Dissecting Netwire Remote Access Trojan (RAT) behavior on an infected endpoint


OpenText Security Cloud Team

April 29, 2022 | 2 minute read

Netwire is a Remote Access Trojan (RAT) capable of stealing passwords, keylogging, and includes remote control capabilities. Netwire RAT has been used by advanced persistent threat groups (APT) in the past.

In a recent malspam campaign, Netwire RAT was delivered via a zip archive containing a Visual Basic script.

The OpenText Security Consulting team, as part of its threat research, continuously monitors how malware behaves on the endpoint and creates alerting content for its MxDR and Managed Security Services customers.

Infection Chain

Upon execution of the malicious Visual Basic script associated with the Netwire RAT infection, the script contacts a compromised website and downloads an updated Visual Basic script. That script then launches the PowerShell process to execute a Base64-encoded script that creates persistence, downloads additional payloads, injects code into the ieinstal process, and communicates with the Netwire RAT command and control (C2) host.

Screenshot: PowerShell spawning the ieinstal process (abnormal behavior).

Screenshot: svchost spawning the ieinstal process on an uninfected host (expected behavior).

Screenshot: Netwire RAT creating persistence in the registry Run key, pointing to the AppDataLow registry key.

Screenshot: The AppDataLow registry key, which holds a Base64-encoded PowerShell script used to execute the encrypted Netwire RAT binary.

Screenshot: Injected ieinstal process communicating with Netwire RAT C2 hosts over port 3360.

Screenshot: Explorer spawning PowerShell to interact with the registry key under AppDataLow.

Content used to alert on the Netwire RAT’s behavior

Screenshot: Using the Uncoder.io Sigma rule generator to alert on Explorer spawning the PowerShell process with the registry key path ‘\software\appdatalow\’ in the command line.

Screenshot: Using the Uncoder.io Sigma rule generator to alert on PowerShell spawning the ieinstal process.
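The two detections above, expressed as plain matching logic over process-creation events so they can be checked against sample data before being deployed as Sigma rules. This is an added example, not the consulting team's own rule content; the event records and command lines are constructed, and the field names (parent_image, image, command_line) are assumptions modelled on Sysmon Event ID 1.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style; assumed field names)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    # Match on the executable name only, case-insensitively, like a Sigma 'endswith'.
    return path.rsplit("\\", 1)[-1].lower()


def explorer_spawns_powershell_appdatalow(ev: ProcessEvent) -> bool:
    """Explorer -> PowerShell with '\\software\\appdatalow\\' anywhere in the command line."""
    return (_basename(ev.parent_image) == "explorer.exe"
            and _basename(ev.image) == "powershell.exe"
            and "\\software\\appdatalow\\" in ev.command_line.lower())


def powershell_spawns_ieinstal(ev: ProcessEvent) -> bool:
    """PowerShell -> ieinstal.exe; on a clean host the expected parent is svchost.exe."""
    return (_basename(ev.parent_image) == "powershell.exe"
            and _basename(ev.image) == "ieinstal.exe")


RULES: Dict[str, Callable[[ProcessEvent], bool]] = {
    "explorer_powershell_appdatalow": explorer_spawns_powershell_appdatalow,
    "powershell_spawns_ieinstal": powershell_spawns_ieinstal,
}


def evaluate(events: List[ProcessEvent]) -> List[Tuple[str, int]]:
    """Return (rule name, event index) for every event that trips a rule."""
    return [(name, idx) for idx, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample events: a benign baseline for each rule, then one event per
# abnormal behaviour described in the post. Registry value name is a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
IEINSTAL = r"C:\Program Files\Internet Explorer\ieinstal.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", IEINSTAL, f'"{IEINSTAL}"'),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -NoProfile -Command Get-Date"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 r"powershell.exe -w hidden -c Get-ItemProperty HKCU:\Software\AppDataLow\PLACEHOLDER"),
    ProcessEvent(PS, IEINSTAL, f'"{IEINSTAL}"'),
]
```

Running `evaluate(SAMPLE_EVENTS)` flags only the last two events; the svchost-parented ieinstal launch and the ordinary Explorer-launched PowerShell stay silent, which is the baseline the screenshots of the uninfected host establish.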

Indicators of Compromise (IoC)

MD5 Hash: 831f8bcc9aacd0570d62355010455c79 – Hash associated with initial VB script used to download Netwire RAT 

MD5 Hash: 15727c74c194a1de647552d66006ecfe – Hash associated with secondary VB script used to download the Netwire RAT 

toshiba1122.ddns[.]net – Domain associated with the Netwire RAT C2 

194.5.98[.]59 port 3360 – IP address hosting Netwire RAT C2 

197.210.226[.]83 port 3360 – IP address hosting Netwire RAT C2 

197.210.226[.]190 port 3360 – IP address hosting Netwire RAT C2 


Author: Lenny Conway, Lead Consultant
