SYMBOLCOMMON_NAMEaka. SYNONYMS
win.netwire (Back to overview)

NetWire RC

aka: NetWeird, NetWire, Recam

Actor(s): APT33

VTCollection     URLhaus      

Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.

Keylog files are stored on the infected machine in an obfuscated form. The algorithm is:

for i in range(0,num_read):
buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF

References
2023-09-08Gi7w0rm
Uncovering DDGroup — A long-time threat actor
AsyncRAT Ave Maria BitRAT DBatLoader NetWire RC Quasar RAT XWorm
2023-03-30loginsoftSaharsh Agrawal
From Innocence to Malice: The OneNote Malware Campaign Uncovered
Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm
2023-03-10The RegisterJessica Lyons Hardcastle
FBI and international cops catch a NetWire RAT
NetWire RC
2023-01-30CheckpointArie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2023-01-05SymantecThreat Hunter Team
Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa
CloudEyE Cobalt Strike MimiKatz NetWire RC POORTRY Quasar RAT BlueBottle
2022-12-18ZAYOTEMEnes Şakir Çolak
NetWire Technical Analysis Report
NetWire RC
2022-11-06LMNTRIXLMNTRIX
Analysis Of Netwire RAT
NetWire RC
2022-10-13SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-06-02FortiGuard LabsFred Gutierrez, Gergely Revay, James Slaughter, Shunichi Imano
Threat Actors Prey on Eager Travelers
AsyncRAT NetWire RC Quasar RAT
2022-02-18YouTube (John Hammond)John Hammond
Uncovering NETWIRE Malware - Discovery & Deobfuscation
NetWire RC
2022-02-15BleepingComputerIonut Ilascu
Unskilled hacker linked to years of attacks on aviation, transport sectors
AsyncRAT Houdini NetWire RC Parallax RAT
2022-02-15Threat PostElizabeth Montalbano
TA2541: APT Has Been Shooting RATs at Aviation for Years
AsyncRAT Houdini NetWire RC Parallax RAT
2022-02-09SentinelOneJuan Andrés Guerrero-Saade, Tom Hegel
Modified Elephant APT and a Decade of Fabricating Evidence
DarkComet Incubator NetWire RC
2022-02-09Sentinel LABSTom Hegel
ModifiedElephant APT and a Decade of Fabricating Evidence
DarkComet Incubator NetWire RC ModifiedElephant
2022-01-12CiscoChetan Raghuprasad, Vanja Svajcer
Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure
AsyncRAT Nanocore RAT NetWire RC
2021-12-13RiskIQJordan Herman
RiskIQ: Connections between Nanocore, Netwire, and AsyncRAT and Vjw0rm dynamic DNS C2 infrastructure
AsyncRAT Nanocore RAT NetWire RC Vjw0rm
2021-10-01HPHP Wolf Security
Threat Insights Report Q3 - 2021
STRRAT CloudEyE NetWire RC Remcos TrickBot Vjw0rm
2021-09-23TalosAsheer Malhotra, Justin Thattil, Vanja Svajcer
Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs
Ave Maria NetWire RC
2021-09-16BlackberryThe BlackBerry Research & Intelligence Team
Threat Thursday: NetWire RAT is Coming Down the Line
NetWire RC
2021-09-01360 Threat Intelligence CenterAdvanced Threat Institute
APT-C-56 (Transparent Tribe) Latest Attack Analysis and Associated Suspected Gorgon Group Attack Analysis Alert
Crimson RAT NetWire RC
2021-08-05Twitter (@BaoshengbinCumt)2ero
Attacks on NCGSA, MOITT, MOD, NSCP and SCO in Pakistan
NetWire RC
2021-07-12Cipher Tech SolutionsClaire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12IBMClaire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-06-10ZAYOTEMFatma Helin Çakmak, Fatma Nur Gözüküçük, Hakan Soysal, Halil Filik, Yasin Mersin
NetWire Technical Analysis Report
NetWire RC
2021-05-07MorphisecNadav Lorber
Revealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader
Agent Tesla AsyncRAT NetWire RC Revenge RAT
2021-05-05ZscalerAniruddha Dolas, Manohar Ghule, Mohd Sadique
Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos
2021-04-21TalosVanja Svajcer
A year of Fajan evolution and Bloomberg themed campaigns
