{
	"id": "b107da2d-e84d-491b-90e3-f65f264cb127",
	"created_at": "2026-04-06T00:15:19.147968Z",
	"updated_at": "2026-04-10T13:12:55.44135Z",
	"deleted_at": null,
	"sha1_hash": "523aba3a70a9f0b86f0cb78f8593dfae1086c632",
	"title": "CIRCL » TR-23 Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 100550,
	"plain_text": "CIRCL » TR-23 Analysis\r\nArchived: 2026-04-05 16:08:21 UTC\r\nOverview\r\nCIRCL analyzed a malware sample which was only sporadically detected by just a handful antivirus engines,\r\nbased on heuristic detection. CIRCL analyzed the entire command structure of the malware and was able to\r\nattribute this specific malware to the malware NetWiredRC. The malware is a feature-rich Remote Access Tool,\r\nand compared to the identified predecessors, this specific version even implements more features.\r\nPre-Analysis\r\nSample A\r\nHashes:\r\nType of Hash Hash\r\nMD5 37e922093d8a837b250e72cc87a664cd\r\nSHA1 c4d06a2fc80bffbc6a64f92f95ffee02f92c6bb9\r\nSHA-256 3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f62\r\nVirusTotal results for sample A\r\nEngine Result\r\nMcAfee Artemis!37E922093D8A\r\nTrendMicro-HouseCall TROJ_GEN.F47V0407\r\nComodo TrojWare.Win32.Amtar.JEI\r\nMcAfee-GW-Edition Artemis!37E922093D8A\r\nESET-NOD32 Win32/Spy.Agent.NYU\r\nIkarus Backdoor:Signed.Agent\r\nAVG BackDoor.Agent.AWYR\r\nScanned: 2014-04-07 - 49 scans - 7 detections  \r\nhttps://www.circl.lu/pub/tr-23/\r\nPage 1 of 13\n\nSignature check for sample A\r\nVerified Signed\r\nSigners Avira Operations GmbH \u0026 Co. KG\r\n  VeriSign Class 3 Code Signing 2010 CA\r\n  VeriSign Class 3 Public Primary Certification Authority - G5\r\nSigning date 10:52 AM 6/25/2012\r\nPublisher Avira Operations GmbH \u0026 Co. 
KG\r\nDescription Avira Notification Tool\r\nProduct Avira Free Antivirus\r\nVersion 12.3.0.34\r\nFile version 12.3.0.34\r\nImport table\r\nKERNEL32.dll\r\nUSER32.dll\r\nGDI32.dll\r\nADVAPI32.dll\r\nSHELL32.dll\r\nCOMCTL32.dll\r\nSHLWAPI.dll\r\nole32.dll\r\nOLEAUT32.dll\r\nVERSION.dll\r\nSections\r\nThe section attributes of the file give a first hint of its maliciousness: the .text section is writable and\r\nthus allows self-modifying code:\r\nSECTION 1 (.text ):\r\n virtual size : 000314DA ( 201946.)\r\n virtual address : 00001000\r\n section size : 00031600 ( 202240.)\r\n offset to raw data for section: 00000400\r\n offset to relocation : 00000000\r\n offset to line numbers : 00000000\r\n number of relocation entries : 0\r\n number of line number entries : 0\r\n alignment : 0 byte(s)\r\n Flags E0000020:\r\n text only\r\n Executable\r\n Readable\r\n Writable\r\nSECTION 2 (.rdata ):\r\n virtual size : 0000E238 ( 57912.)\r\n virtual address : 00033000\r\n section size : 0000E400 ( 58368.)\r\n offset to raw data for section: 00031A00\r\n offset to relocation : 00000000\r\n offset to line numbers : 00000000\r\n number of relocation entries : 0\r\n number of line number entries : 0\r\n alignment : 0 byte(s)\r\n Flags 40000040:\r\n data only\r\n Readable\r\nSECTION 3 (.data ):\r\n virtual size : 00003A5C ( 14940.)\r\n virtual address : 00042000\r\n section size : 00002200 ( 8704.)\r\n offset to raw data for section: 0003FE00\r\n offset to relocation : 00000000\r\n offset to line numbers : 00000000\r\n number of relocation entries : 0\r\n number of line number entries : 0\r\n alignment : 0 byte(s)\r\n Flags C0000040:\r\n data only\r\n Readable\r\n Writable\r\nSECTION 4 (.rsrc ):\r\n virtual size : 000064D0 ( 25808.)\r\n virtual address : 00046000\r\n section size : 00006600 ( 26112.)\r\n offset to raw data for section: 00042000\r\n offset to relocation : 00000000\r\n offset to line numbers : 00000000\r\n 
