Unmasking the Secrets of NETWIRE Malware

Published on: November 20 2023 by John Hammond

Table of Contents

  1. Introduction
  2. The Big Fix Event by Snyk
  3. De-obfuscating the Malicious Code
  4. Exploring the VBS Loader Files
  5. Understanding the Visual Basic Script
  6. Cleaning Up the Script for Better Analysis
  7. Analyzing the PowerShell Command
  8. Decoding Hexadecimal Data
  9. Reflectively Loading the Assembly
  10. Persistence and Creating Shortcuts
  11. Analyzing the NetWire RAT
  12. Identifying NetWire's Features
  13. Analysis on Any.Run
  14. Analysis on VirusTotal
  15. Research on NetWire RAT


In this article, we will dive into the de-obfuscation and analysis of a malicious script known as the VBS Loader. When executed, this script leads to the download and execution of the NetWire RAT (Remote Access Trojan). We will explore the steps involved, from decoding hexadecimal data to reflectively loading an assembly. We will also examine the features and behavior of the NetWire RAT, and analyze its detection on platforms like Any.Run and VirusTotal. By the end of this article, you will understand the threat posed by NetWire RAT and the techniques used to analyze and detect such malware.

The Big Fix Event by Snyk

Before we delve into the video, let's take a moment to discuss The Big Fix event by Snyk. Taking place in 2022, The Big Fix aims to address security vulnerabilities and make a significant impact on cybersecurity. Participants fix vulnerabilities in their projects and earn swag like free t-shirts, with the goal of enhancing security in the coming year. With 63,762 vulnerabilities already fixed, Snyk is hosting a 24-hour live stream on February 25th, where security experts provide support and educational sessions. Register for The Big Fix event through the link provided in the video description to get involved.

De-obfuscating the Malicious Code

In this section, we will de-obfuscate the VBS Loader code and gain a better understanding of its functionality. By analyzing the code step by step, we can unravel its purpose and uncover any hidden malicious activities. We will use tools like REMnux, a Linux distribution for reverse engineering malware, to navigate through the code and explore its inner workings. By renaming variables and cleaning up the code, we can make it more readable and comprehensible for analysis.

Exploring the VBS Loader Files

The VBS Loader consists of two files: "cod_2020n.vbs" and "dsfs_fdfs_blah_blah_blah.lnk". By examining these files, we can gain valuable insights into the nature of the malware. The ".vbs" file is the main script that will be executed when the user clicks on the shortcut file ".lnk". We will analyze the content of these files to understand the purpose and behavior of the malware.

Understanding the Visual Basic Script

The Visual Basic Script (.vbs) file contains the core code that is executed when the user interacts with the shortcut file. We will open the script in a text editor, such as Sublime Text, to analyze its structure and identify any potential malicious activities. We will also clean up the code by renaming variables and making it more readable for further analysis. This will enable us to understand the logic behind the script and its intended functionality.

Cleaning Up the Script for Better Analysis

To improve our analysis, we will clean up the Visual Basic Script by renaming variables and removing unnecessary code. This will make the script more readable and easier to analyze. We will also correct any naming inconsistencies and ensure that the code is properly formatted. By making these adjustments, we can focus on the critical aspects of the script and gain a clearer understanding of its purpose.

Analyzing the PowerShell Command

Within the Visual Basic Script, we encounter a PowerShell command, which appears to be obfuscated. We will decode and analyze this command to determine its intended functionality. By understanding the PowerShell syntax, we can identify any potentially malicious activities and gain insights into the overall behavior of the malware. We will also explore the use of format strings and placeholders within the PowerShell command to uncover any hidden functionalities.
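The format-string obfuscation mentioned above can be undone statically, without running the command. The following is an added example, not code from the video or the sample: the function names are hypothetical and the two obfuscated lines are constructed for illustration.

```python
import re

# ("{1}{0}" -f 'b','a') : a quoted format string, the -f operator,
# then a comma-separated list of single-quoted arguments.
FORMAT_EXPR = re.compile(
    r"""\(\s*["'](?P<fmt>[^"']*\{\d+\}[^"']*)["']\s*-f\s*"""
    r"""(?P<args>'[^']*'(?:\s*,\s*'[^']*')*)\s*\)""",
    re.IGNORECASE,
)
ARG = re.compile(r"'([^']*)'")
PLACEHOLDER = re.compile(r"\{(\d+)\}")


def resolve_once(text):
    """Replace each -f expression with the literal string it evaluates to."""
    def expand(match):
        args = ARG.findall(match.group("args"))

        def fill(placeholder):
            index = int(placeholder.group(1))
            # Leave out-of-range placeholders untouched instead of guessing.
            return args[index] if index < len(args) else placeholder.group(0)

        return "'" + PLACEHOLDER.sub(fill, match.group("fmt")) + "'"

    return FORMAT_EXPR.sub(expand, text)


def resolve_format_strings(text, max_passes=10):
    """Repeat until stable so nested -f expressions are resolved inside-out."""
    for _ in range(max_passes):
        resolved = resolve_once(text)
        if resolved == text:
            break
        text = resolved
    return text


# Constructed sample lines, not taken from the analyzed script.
SAMPLE = """$type = ("{2}{0}{1}" -f 'flection.As','sembly','System.Re')
$verb = ("{1}{0}" -f 'oad','L')"""

if __name__ == "__main__":
    print(resolve_format_strings(SAMPLE))
```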

Decoding Hexadecimal Data

The malware script includes hexadecimal data that is encoded and needs to be decoded for further analysis. By converting this data from hex to binary, we can reveal its true nature and gain insights into its purpose. We will use PowerShell to perform this conversion and analyze the decoded data to determine its significance in the overall execution of the malware.

Reflectively Loading the Assembly

After decoding the hexadecimal data, we discover that it is an executable file (.exe) that needs to be loaded dynamically. We will explore the process of reflectively loading this assembly using PowerShell. By dynamically loading the assembly, the malware can execute arbitrary code and perform malicious activities. We will analyze the loaded assembly to gain insights into its functionalities and understand its impact on the infected system.
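The hex decoding and the "is this a loadable assembly?" question from the two sections above can be answered statically on an analysis box such as REMnux. The following is an added example, not code from the video: the function names are hypothetical and the embedded header is constructed test data rather than the real payload. It decodes the longest hex run in a script and checks the MZ/PE signatures and the CLR data directory that marks a .NET assembly.

```python
import hashlib
import re
import struct

# A long run of hex byte pairs, as embedded in a loader script (64+ bytes).
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){64,}")
CLR_DIRECTORY = 14  # index of the CLR runtime header in the PE data directories


def triage_hex_blob(script_text):
    """Decode the longest hex run in a script and classify it without running it."""
    match = max(HEX_RUN.finditer(script_text), key=lambda m: len(m.group()), default=None)
    if match is None:
        return None
    data = bytes.fromhex(match.group())
    info = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "is_pe": False, "is_dotnet": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    opt = e_lfanew + 24  # optional header follows signature (4) + COFF header (20)
    if opt + 2 > len(data):
        return info
    # Data directories start at offset 96 (PE32) or 112 (PE32+) of the optional header.
    dir_offset = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", data, opt)[0])
    if dir_offset is None:
        return info
    entry = opt + dir_offset + CLR_DIRECTORY * 8
    if entry + 8 <= len(data):
        count = struct.unpack_from("<I", data, opt + dir_offset - 4)[0]
        rva, size = struct.unpack_from("<II", data, entry)
        info["is_dotnet"] = count > CLR_DIRECTORY and rva != 0 and size != 0
    return info


def build_sample_header(managed):
    """Constructed PE32 header bytes for the demo; not a runnable program."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY * 8, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    script = "$hex = '" + build_sample_header(True).hex().upper() + "'"
    print(triage_hex_blob(script))
```

The SHA-256 of the decoded bytes is what you would search for on VirusTotal, so the payload never needs to be executed or loaded to get a first classification.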

Persistence and Creating Shortcuts

The malware script contains code that enables persistence on the infected system. By creating shortcuts and modifying registry keys, the malware ensures that it is executed each time the system starts up. We will examine these sections of the script to understand the techniques employed for persistence. Additionally, we will analyze the role of the Windows Script Host in executing the malware and the significance of the created shortcuts.

Analyzing the NetWire RAT

With the malware execution underway, we turn our attention to the NetWire RAT. We will explore the features and capabilities of this Remote Access Trojan, including its ability to take control of infected computers and perform various actions. Unlike many other RATs, NetWire has cross-platform capabilities, targeting Windows, Linux, and Mac operating systems. We will analyze its behavior and potential impacts on infected systems.

Identifying NetWire's Features

NetWire RAT receives commands from a command and control (C2) server, allowing threat actors to control infected systems remotely. We will examine the communication mechanism between the RAT and the C2 server to understand how commands are transmitted and executed. Additionally, we will explore features such as keylogging and password theft, which enable the theft of sensitive information from infected systems.

Analysis on Any.Run

We will run the malware on the Any.Run platform to visualize its behavior and gain insights into its impact on a system. Any.Run provides an interactive environment for dynamic malware analysis. By observing the malware's activities and interactions with the system, we can gain a comprehensive understanding of its behavior and potential risks.

Analysis on VirusTotal

VirusTotal is a popular online malware scanning platform that allows us to analyze files and URLs for potential malware detection. We will upload the malware executable to VirusTotal and analyze the detection results from various antivirus engines. This will provide us with insights into the prevalence of the malware in existing security databases and help us understand its potential risk levels.

Research on NetWire RAT

To further enhance our understanding of NetWire RAT and its significance in the cybersecurity landscape, we will research external sources and refer to expert insights. We will explore research reports, news articles, and technical findings to gather valuable information about the RAT's history, common infection vectors, and recommended detection and mitigation strategies. By combining our analysis with external research, we can paint a comprehensive picture of NetWire RAT's impact on cybersecurity.


In this article, we have examined the de-obfuscation and analysis of the VBS Loader and explored the behavior and functionalities of the NetWire RAT. By analyzing the code, decoding hexadecimal data, and understanding the techniques used, we have gained valuable insights into the inner workings of this malware. We have also utilized platforms like Any.Run and VirusTotal to visualize and analyze the malware's behavior and assess its potential risks. By conducting thorough research and referring to external resources, we have expanded our understanding of NetWire RAT's impact on cybersecurity.
