Potential NetWire RAT Activity - Registry

 1title: Potential NetWire RAT Activity - Registry
 2id: 1d218616-71b0-4c40-855b-9dbe75510f7f
 3status: test
 4description: Detects registry keys related to NetWire RAT
 5references:
 6    - https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing
 7    - https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/
 8    - https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
 9    - https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line
10    - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
11author: Christopher Peacock
12date: 2021-10-07
13modified: 2023-02-07
14tags:
15    - attack.persistence
16    - attack.defense-evasion
17    - attack.t1112
18logsource:
19    product: windows
20    category: registry_add
21detection:
22    selection:
23        EventType: CreateKey
24        # The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
25        TargetObject|contains: '\software\NetWire'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

• New NetWire RAT Malware Variant Being Spread Via Phishing | FortiGuard Labs

  

  FortiGuard Labs recently discovered a new NetWire RAT malware variant spreading via phishing email. Read this for a deep dive of how this new NetWire RAT malware variant works.…

  
  Read More

• https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/

  
  Read More

• GuLoader: Malspam Campaign Installing NetWire RAT

  

  An overview of how NetWire, a publicly-available RAT, was discovered being distributed through a file downloader called GuLoader.

  
  Read More

• Threat Thursday: NetWire RAT is Coming Down the Line

  

  NetWire is a publicly available, multi-platform Remote Access Trojan (RAT) that is designed to perform surveillance or take control of the infected system.

  
  Read More

• Analysis 1006ff92e3892ac95548a7fc0764deeaa0078ff153dcd6053d889cf9aad19f4b (MD5: 4EB5B6684C39595331F022A4265B8FB8) Malicious activity - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

Related rules

• Activate Suppression of Windows Security Center Notifications
• Add DisallowRun Execution to Registry
• Allow RDP Remote Assistance Feature
• Blackbyte Ransomware Registry
• Blue Mockingbird