netwire

# Copyright (c) 2014 Palo Alto Networks. All rights reserved.

The netwire decoder decrypts traffic generated by the NetWire Remote Administration Tool (RAT), also tracked as the NetWiredRC malware family. Traffic between the client and the server is encrypted with AES-256. The decoder derives the keys from the seed values carried in the traffic, then dumps the decrypted payloads along with the command information.
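As an added illustration, not Dshell's own netwire decoder and not NetWire's real wire format, the Go program below shows the shape of such a decoder: reassemble one direction of a TCP stream, take the seed from the first bytes, derive an AES-256 key from the seed and a password, decrypt each framed message with AES-CBC, validate the padding so that a wrong key is reported instead of being dumped as garbage, and map the command byte to a name. The framing, the SHA-256 key derivation, the `password` parameter, the command table and the sample traffic are all assumptions made for this example; the real derivation and command list are in the Palo Alto post and CIRCL report linked below. It is written in Go because the standard library supplies AES-CBC, so it runs with no extra packages.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Assumed wire format for this example only (NetWire's real framing and KDF are in
// the linked post): a 16-byte seed sent first in the clear, then frames of 4-byte
// big-endian length, 1-byte command, 16-byte IV and AES-256-CBC ciphertext (PKCS#7).

// deriveKey is a placeholder for the seed-based derivation the text refers to.
func deriveKey(seed []byte, password string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, seed...), password...))
	return sum[:] // 32 bytes, i.e. an AES-256 key
}

// Hypothetical command table; the real list is in the CIRCL report.
var commandNames = map[byte]string{0x01: "PING", 0x02: "SHELL", 0x03: "FILE_READ"}

type Message struct {
	Name    string // commandNames[cmd], "" for an unknown command byte
	Payload []byte
}

type Decoder struct {
	password string
	block    cipher.Block // nil until the seed has been seen
	buf      []byte       // received but not yet consumed
}

// Feed takes the next TCP segment and returns the frames it completes, whatever the segment boundaries.
func (d *Decoder) Feed(segment []byte) ([]Message, error) {
	d.buf = append(d.buf, segment...)
	if d.block == nil {
		if len(d.buf) < 16 {
			return nil, nil
		}
		d.block, _ = aes.NewCipher(deriveKey(d.buf[:16], d.password)) // 32-byte key: no error
		d.buf = d.buf[16:]
	}
	var out []Message
	for len(d.buf) >= 4 {
		n := int(binary.BigEndian.Uint32(d.buf[:4]))
		if n < 17+aes.BlockSize || (n-17)%aes.BlockSize != 0 {
			return out, errors.New("frame length is not command+IV+whole blocks")
		}
		if len(d.buf) < 4+n {
			break // wait for the rest of this frame
		}
		frame := d.buf[4 : 4+n]
		pt := make([]byte, n-17)
		cipher.NewCBCDecrypter(d.block, frame[1:17]).CryptBlocks(pt, frame[17:])
		pad := int(pt[len(pt)-1]) // bad padding means a wrong key or corrupt frame: report, don't dump
		if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
			return out, errors.New("bad PKCS#7 padding: wrong password/seed or corrupt frame")
		}
		out, d.buf = append(out, Message{Name: commandNames[frame[0]], Payload: pt[:len(pt)-pad]}), d.buf[4+n:]
	}
	return out, nil
}

// encryptFrame exists only to build the constructed sample traffic below.
func encryptFrame(key []byte, cmd byte, iv, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	frame := make([]byte, 4)
	binary.BigEndian.PutUint32(frame, uint32(17+len(ct)))
	return append(append(append(frame, cmd), iv...), ct...)
}

// SampleStream is constructed traffic: the seed, then two frames with fixed IVs.
func SampleStream(password string) []byte {
	seed := bytes.Repeat([]byte{0xA5}, 16)
	key := deriveKey(seed, password)
	s := append([]byte{}, seed...)
	s = append(s, encryptFrame(key, 0x02, bytes.Repeat([]byte{1}, 16), []byte("whoami"))...)
	return append(s, encryptFrame(key, 0x03, bytes.Repeat([]byte{2}, 16), []byte(`C:\Users\victim\secret.txt`))...)
}

// DecodeSample feeds the stream one byte at a time, the worst case for segmentation.
func DecodeSample(password string) ([]Message, error) {
	d := &Decoder{password: password}
	var msgs []Message
	for _, b := range SampleStream(password) {
		got, err := d.Feed([]byte{b})
		if err != nil {
			return msgs, err
		}
		msgs = append(msgs, got...)
	}
	return msgs, nil
}
```

`DecodeSample("Password")` yields the two constructed commands with their plaintext payloads. Feeding with the wrong password makes the padding check fail on the first frame, which is the behaviour you want from a traffic decoder: a wrong seed or password should surface as an error, not as plausible-looking binary in the dump.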

The supported input types are:

* TCP

For an overview of the communication protocol, see: http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/

Thanks to the circl.lu folks for the list of commands: http://www.circl.lu/pub/tr-23/