NETWIRE Dynamic Configuration Extraction — Elastic Security Labs
Common Information
Type Value
UUID 564d81b2-d50e-4824-a49c-7e2af6cae57f
Fingerprint 54716fab3d39da94
Analysis status DONE
Considered CTI value 2
Text language
Published Jan. 30, 2023, midnight
Added to db Nov. 19, 2023, 6:21 a.m.
Last updated Dec. 19, 2024, 12:04 a.m.
Headline NETWIRE Dynamic Configuration Extraction
Title NETWIRE Dynamic Configuration Extraction — Elastic Security Labs
Detected Hints/Tags/Attributes 31/1/70
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 306 Elastic Security Labs https://www.elastic.co/security-labs/rss/feed.xml 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 1
20220627.duckdns.org
Details Domain 1
admin96.hopto.org
Details Domain 2
alice2019.myftp.biz
Details Domain 1
asorock1111.ddns.net
Details Domain 5
banqueislamik.ddrive.online
Details Domain 1
betterday.duckdns.org
Details Domain 1
bigman2021.duckdns.org
Details Domain 1
blazeblaze.ddns.net
Details Domain 1
chongmei33.myddns.rocks
Details Domain 1
clients.enigmasolutions.xyz
Details Domain 1
gracedynu.gleeze.com
Details Domain 1
ingobea.hopto.org
Details Domain 2
iphanyi.edns.biz
Details Domain 1
iphy.strangled.net
Details Domain 1
kimlee11.duckdns.org
Details Domain 1
loffgghh.duckdns.org
Details Domain 1
megaton.gleeze.com
Details Domain 2
moran101.duckdns.org
Details Domain 1
netuwaya.servecounterstrike.com
Details Domain 1
nowancenorly.ddns.net
Details Domain 1
podzeye.duckdns.org
Details Domain 1
podzeye2.duckdns.org
Details Domain 1
recoveryonpoint.duckdns.org
Details Domain 1
redlinea.top
Details Domain 1
roller.duckdns.org
Details Domain 1
rozayleekimishere.duckdns.org
Details Domain 1
sani990.duckdns.org
Details Domain 1
saturdaylivecheckthisout.duckdns.org
Details Domain 1
uhie.hopto.org
Details Domain 1
uhie2020.duckdns.org
Details Domain 1
wcbradley.duckdns.org
Details Domain 1
xman2.duckdns.org
Details Domain 1
zonedx.ddns.net
Details File 1
image5.jpg
Details File 1
output.nd
Details IPv4 1
139.28.38.235
Details IPv4 1
149.102.132.253
Details IPv4 1
184.75.221.115
Details IPv4 1
185.136.165.182
Details IPv4 1
185.140.53.139
Details IPv4 1
185.140.53.144
Details IPv4 1
185.140.53.154
Details IPv4 1
185.140.53.61
Details IPv4 1
185.216.71.251
Details IPv4 1
194.36.111.59
Details IPv4 1
194.5.98.126
Details IPv4 1
194.5.98.178
Details IPv4 1
194.5.98.188
Details IPv4 1
194.5.98.65
Details IPv4 1
212.193.29.37
Details IPv4 5
212.193.30.230
Details IPv4 1
213.152.161.249
Details IPv4 1
217.151.98.163
Details IPv4 1
23.105.131.166
Details IPv4 1
37.0.14.199
Details IPv4 1
37.0.14.203
Details IPv4 2
37.0.14.206
Details IPv4 1
37.0.14.208
Details IPv4 1
37.0.14.214
Details IPv4 1
37.120.217.243
Details IPv4 1
51.161.104.138
Details IPv4 1
54.145.6.146
Details IPv4 1
80.66.64.136
Details IPv4 1
85.209.134.105
Details IPv4 1
85.31.46.78
Details IPv4 1
94.156.35.40
Details Yara rule 1
rule Windows_Trojan_Netwire_1 {
	// Code-pattern signature for the NetWire trojan (x86 Windows builds).
	meta:
		threat_name = "Windows.Trojan.Netwire"
		family = "Netwire"
		category_type = "Trojan"
		os = "Windows"
		arch = "x86"
		author = "Elastic Security"
	strings:
		// 22-byte x86 opcode sequence. Matching is byte-exact, so the
		// order and values must stay as given; no wildcards are used.
		$code_seq = { 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C }
	condition:
		// Only one string is declared, so this is the same as "all of them".
		$code_seq
}
Details Yara rule 1
rule Windows_Trojan_Netwire_2 {
	// String-based signature for the NetWire trojan (x86 Windows builds).
	meta:
		threat_name = "Windows.Trojan.Netwire"
		family = "Netwire"
		category_type = "Trojan"
		os = "Windows"
		arch = "x86"
		author = "Elastic Security"
	strings:
		// Date/time format string ("[dd/mm/yyyy hh:mm:ss]"-style printf template).
		$s1 = "[%.2d/%.2d/%d %.2d:%.2d:%.2d]" fullword
		// File-name fragment; commonly associated with a browser saved-login database.
		$s2 = "\\Login Data"
		// Registry subkey path used by the family.
		$s3 = "SOFTWARE\\NetWire" fullword
	condition:
		// Any two of the three strings suffice; every string is prefixed $s,
		// so this is identical to "2 of them".
		2 of ($s*)
}
Details Yara rule 1
rule Windows_Trojan_Netwire_3 {
	// Second code-pattern signature for the NetWire trojan (x86 Windows builds).
	meta:
		threat_name = "Windows.Trojan.Netwire"
		family = "Netwire"
		category_type = "Trojan"
		os = "Windows"
		arch = "x86"
		author = "Elastic Security"
	strings:
		// 23-byte x86 opcode sequence. Matching is byte-exact, so the
		// order and values must stay as given; no wildcards are used.
		$code_seq = { C9 0F 44 C8 D0 EB 8A 44 24 12 0F B7 C9 75 D1 32 C0 B3 01 8B CE 88 44 }
	condition:
		// Only one string is declared, so this is the same as "all of them".
		$code_seq
}
Details Yara rule 1
rule Windows_Trojan_Netwire_4 {
	// String-based signature for the NetWire trojan (x86 Windows builds).
	meta:
		threat_name = "Windows.Trojan.Netwire"
		family = "Netwire"
		category_type = "Trojan"
		os = "Windows"
		arch = "x86"
		author = "Elastic Security"
	strings:
		// ASCII strings reproduced byte-for-byte from the sample. Several look
		// intentionally altered (e.g. "%6" in place of "%s"), so do not "correct"
		// them: the odd spelling is part of what the rule keys on.
		$s1 = "http://%s%ComSpec" ascii fullword
		$s2 = "%c%.8x%s" ascii fullword
		$s3 = "%6\\6Z65dlNh\\YlS.dfd" ascii fullword
		$s4 = "GET %s HTTP/1.1" ascii fullword
		$s5 = "R-W65: %6:%S" ascii fullword
		$s6 = "PTLLjPq %6:%S -qq9/G.y" ascii fullword
	condition:
		// At least four of the six strings; every string is prefixed $s,
		// so this is identical to "4 of them".
		4 of ($s*)
}