  • Type
  • Origin: ex-USSR territory
  • First seen: 1 January, 2012
  • Last seen: 21 November, 2019

What is Netwire malware?

Netwire is a remote access trojan (RAT), a type of malware used to control an infected machine remotely. This particular RAT can perform over 100 malicious actions on infected machines and can attack multiple systems, including Windows, Apple's macOS, and Linux.

Netwire is available for purchase on the darknet in the underground hacking communities where attackers can buy this RAT for the price of 40 to 140 USD. In addition, Netwire can be purchased on the surface internet for a price of 180 USD. Notably, in 2016 Netwire received an update which added the functionality to steal data from devices connected to the infected machine, such as USB credit card readers, allowing Netwire to perform POS attacks.

General description of Netwire

Netwire Trojan's core functionality allows this malware to take remote control of infected PCs, record keystrokes and mouse behavior, take screenshots, collect system information, and create fake HTTP proxies.

The keylogger functionality allows Netwire to record a wide range of personal data typed on a computer connected to the internet or to a corporate network. Combined with the ability to steal credit card information and operate undetected for extended periods of time, Netwire RAT is capable of inflicting serious damage on organizations.

In some malicious campaigns, Netwire was used to target healthcare and banking businesses. The malware was also documented being used by a group of scammers from Africa who utilized Netwire to take remote control of infected machines.

Netwire's creators have put a lot of work into ensuring that researchers have a hard time analyzing this malware: many precautions are taken to complicate the research process, including multiple data encryption layers and string obfuscation. In addition, the malware uses a custom, encrypted C2 binary protocol, and the relevant data is encrypted before transmission as well.

During one campaign researchers observed Netwire being distributed as "TeamViewer 10", named so in an effort to trick victims into thinking that they had downloaded the legitimate remote assistance software. Once execution began, this version would drop an .EXE file and start establishing persistence right away. The malware created a Windows shortcut in the Startup folder to make sure that Netwire would run every time the user logged into the system. Interestingly, another trick designed to keep the malware hidden actually gave it away during this particular campaign. The malware injected its code into Notepad.exe, which revealed its presence, since it is not normal for Notepad to hold an always-active network connection. Only after decoding the data prepared for transmission to the C2 was the sensitive nature of the stolen information discovered. Unfortunately, researchers did not reveal which organization was targeted in this particular attack.
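As an added illustration (not code from the original page or from ANY.RUN), the following Python sketch turns the two tells described above into simple detection checks over constructed telemetry: a normally network-silent image such as notepad.exe initiating an outbound connection, and a shortcut written to the per-user Startup folder. The record shapes, file paths and addresses are assumed sample data.

```python
from dataclasses import dataclass

# Images with no legitimate reason to initiate outbound connections; Netwire
# injecting into notepad.exe (described above) is exactly this pattern.
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe"}
# Fragment of the per-user Startup folder; a .lnk written here runs at each logon.
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"

@dataclass
class NetEvent:          # shape loosely modelled on a Sysmon event ID 3 record
    image: str
    dest_ip: str
    dest_port: int
    initiated: bool      # True when the local process opened the connection

@dataclass
class FileEvent:         # shape loosely modelled on a Sysmon event ID 11 record
    image: str
    target: str

def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_connections(events):
    """Outbound connections initiated by images that should never be online."""
    return [e for e in events
            if e.initiated and image_name(e.image) in NO_NETWORK_IMAGES]

def startup_shortcuts(events):
    """Shortcut files dropped into a Startup folder (logon persistence)."""
    return [e for e in events
            if e.target.lower().endswith(".lnk")
            and STARTUP_FRAGMENT in e.target.lower()]

# Constructed sample telemetry: documentation IP ranges, invented paths.
NET_SAMPLE = [
    NetEvent(r"C:\Windows\System32\notepad.exe", "203.0.113.10", 443, True),
    NetEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", "198.51.100.20", 443, True),
    NetEvent(r"C:\Windows\System32\notepad.exe", "198.51.100.5", 445, False),  # inbound, ignored
]
FILE_SAMPLE = [
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\TeamViewer 10.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TeamViewer.lnk"),
    FileEvent(r"C:\Windows\explorer.exe", r"C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    print(suspicious_connections(NET_SAMPLE))
    print(startup_shortcuts(FILE_SAMPLE))
```

Only the notepad.exe outbound connection and the Startup .lnk written by the "TeamViewer 10" binary are flagged; the inbound notepad.exe record and the ordinary document write are not.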

Netwire malware analysis

A video simulation recorded on ANY.RUN enables researchers to study the lifecycle of Netwire in great detail.

Figure 1: Process graph generated by ANY.RUN, visualizing the life cycle of Netwire

Figure 2: A text report generated by ANY.RUN is a convenient way to share research results

Netwire execution process

As far as malware execution goes, Netwire isn't as exciting as some other malicious programs can be. It makes its way into the device mostly in the form of a payload.

The user receives a spam email with an attached Microsoft Word file. After the user downloads and opens this file, the executable is dropped or downloaded onto the machine. The executable then starts performing the main malicious activity, such as writing itself into autorun, connecting to C2 servers, and stealing information from the infected device. Netwire also has the ability to inject into innocuous-looking processes, from which it can carry out its malicious activities.

Distribution of Netwire

Netwire RAT is usually distributed in email phishing campaigns in the form of a malicious Microsoft Office document. The victim must enable macros in order for the RAT to enter an active state. The macros then download Netwire, allowing the malware to start its execution process.

How to export data from the analysis of Netwire malware using ANY.RUN?

If analysts want to do additional work with events from tasks, or simply want to share them with colleagues, they can export them to different formats. Just click on the "Export" button and choose the most suitable format in the drop-down menu.

Figure 3: Export options for Netwire malware


A diverse information-stealing feature set, combined with the ability to target multiple operating systems and steal data from credit cards used on an infected system, makes Netwire a highly dangerous remote access trojan.

Despite its impressive functionality, the malware is fairly accessible, "retailing" on underground forums for as little as 40 dollars in some cases. The situation is made worse by the fact that Netwire's creators have implemented several features designed to complicate analysis as much as possible.

However, researchers can take advantage of interactive malware hunting services, such as ANY.RUN, that allow analysts to influence the simulation at any point and obtain much cleaner research results.