MASS Logger Nanocore RAT NetWire RC Revenge RAT XpertRAT
2021-04-14ZscalerAtinderpal Singh, Rohit Chaturvedi, Tarun Dewan
A look at HydroJiin campaign
NetWire RC Quasar RAT
2021-03-18CybereasonDaniel Frank
Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware
NetWire RC Remcos
2021-02-08Arsenal ConsultingArsenal Consulting
National Investigation Agency VS Sudhir Pralhad Dhawale & others Report 1
NetWire RC
2021-01-09Marco Ramilli's BlogMarco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2020-11-18G DataG-Data
Business as usual: Criminal Activities in Times of a Global Pandemic
Agent Tesla Nanocore RAT NetWire RC Remcos
2020-09-22vmwareOmar Elgebaly, Takahiro Haruyama
Detecting Threats in Real-time With Active C2 Information
Agent.BTZ Cobalt Strike Dacls NetWire RC PoshC2 Winnti
2020-07-30SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-14SophosLabs UncutMarkel Picado, Sean Gallagher
RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot BetaBot CloudEyE NetWire RC
2020-06-15Amnesty InternationalAmnesty International
India: Human Rights Defenders Targeted by a Coordinated Spyware Operation
NetWire RC
2020-05-21MalwarebytesMalwarebytes Labs
Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-05-14SophosLabsMarkel Picado
RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2020-05-06YoroiDavide Testa, Luca Mella, Luigi Martire
New Cyber Operation Targets Italy: Digging Into the Netwire Attack Chain
NetWire RC
2020-04-03Palo Alto Networks Unit 42Brad Duncan
GuLoader: Malspam Campaign Installing NetWire RAT
CloudEyE NetWire RC
2020-04-01CiscoAndrea Kaiser, Shyam Sundar Ramaswami
Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-03-05VinCSSDang Dinh Phuong
[RE011] Unpack crypter của malware Netwire bằng x64dbg
NetWire RC
2020-01-01SecureworksSecureWorks
COBALT TRINITY
POWERTON pupy Imminent Monitor RAT Koadic Nanocore RAT NetWire RC PoshC2 APT33
2019-11-20vmwareTakahiro Haruyama
Active C2 Discovery Using Protocol Emulation Part1 (HYDSEVEN NetWire)
NetWire RC
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-09-26ProofpointBryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-09-12AvastAdolf Středa, Luigino Camastra
The tangle of WiryJMPer’s obfuscation
NetWire RC
2019-05-08Dr.WebDr.Web
A new threat for macOS spreads as WhatsApp
NetWire RC
2019-03-27SymantecCritical Attack Discovery and Intelligence Team
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-01-30Samip Pokharel
Analysis of NetWiredRC trojan
NetWire RC
2017-12-06CiscoChristopher Marczewski, Holger Unterbrink
Recam Redux - DeConfusing ConfuserEx
NetWire RC
2017-09-20FireEyeJacqueline O’Leary, Josiah Kimble, Kelli Vanderlee, Nalani Fraser
Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware
DROPSHOT Nanocore RAT NetWire RC SHAPESHIFT TURNEDUP APT33
2016-11-28SecureworksIncident Reponse Team
NetWire RAT Steals Payment Card Data
NetWire RC
2014-11-26CIRCLCIRCL
TR-23 Analysis - NetWiredRC malware
NetWire RC
2014-08-04Palo Alto Networks Unit 42Phil Da Silva, Rob Downs, Ryan Olson
New Release: Decrypting NetWire C2 Traffic
NetWire RC
Yara Rules
[TLP:WHITE] win_netwire_auto (20241030 | Detects win.netwire.)
rule win_netwire_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.netwire."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? c7042446000000 e8???????? c7042449000000 e8???????? }
            // n = 5, score = 1200
            //   e8????????           |                     
            //   c7042446000000       | mov                 dword ptr [esp], 0x46
            //   e8????????           |                     
            //   c7042449000000       | mov                 dword ptr [esp], 0x49
            //   e8????????           |                     