number of relocation entries : 0\r\n number of line number entries : 0\r\n alignment : 0 byte(s)\r\n Flags 40000040:\r\n data only\r\n Readable\r\nDebugging Sample A\r\nWe will not go into detail about all the obfuscation layers and extraction routines used by sample A, but briefly\r\noutline the concept. After an anti-emulation stage, stage 2 decrypts the final malware, using the key\r\n0x5A4C4D4D4C4D, which in ASCII is ZLMMLM.\r\nStage 2 (xor):\r\n.text:0040227A xor:\r\n.text:0040227A lodsb\r\n.text:0040227B xor al, [ebx+edx]\r\n.text:0040227E inc edx\r\n.text:0040227F jmp short loc_40229B\r\n.text:00402281 loc_402281:\r\n.text:00402281 stosb\r\n.text:00402282 mov eax, edx\r\n.text:00402284 xor edx, edx\r\n.text:00402286 mov ebp, 6\r\n.text:0040228B\r\n.text:0040228B loc_40228B:\r\n.text:0040228B div ebp\r\n.text:0040228D loop xor\r\n.text:0040228F mov eax, ebx\r\n.text:00402291 add esp, 6\r\n.text:00402294 pop ebx\r\n.text:00402295 pop esi\r\n.text:00402296 pop edi\r\n.text:00402297 pop ebp\r\n.text:00402298 push eax\r\n.text:00402299 jmp short loc_4022A8\r\n.text:0040229B ; ---------------------------------------\r\n.text:0040229B\r\n.text:0040229B loc_40229B:\r\n.text:0040229B test edx, edx\r\n.text:0040229D jnz short loc_402281\r\n...\r\n.text:004022A8 call $+5\r\n.text:004022AD pop ebp\r\nFrom the memory segment into which the code has been decrypted, it is written back to the .text section. 
Additional\r\nlibraries are loaded:\r\nC:\\WINDOWS\\system32\\crypt32.dll\r\nC:\\WINDOWS\\system32\\msasn1.dll\r\nC:\\WINDOWS\\system32\\winmm.dll\r\nC:\\WINDOWS\\system32\\ws2_32.dll\r\nC:\\WINDOWS\\system32\\ws2help.dll\r\nFinally, the instruction pointer points back to the .text section at 0x00401FEC, which is the original entry\r\npoint of this malware.\r\nThis binary has been isolated, extracted and named sample B:\r\nSample B\r\nHashes:\r\nType of Hash Hash\r\nMD5 759545ab2edad3149174e263d6c81dce\r\nSHA1 2182ff6537f38a4e8c273316484c2c84872633d0\r\nSHA-256 34d88b04956cbed54190823c94753b0dc6d8c19339d22153127293433b398cf1\r\nVirusTotal results for sample B\r\nVirusTotal result for hash: 759545ab2edad3149174e263d6c81dce -\u003e Hash was not found on VirusTotal.\r\nSignature check for sample B\r\nFile is not signed.\r\nUpon start, sample B, the actual malware, initializes memory, sets up Winsock by calling WSAStartup and\r\ndecrypts the following strings:\r\nString Use\r\nVM VMware check? Not used\r\n37.252.120.122:3360 Communication channel\r\n- literally as “-“\r\nPassword literally as this string\r\nHostId-%Rand% format string for identifier file\r\nmJhcimNA Name of mutex\r\n%AppData%\\Microsoft\\Crypto\\Office.exe Filename when made persistent\r\nOffice Registry key\r\n- literally as “-“\r\n%AppData%\\Microsoft\\Crypto\\Logs\\\r\n105 ?\r\n001 ?\r\nThen it starts to communicate with the Command and Control server, waiting for commands.\r\nThe commands are listed in the following table.\r\nAll commands have return codes. In case of success, the return code corresponds to the command code. If the\r\ncommand fails, the return code is usually the command code incremented by one.\r\nCommand switch:\r\nThe following table shows the commands of the malware. 
