NetWire is a publicly-available Remote Access Trojan that is a part of the NetWiredRC malware family used by cybercriminals since 2012. Its primary functionality is focused on credentials stealing and keylogging, but it also has remote control capabilities. Adversaries often distribute NetWire through malspam and phishing emails. 

In a recent campaign, cybercriminals targeted users in Germany and disguised phishing emails as German courier, parcel, and express mail service DHL. The attackers used MS Excel documents as a malicious attachment. It activates a PowerShell command to download two files from Pastebin and perform character replacements on them to decode the DLL file, download obfuscated NetWire RAT, and then use decoded DLL to inject trojan into the legitimate process. 

New threat hunting rule by Osman Demir uncovers PowerShell command to download malicious files and process injection into a legitimate Windows file.

Netwire RAT via and MS Excel

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Windows Defender ATP, Carbon Black, Elastic Endpoint



Tactics: Command and Control

Techniques: Remote Access Tools (T1219)

You can also check the community rule Netwire RAT detection via WScript:


Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts