p>\n\n\n\n

SHA256: e4029ef5d391b9a380ed98a45f3e5a01eece6b7a1120ab17d6db0f8bb1309a47<\/p>\n\n\n\n

Filetype: Portable Executable (EXE)<\/p>\n\n\n\n

Common Anti-Debugging Methods Used<\/strong><\/p>\n\n\n\n

When the sample was loaded into Ollydbg, and we got the disassembly to start with, NetWire displayed the following error message. In addition to this error message, the malware uses NtWow64ReadVirtualMemory64 from NTDLL to query the PEB (process environment block), and a timing based check such as GetTickCount from Kernel32.DLL are used to thwart debugging.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

 <\/p>\n\n\n\n

Keylogger Functions<\/strong><\/p>\n\n\n\n

Based on the familiar CPP functions & a lot of functions being imported from MSVBVM60, MSVCRT and MSCOREE DLL files, we believe the developers may be using Microsoft VC++ and\/or Delphi for NetWire RAT.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

GetUserName, GetSecurityInfo, GetMonitorInfoA, GetLogonSessionData, and Key Press Events are monitored by the NetWire malware sample. A logged on user’s session data, encoded base 64 strings, key state, key press and keyboard events being monitored could hint at keylogging functionality.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

After dumping the strings from our sample PE file, and decoding them with IDAPython, we can realize that the keylogger also records and sends login data from popular web browers such as Firefox, Chrome and Internet Explorer to the NetWire Admin Workstation. The NetWire keylogger module encodes the keystrokes logged after stealing credentials from the logged on user, prior to sending it to NetWire Admin Workstation. You can find a copy of the NetWire log decoder from GitHub.<\/p>\n\n\n\n

Refer https:\/\/github.com\/ArsenalRecon\/NetWireLogDecoder<\/a><\/p>\n\n\n\n

 <\/p>\n\n\n\n

Payment Data Being Stolen<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

LMNTRIX CDC analysts discovered payment being collected for exfiltration by NetWire trojan while investigating the keylogger module further.<\/p>\n\n\n\n

 <\/p>\n\n\n\n

Remote Access Tool (RAT)<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Netwire Developers from World Wired Labs have implemented the remote access tool functionality using a simple TCP Client-Server model with sockets.
<\/strong><\/p>\n\n\n\n

Dynamic Analysis<\/u><\/strong><\/u><\/h3>\n\n\n\n

Infection Chain<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

NetWire infects its victims using initial infection vectors of the mal-spam variety with e-mail attachment (EML). It contains a Microsoft Office (Excel) document with VBA macro enabled content. The malware tricks the user to enable the macros to perform malicious actions. Once the user enables the macro content, using Wscript file to drop a payload file in the %temp% folder, it then invokes a web-request and connects with the designated C2 server for further infection.<\/p>\n\n\n\n

Sample Information<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Technical Analysis of XLS<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once the user opens the attached document, there\u2019s a fake Excel template displaying a message \u201cDocument created in earlier version of MS Excel\u201d upon enabling the content, the victim now views the content. With the help of this malware the threat actor can trick the user to view the document, and infect them for further malicious actions.<\/p>\n\n\n\n

Embedded Macro Content: Screenshot 1<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Embedded Macro Content: Screenshot 2<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

VBA code in the screenshot (above) is obfuscated with random functions in order to hide the exact code. It\u2019s one of the tricks used by the malware author. Macros is a programmable pattern which translates a certain sequence of input into a preset sequence of output. Macros can make tasks less repetitive automating a complicated sequence of keystrokes, mouse movements, commands, or other types of user input.<\/p>\n\n\n\n

Macro-Enabled, Process Tree<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once the macros are enabled, using the Wscript shell to execute and drop the payload file in %temp% folder [ Actual, file will be BIN[.]exe].
<\/strong><\/p>\n\n\n\n

Dropped VBS Script<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Here the command is very straight forward, using the cmd[..]exe the malware connects to the malicious domain and drops the payload file in the Windows %temp% folder. The dropped vbs file gets executed in %temp% folder as well.<\/p>\n\n\n\n

 <\/p>\n\n\n\n

Dropped Payload file<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Initial – Indicator of Compromises [IOC]<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once communicating with the malicious URL, it\u2019s silently drops a .VBS script file in the %AppData% folder to perform further malicious actions.<\/p>\n\n\n\n

 <\/p>\n\n\n\n

Preventive Measures<\/strong><\/h3>\n\n\n\n
    \n
  • Usage of anti-malware software such as antivirus or, any endpoint protection such as LMNTRIX EDR \/ EPP with updates.<\/li>\n\n\n\n
  • Beware of e-mails from unknown contacts or, untrusted external sources.<\/li>\n\n\n\n
  • Always make it a practice to scan attachments that you may find suspicious, especially when the e-mails are related to financial or delivery correspondence, documents, and URLs.<\/li>\n\n\n\n
  • Use a strong password, preferably 16 to 18 characters, or more with a combination of alphabets, numbers and symbols.<\/li>\n\n\n\n
  • We recommend using multi factor authentication for website login \/ passwords for all websites.<\/li>\n<\/ul>\n\n\n\n

     <\/p>\n\n\n\n

    Indicators of Compromise to detect NetWire RAT<\/strong><\/h3>\n\n\n\n

     <\/p>\n\n\n\n

    IP Addresses<\/p>\n\n\n\n

    94[[.]]237[[.]]28[[.]]110<\/p>\n\n\n\n

    194[[.]]5[[.]]98[[.]]48<\/p>\n\n\n\n

    185[[.]]183[[.]]98[[.]]166<\/p>\n\n\n\n

    185[[.]]222[[.]]57[[.]]164<\/p>\n\n\n\n

    194[[.]]5[[.]]98[[.]]188<\/p>\n\n\n\n

    171[[.]]22[[.]]30[[.]]21<\/p>\n\n\n\n

    185[[.]]140[[.]]53[[.]]252<\/p>\n\n\n\n

    194[[.]]147[[.]]140[[.]]4<\/p>\n\n\n\n

    87[[.]]66[[.]]106[[.]]20<\/p>\n\n\n\n

    71[[.]]81[[.]]62[[.]]106<\/p>\n\n\n\n

    31[[.]]41[[.]]244[[.]]150<\/p>\n\n\n\n

    154[[.]]118[[.]]25[[.]]216<\/p>\n\n\n\n

    79[[.]]134[[.]]225[[.]]28<\/p>\n\n\n\n

    104[[.]]168[[.]]148[[.]]85<\/p>\n\n\n\n

    185[[.]]140[[.]]53[[.]]61<\/p>\n\n\n\n

    79[[.]]134[[.]]225[[.]]10<\/p>\n\n\n\n

    185[[.]]140[[.]]53[[.]]183<\/p>\n\n\n\n

    184[[.]]75[[.]]221[[.]]171<\/p>\n\n\n\n

    45[[.]]137[[.]]22[[.]]101<\/p>\n\n\n\n

    213[[.]]152[[.]]161[[.]]133<\/p>\n\n\n\n

    185[.]29[.]9[.]11<\/p>\n\n\n\n

     <\/p>\n\n\n\n

    Hashes<\/p>\n\n\n\n

    07336CC7355B9C4A1553A93D24EBB30A502053339E05FFB57476890D2967B6FC<\/p>\n\n\n\n

    2387DFD712B954C865BB4927F0628C54BF30B9A115B2383C2DFF63456885463A<\/p>\n\n\n\n

    F488FEAC7359DABA38B793855A5D2369404956892CA23DB7530DC04D77530490<\/p>\n\n\n\n

    F6226702EC3DED25EC5E0D7D1CBAAE386540E990857EC7604EC93284113B4897<\/p>\n\n\n\n

    0005A4FB06BB5CACCA4A89B372543A3EFFB0931AF26B0B17D8661B691B401811<\/p>\n\n\n\n

    E4029EF5D391B9A380ED98A45F3E5A01EECE6B7A1120AB17D6DB0F8BB1309A47<\/p>\n\n\n\n

    DCAC7C0A08250B164343C102EF9D863A49C44343C6CE3E0CD1197CB7E3198937<\/p>\n\n\n\n

    8F24221CAEF706D4502572968C0CF1317E632EBCB64157A5A1DAFBDDE7FC642C<\/p>\n\n\n\n

    1F8B6EBC0FBDB35C0B214652B69360C8DD78B569C9AF9C1B355DD11F277624E2<\/p>\n\n\n\n

    BC0A8E730EBBE66A98F6AA755671661158A982983898E45D306F79EC608250FE<\/p>\n\n\n\n

    50050A189F878A24B57ACEDF046ACFE5011DAE30F50A21054A75FCDA2947FF5B<\/p>\n\n\n\n

    459A609FFDE4325A1E55F7B9A788AB5CF978D3E07C54349B9F9E50F1E6875C89<\/p>\n\n\n\n

    F631EF4CE81B9A0984D44A9468DB2AE30CB37BDAD67AAEB43F53D50039D8C5AA<\/p>\n\n\n\n

    0CDC6A0C287876DBCFC14A93CAE8EB6FEB6938142814A9FB4E403F000D469CAB<\/p>\n\n\n\n

    3AFEECA8EE5FA67BF62BB84C10E02FE82032CBE034CCB4588708367FD5D66E8F<\/p>\n\n\n\n

    45CFB912F4CEED9DCF0EEE01F36A1C581A0E881301D73A2E1E459E48488B95BA<\/p>\n\n\n\n

    A21C8EF38B35EDA08AF936729863498EAD8F750DE997BC2D55FF9DA429872E33<\/p>\n\n\n\n

    848A8084A39B1BFA98C65B0E55BF91460B82470A3F9F5B31D7464C400A9DA355<\/p>\n\n\n\n

    637E17723EA88878915BA42095680EE5438C22A88A4538137B3174DD4E2E8C6A<\/p>\n\n\n\n

    4C01CC3DD96C524054207F6B37A334C62549857F<\/p>\n\n\n\n

     <\/p>\n\n\n\n

    Domains<\/p>\n\n\n\n

    8ea1042a1912[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    e0fb-34-121-202-111[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    d61a2ce46962[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    2d9076b51d13[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    8ef628b4602c[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    ebc79a7f69ed[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    3a47ff971faf[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    30fdb4c296af[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    192913f09fa8[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    52e0ff58833f[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    ce47174fc1d2[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    9ea2ac777bb9[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    4651479e198f[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    6856dac09e83[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    0b1a1cdfc942[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    c5040e5692cf[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    e5d6f8fc0027[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    jcole-lms[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    877de57c5ace[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    e5927c359c3c[[.]]ngrok[[.]]io<\/p>\n\n\n\n

    love82[.]duckdns[.]org<\/p>\n\n\n\n

     <\/p>\n\n\n\n

    Registry Entry<\/p>\n\n\n\n

    HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/p>\n\n\n\n

    HKEY_CURRENT_USER\\Software\\NetWire<\/p>\n\n\n\n

    HKEY_CURRENT_USER\\Software\\NetWire\\HostId<\/p>\n\n\n\n

     <\/p>\n\n\n\n

    MITRE ATT&CK Tactics & Techniques<\/strong><\/h3>\n\n\n\n
    ID<\/td>Tactic<\/td>Technique<\/td><\/tr>
    TA0001<\/td>Initial Access<\/td>T1566.001 \u2013 Spearphishing Attachment T1566.002 \u2013 Spearphishing Link<\/td><\/tr>
    TA0002<\/td>  Execution<\/td>T1027 \u2013 Obfuscated Files or Information T1059.005 \u2013 Visual Basic T1204.002 \u2013 Malicious File<\/td><\/tr>
    TA0003<\/td>        Persistence<\/td>T1053.005 \u2013 Scheduled Task T1547.001 \u2013 Registry Run Keys \/ Startup Folder<\/td><\/tr>
    TA0004<\/td>Privilege Escalation<\/td>T1053.005 \u2013 Scheduled Task<\/td><\/tr>
    TA0005<\/td>  Defense Evasion<\/td>T1027.002 \u2013 Software Packing T1055 \u2013 Process Injection T1055.012 \u2013 Process Hollowing T1497.001 \u2013 System Checks<\/td><\/tr>
    TA0006<\/td>  Credential Access<\/td>T1003 \u2013 OS Credential Dumping T1110.001 \u2013 Password Guessing T1555.003 \u2013 Credentials from Web Browsers<\/td><\/tr>
    TA0007<\/td>Discovery<\/td>T1016 \u2013 System Network Configuration Discovery<\/td><\/tr>
    TA0011<\/td>  C&C Server<\/td>T1071.001 \u2013 Web Protocols T1090 \u2013 Proxy T1090.002 \u2013 External Proxy<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"

    The NetWire RAT is malicious remote access trojan that emerged in the wild in 2012. This multi-platform malware was developed by World Wired Labs, and the program has since undergone several developmental upgrades. It is capable of infecting Windows, Linux, Mac OS operating systems. The malware developers have another program called PWNDROID released in mid-2020, […]<\/p>\n","protected":false},"author":1,"featured_media":2043,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2025","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2025","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2025"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2025\/revisions"}],"predecessor-version":[{"id":4199,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2025\/revisions\/4199"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2043"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2025"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2025"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2025"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}