        $sequence_1 = { e8???????? c7442410000000f0 c744240c01000000 c744240800000000 c744240400000000 }
            // n = 5, score = 1200
            //   e8????????           |                     
            //   c7442410000000f0     | mov                 dword ptr [esp + 0x10], 0xf0000000
            //   c744240c01000000     | mov                 dword ptr [esp + 0xc], 1
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0

        $sequence_2 = { c70424d0070000 e8???????? e9???????? e8???????? }
            // n = 4, score = 1200
            //   c70424d0070000       | mov                 dword ptr [esp], 0x7d0
            //   e8????????           |                     
            //   e9????????           |                     
            //   e8????????           |                     

        $sequence_3 = { 89442404 c70424???????? e8???????? a3???????? }
            // n = 4, score = 1200
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   c70424????????       |                     
            //   e8????????           |                     
            //   a3????????           |                     

        $sequence_4 = { 890424 e8???????? 83ec10 83f806 }
            // n = 4, score = 1200
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec10               | sub                 esp, 0x10
            //   83f806               | cmp                 eax, 6

        $sequence_5 = { c7042401000080 e8???????? c7042410000000 e8???????? }
            // n = 4, score = 1200
            //   c7042401000080       | mov                 dword ptr [esp], 0x80000001
            //   e8????????           |                     
            //   c7042410000000       | mov                 dword ptr [esp], 0x10
            //   e8????????           |                     

        $sequence_6 = { 85c0 750f c705????????05000000 e9???????? c705????????00000000 }
            // n = 5, score = 1200
            //   85c0                 | test                eax, eax
            //   750f                 | jne                 0x11
            //   c705????????05000000     |     
            //   e9????????           |                     
            //   c705????????00000000     |     

        $sequence_7 = { 890424 e8???????? eb11 c7042496000000 e8???????? }
            // n = 5, score = 1200
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   eb11                 | jmp                 0x13
            //   c7042496000000       | mov                 dword ptr [esp], 0x96
            //   e8????????           |                     

        $sequence_8 = { c744241000000000 c744240c00000000 c744240800000000 c744240400000000 c7042440000000 }
            // n = 5, score = 1200
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   c744240c00000000     | mov                 dword ptr [esp + 0xc], 0
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   c7042440000000       | mov                 dword ptr [esp], 0x40

        $sequence_9 = { a3???????? e9???????? c705????????00000000 e9???????? c7042410020000 }
            // n = 5, score = 1200
            //   a3????????           |                     
            //   e9????????           |                     
            //   c705????????00000000     |     
            //   e9????????           |                     
            //   c7042410020000       | mov                 dword ptr [esp], 0x210

    condition:
        7 of them and filesize < 416768
}
[TLP:WHITE] win_netwire_w0   (20170517 | NetWiredRC)
rule win_netwire_w0 {
	meta:
		description = "NetWiredRC"
		author = "Jean-Philippe Teissier / @Jipe_"
		date = "2014-12-23"
		filetype = "memory"
		version = "1.1" 
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/netwiredRC.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
	strings:
		$mutex = "LmddnIkX"

		$str1 = "%s.Identifier"
		$str2 = "%d:%I64u:%s%s;"
		$str3 = "%s%.2d-%.2d-%.4d"
		$str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
		$str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"
		
		$klg1 = "[Backspace]"
		$klg2 = "[Enter]"
		$klg3 = "[Tab]"
		$klg4 = "[Arrow Left]"
		$klg5 = "[Arrow Up]"
		$klg6 = "[Arrow Right]"
		$klg7 = "[Arrow Down]"
		$klg8 = "[Home]"
		$klg9 = "[Page Up]"
		$klg10 = "[Page Down]"
		$klg11 = "[End]"
		$klg12 = "[Break]"
		$klg13 = "[Delete]"
		$klg14 = "[Insert]"
		$klg15 = "[Print Screen]"
		$klg16 = "[Scroll Lock]"
		$klg17 = "[Caps Lock]"
		$klg18 = "[Alt]"
		$klg19 = "[Esc]"
		$klg20 = "[Ctrl+%c]"

	condition: 
		$mutex or (1 of ($str*) and 1 of ($klg*))
}
[TLP:WHITE] win_netwire_w1   (20170517 | No description)
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.

*/

rule win_netwire_w1 {
	meta:
		author = " Kevin Breen <kevin@techanarchy.net>"
		date = "2014/04"
		ref = "http://malwareconfig.com/stats/NetWire"
		maltype = "Remote Access Trojan"
		filetype = "exe"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/netwiredRC.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
		
    strings:
        $string1 = "[Scroll Lock]"
        $string2 = "[Shift Lock]"
        $string3 = "200 OK"
        $string4 = "%s.Identifier"
        $string5 = "sqlite3_column_text"
        $string6 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
    condition:
        all of them
}
Download all Yara Rules