Rewterz Threat Alert – NetWire RAT Malware – Active IOCs

Severity

High

Analysis Summary

NetWire is a remote access Trojan focused on password stealing and keylogging, as well as including remote control capabilities. This threat has been used by malicious groups since 2012 and distributed through various social engineering campaigns (malspam). Recently, NetWire has been distributed as a second payload using Microsoft Word documents via GuLoader phishing waves. These days, NetWire is often launched via social engineering campaigns or as a later payload of another malware chain. Criminals send emails with malicious files attached to a wide number of users and expect at least someone to open the infected file. Once a victim clicks on it, the malware file is downloaded onto the victim’s computer. The shared files often used by crooks are PDF, Word, and IMG files.

Impact

• Information Theft
• Exposure of Sensitive Data

Indicators of Compromise

MD5

• f13ea972b900402696a1f51fb1bf5df7
• 4bcc352698b1e1ad6be66d1b91b9a26c
• ebf758901fb663efbefb029119f1268d
• 786bdb27f2eca2315e8c36302630dab8
• adfcea78d75201b3e076ad5cd5e03024
• efa94719f0d14b3f8f330e5c7949dd2f

SHA-256

• 25cf559d1de914a23563ad710eb291840283e5e9963b3941e51799220cc09ea5
• 7ce5e8a8e1662576b886631f8ad09bed03a917bcad5fb8714e9b116fe66fcbf1
• 8da08a2702d91029011f6aa8d209c706e2763dd10af4597953af58e14bca1677
• 460834ec55aa694ab0d984921534e5b7111bcb024abb36f7bace052fdeb448e5
• 6ca83be643d77af8da636b80200781881cb6c4a9a1ad60d910c65d354478b7db
• 98f868900b27ba82ac18f919dc551ea15dc310813eb1538ebf2d0ab3afaa8328

SHA-1

• 9c65c21911835ecf925bf63c251fed98bc9b3023
• 99aaec93bd913e1c583c1ead8186e722c21bb958
• b5927738a9cb79fd87a52425c527ec4823cb9812
• 5522bef42cb4d78d5a3096383cf7300513b4e142
• 078a991833264fbd26fbe36368a8e5b7d80451fd
• 6232070998c6d992941b4a5be9008efaf4af2370

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.