743CIRCL2014-04-232OSINT - NetWiredRC - A feature-rich Remote Access Tool.05357b40a-cf1c-49b7-bacc-4b1a950d2109212139826044831CIRCL0042124filenameArtifacts dropped15357b7a4-8610-4256-9ab4-a037950d210974331398257572logfile per day, format DD-MM-YYYY (without extension)%AppData%\Microsoft\Crypto\Logs\42125filenameArtifacts dropped15357b7a4-7e18-49cb-baad-a037950d210974331398257593%AppData%\Microsoft\Crypto\Office.exe42126filenameArtifacts dropped15357b7a4-3c9c-4906-8b34-a037950d210974331398257607%AppData%\Microsoft\Crypto\Office.exe.Identifier42123mutexArtifacts dropped15357b763-27d4-4f0c-8ffa-a538950d210974331398257507mJhcimNA42121regkey|valueArtifacts dropped15357b748-db74-4f8d-93b2-bf58950d210974331398257480HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |Office42122regkey|valueArtifacts dropped15357b748-b764-4b5d-8ff6-bf58950d210974331398257480HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components|-42131linkExternal analysis05357b956-0f80-40d4-ac53-5840950d210974331398258006CIRCL TR-23 Analysis - NetWiredRC malwarehttps://www.circl.lu/pub/tr-23/231commentExternal analysis15357b956-0f80-40d4-ac53-5840950d210974342131CIRCL TR-23 Analysis - NetWiredRC malwareCERT.athttps://www.circl.lu/pub/tr-23/ not working42134linkExternal analysis05357ba41-a670-4d50-8403-be22950d210974331398258254http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:Win32/NetWiredRC.B#tab=242120ip-dstNetwork activity15357b4f7-8804-4974-92e7-5840950d210974331398256887Sample B37.252.120.12242148snortNetwork activity15357c2e0-d484-4b2e-9922-ce64950d210974331398260448alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \ msg:"NetWiredRC registration"; \ pkt_data; content:"|41 00 00 00 03|"; \ offset:0; \ depth:10; \ reference:url,https://www.circl.lu/pub/tr-23/; \ sid:70123;\ rev:1;)42147snortNetwork activity15357c2ca-5d28-49cf-89ad-aca9950d210974331398260426alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \ msg:"NetWiredRC heartbeat"; \ pkt_data; \ content:"|01 00 00 00 02|"; \ offset:0; \ depth:10; \ reference:url,https://www.circl.lu/pub/tr-23/; \ sid:70023;\ rev:1;)42114md5Payload delivery15357b442-5fe0-46e9-beed-bf58950d210974331398256706Sample A37e922093d8a837b250e72cc87a664cd42127md5Payload delivery15357b832-2c04-474a-8791-a036950d210974331398257829Similarity by network connection (same IP:PORT), strings, attribution: NetWiredRC4af801e0de96814e9095bf78be79000342128md5Payload delivery15357b832-4a8c-4a76-a0b1-a036950d210974331398257839Similarity by network connection (same IP:PORT), strings, attribution: NetWiredRC1d2f110f37c43a05407e8295d75a197442129md5Payload delivery15357b8f8-874c-426d-81ac-be18950d210974331398257912Quick analysis: previous version of this malware - missing features: SOCKS, audio recording, find file by MD51e279c58a4156ef2ae1ff55a4bc3aaf642115sha1Payload delivery15357b45b-2684-4508-a65d-be18950d210974331398256731Sample Ac4d06a2fc80bffbc6a64f92f95ffee02f92c6bb942130sha1Payload delivery15357b91d-10fc-4fdd-a6fd-ce64950d210974331398257949Quick analysis: previous version of this malware - missing features: SOCKS, audio recording, find file by MD540e8e3b5fce0cd551106ccb86fc83a0ca03c934942116sha256Payload delivery15357b46c-b9a0-446c-bb3d-b035950d210974331398256748Sample A3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f6242117md5Payload installation15357b483-3278-47d5-b413-5845950d210974331398256771Sample B759545ab2edad3149174e263d6c81dce42118sha1Payload installation15357b491-f69c-47be-830f-588f950d210974331398256785Sample B2182ff6537f38a4e8c273316484c2c84872633d042119sha256Payload installation15357b49d-7ee0-4f05-a7d5-ce64950d210974331398256797Sample B34d88b04956cbed54190823c94753b0dc6d8c19339d22153127293433b398cf1718CIRCL2014-04-04UndefinedCIRCL UNKCAMP (Not actionable -> no takedown request or no active probing)315342b584-4c9c-406b-94da-4b54950d210931CIRCL1396965601200213970720612.2.0