If there is an interesting return code, it is mentioned\r\nwith (r):\r\nCode Command\r\n1 (r) heartbeat (send back return code 1)\r\n2 (r) socket created\r\n3 (r) registered\r\n4 (r) setting password failed\r\n5 set password, identifier and fetch computer information (user, computername, windows version)\r\n6 create process from local file or fetch from URL first and create process\r\n7 create process from local file and exit (hMutex = CreateMutexA(0, 1, “mJhcimNA”))\r\n8 (r) failed to create process\r\n9 stop running threads, cleanup, exit\r\nA stop running threads, cleanup, sleep\r\nB stop running threads, delete autostart registry keys, cleanup, exit\r\nC add identifier (.Identifier) file\r\nD threaded: get file over HTTP and execute\r\nE fetch and send logical drives and types\r\n10 locate and send file with time, attributes and size\r\n12 find file\r\n13 (r) file information\r\n14 unset tid for 0x12\r\n14 (r) file not found (?)\r\n15 send file\r\n16 write into file\r\n17 close file (see 0x1F)\r\n18 copy file\r\n19 execute file\r\n1A move file\r\n1B delete file\r\n1C create directory\r\n1D file copy\r\n1E create directory or send file to server\r\n1F close file (see 0x17)\r\n20 start remote shell\r\n21 write into WritePipe\r\n22 reset tid for remote shell\r\n22 (r) terminated remote shell\r\n23 (r) failed to start remote shell\r\n24 collect client information and configuration\r\n25 (r) failed to get client information and configuration\r\n26 get logged on users\r\n26 (r) send logged on users\r\n27 (r) failed to send logged on users\r\n28 get detailed process information\r\n29 (r) failed to get detailed process information\r\n2A terminate process\r\n2B enumerate windows\r\n2B (r) send windows\r\n2C make window visible, invisible or show text\r\n2D get file over HTTP and execute\r\n2E (r) HTTP connect failed\r\n2F set keyboard 
event “keyup”\r\n30 set keyboard event $event\r\n31 set mouse button press\r\n32 set cursor position\r\n33 take screenshot and send\r\n35 (r) failed to take screenshot\r\n36 locate and send file from log directory with time, attributes and size\r\n38 check if log file exists\r\n39 delete logfile\r\n3A read key log file and send\r\n3C (r) failed to read key log file\r\n3D fetch and send stored credentials, history and certificates from common browsers\r\n3E fetch and send stored credentials, history and certificates from common browsers\r\n3F fetch and send chat (Windows Live and/or Pidgin) credentials\r\n40 fetch and send chat (Windows Live and/or Pidgin) credentials\r\n41 fetch and send mail (Outlook and/or Thunderbird) credentials and certificates\r\n42 fetch and send mail (Outlook and/or Thunderbird) credentials and certificates\r\n43 socks_proxy\r\n44 get audio devices and formats\r\n44 (r) audio devices and formats\r\n45 (r) failed to get audio devices\r\n46 start audio recording\r\n47 (r) error during recording\r\n48 stop audio recording\r\n49 find file get md5\r\n4C unset tid for find file get md5 (0x49)\r\nNetwork\r\nCommunication is performed via TCP/IP. First, the client registers itself with the server by sending\r\n41 00 00 00 03 (...)\r\nto the server, which in return replies with\r\n41 00 00 00 05 (...)\r\nA heartbeat is maintained by sending\r\n01 00 00 00 02\r\nto the remote site.\r\nOutgoing communication can be detected by Network Intrusion Detection Systems in order to identify compromised\r\nmachines. 
Suricata rules are included in this report.\r\nIOCs\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nvalue:Office\r\ndata:%AppData%\\Microsoft\\Crypto\\Office.exe\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\r\nvalue:-\r\ndata:%AppData%\\Microsoft\\Crypto\\Office.exe\r\nMutex name “mJhcimNA”\r\n%AppData%\\Microsoft\\Crypto\\Logs\\\r\nlogfile per day, format DD-MM-YYYY (without extension)\r\n%AppData%\\Microsoft\\Crypto\\Office.exe\r\n%AppData%\\Microsoft\\Crypto\\Office.exe.Identifier\r\nIP 37.252.120.122\r\nTCP port 3360\r\nA MISP XML file is available if you want to import the indicators into MISP or any other threat-indicator sharing\r\nplatform.\r\nNIDS\r\nThe following Suricata rules can be used to detect heartbeat and registration messages from a compromised client\r\nto the C\u0026C server. The rules have only been lightly tested against live traffic and may produce a number of false\r\npositives. Keeping this in mind, you could limit the destination to the IP address and port given in this\r\nreport. 
On the downside, you will lose the ability to track server/port changes the attacker may apply.\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any ( \\\r\n msg:\"NetWiredRC heartbeat\"; \\\r\n pkt_data; \\\r\n content:\"|01 00 00 00 02|\"; \\\r\n offset:0; \\\r\n depth:10; \\\r\n reference:url,https://www.circl.lu/pub/tr-23/; \\\r\n sid:70023; \\\r\n rev:1;)\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any ( \\\r\n msg:\"NetWiredRC registration\"; \\\r\n pkt_data; \\\r\n content:\"|41 00 00 00 03|\"; \\\r\n offset:0; \\\r\n depth:10; \\\r\n reference:url,https://www.circl.lu/pub/tr-23/; \\\r\n sid:70123; \\\r\n rev:1;)\r\nSimilarity by network connection (same IP:PORT), strings\r\nMD5: 4af801e0de96814e9095bf78be790003\r\nSHA1: b2beb80f0b1ed9b1ccbb9ae765b68d6db432a532\r\nAttribution: Backdoor:Win32/NetWiredRC.B\r\nSimilarity by network connection (same IP:PORT)\r\nMD5: 1d2f110f37c43a05407e8295d75a1974\r\nSHA1: d199349a3811c508ca620195327123600e1d9392\r\nBy name NetWiredRC\r\nhttp://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:Win32/NetWiredRC.B#tab=2\r\nMD5: 1e279c58a4156ef2ae1ff55a4bc3aaf6\r\nSHA1: 40e8e3b5fce0cd551106ccb86fc83a0ca03c9349\r\nQuick analysis: previous version of this malware\r\nmissing features: SOCKS, audio recording, find file by MD5\r\nDecrypting NetWire C2 traffic\r\nNetWire uses a proprietary protocol with encryption by default (AES-256-OFB). The Palo Alto Networks threat\r\nintelligence team published a report on how to decrypt the traffic (as long as you know the key or have extracted it from\r\nthe malware). 
The NetWiredDC Decoder is available on GitHub.\r\nRecommendations\r\nCIRCL recommends reviewing the IOCs of this report and comparing them with the log-producing servers in the infrastructure\r\nof your organization, including proxies, A/V and system logs.\r\nIf you have an infection, we recommend capturing the network traffic with the full payload as\r\nsoon as possible. You might be able to decrypt the traffic later on.\r\nIsolate the infected machine. Acquire memory (especially to get a malware sample and a potential\r\nencryption key) and disk. Reinstall the system after the forensic acquisition.\r\nServer intel\r\nThe server (37.252.120.122) used for this campaign is hosted at\r\ninetnum: 37.252.120.0 - 37.252.120.255\r\nnetname: TILAA\r\ndescr: Tilaa\r\ndescr: This space is statically assigned\r\ncountry: NL\r\nadmin-c: TLRL-RIPE\r\ntech-c: TLRL-RIPE\r\nstatus: ASSIGNED PA\r\nmnt-by: TILAA-MNT\r\nsource: RIPE # Filtered\r\nrole: Tilaa admin role\r\naddress: Februariplein 14\r\naddress: 1011MT Amsterdam\r\naddress: The Netherlands\r\nabuse-mailbox: abuse@tilaa.net\r\nadmin-c: TLDK-RIPE\r\nadmin-c: TLGV-RIPE\r\nadmin-c: TLRK-RIPE\r\ntech-c: TLDK-RIPE\r\ntech-c: TLGV-RIPE\r\ntech-c: TLRK-RIPE\r\nnic-hdl: TLRL-RIPE\r\nmnt-by: TILAA-MNT\r\nsource: RIPE # Filtered\r\n% Information related to '37.252.120.0/21AS196752'\r\nroute: 37.252.120.0/21\r\ndescr: Routed by Tilaa\r\norigin: AS196752\r\nmnt-by: TILAA-MNT\r\nsource: RIPE # Filtered\r\nand reveals several open ports:\r\n3360/tcp open unknown\r\n3389/tcp open ms-wbt-server\r\n5985/tcp open wsman\r\n47001/tcp open unknown\r\n49152/tcp open unknown\r\n49153/tcp open unknown\r\n49154/tcp open unknown\r\n49155/tcp open unknown\r\n49158/tcp open unknown\r\n49159/tcp open unknown\r\n49160/tcp open unknown\r\nDevice type: general purpose\r\nRunning (JUST GUESSING): Microsoft Windows 2008 (92%)\r\nOS CPE: cpe:/o:microsoft:windows_server_2008::sp1\r\nOS 
fingerprint not ideal because: Host distance (11 network hops) is greater than five\r\nAggressive OS guesses: Microsoft Windows Server 2008 SP1 (92%)\r\nNo exact OS matches for host (test conditions non-ideal).\r\nUptime guess: 54.768 days (since Thu Feb 27 18:11:41 2014)\r\nPorts might be used for several purposes/campaigns. Probing the ports gives the following result:\r\n3360/tcp - C\u0026C port for this campaign\r\n3389/tcp - no reaction to crafted requests\r\n5985/tcp - HTTP port\r\n47001/tcp - HTTP port\r\n49152/tcp - no reaction to crafted requests\r\n49153/tcp - no reaction to crafted requests\r\n49154/tcp - no reaction to crafted requests\r\n49155/tcp - no reaction to crafted requests\r\n49158/tcp - no reaction to crafted requests\r\n49159/tcp - no reaction to crafted requests\r\n49160/tcp - no reaction to crafted requests\r\nThe ports not reacting to crafted requests might be used for different campaigns for the same malware or for\r\ndifferent versions of the malware family or even for other malware. 
We were not able to find a different sample of\r\nthe malware that connects to a different port.\r\nAs of Friday 25 April, the C\u0026C port is no longer active, as the ISP took the appropriate action.\r\nClassification of this document\r\nTLP:WHITE information may be distributed without restriction, subject to copyright controls.\r\nAcknowledgment\r\nCIRCL thanks CERT Société Générale for sharing Sample A.\r\nRevision\r\nVersion 1.1 November 26, 2014 Decrypting NetWire C2 Traffic reference added\r\nVersion 1.0 April 25, 2014 C\u0026C (for the known TCP port) is no longer active\r\nVersion 0.9 April 23, 2014 Initial version (TLP:WHITE)\r\nSource: https://www.circl.lu/pub/tr-23/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.circl.lu/pub/tr-23/"
	],
	"report_names": [
		"tr-23"
	],
	"threat_actors": [],
	"ts_created_at": 1775434519,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/523aba3a70a9f0b86f0cb78f8593dfae1086c632.pdf",
		"text": "https://archive.orkl.eu/523aba3a70a9f0b86f0cb78f8593dfae1086c632.txt",
		"img": "https://archive.orkl.eu/523aba3a70a9f0b86f0cb78f8593dfae1086c632.jpg"
	}
}