BackDoor.Wirenet

Forum for analysis and discussion about malware.
Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

BackDoor.Wirenet

Post by Xylitol » Thu Aug 30, 2012 9:40 am

http://news.drweb.com/show/?i=2679&lng=en&c=14
Sample for Windows/GNU-Linux/Solaris/Mac OS X + Shellcodes in attach.
Small note, for Mac there is the Mach-O and the Application Bundle

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: BackDoor.Wirenet

Post by bsteo » Sat Dec 29, 2012 10:03 am

Isn't this one NetWire RAT? Seems like it.

maddog4012
Posts: 75
Joined: Mon Aug 04, 2014 6:53 pm

Netwire RAT

Post by maddog4012 » Fri Jan 29, 2016 9:11 pm

Here is a variant of Netwire I came across today. I have included the Word doc that is sent to the victim's e-mail. When the doc is opened it downloads Netwire.

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: BackDoor.Wirenet

Post by Xylitol » Fri Jan 29, 2016 11:36 pm

What's the password?
edit: virus

Doc file downloading

http://247financedeal.com/dbust.exe
https://www.virustotal.com/en/file/ae22 ... 454114939/
Win32/Spy.Weecnaw.A (ESET) ~ http://www.virusradar.com/en/Win32_Spy. ... escription

tWiCe
Posts: 49
Joined: Sat Jul 18, 2015 8:56 am

Re: BackDoor.Wirenet

Post by tWiCe » Sun Jan 31, 2016 7:12 am

Xylitol wrote:

http://247financedeal.com/dbust.exe
https://www.virustotal.com/en/file/ae22 ... 454114939/
Win32/Spy.Weecnaw.A (ESET) ~ http://www.virusradar.com/en/Win32_Spy. ... escription
ESET has the NetWeird name for OSX/Linux/Solaris samples, but for Windows they've picked another alias? It's strange..

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: BackDoor.Wirenet

Post by patriq » Wed Feb 03, 2016 5:59 pm

Another NetWire on the same server

hxtp://247financedeal.com/cbust.exe
https://www.virustotal.com/en/file/8e27 ... 444788304/

Xyl wrote about this
http://www.xylibox.com/2012/07/netwire- ... m-rat.html

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: Malware collection

Post by markusg » Thu Jun 29, 2017 2:19 am

SHA256:
69f61b266fbcdbfd90b23ce4087206488f509ae3a38f356ff64e4d241e02dfad
File name:
LICENS~1.EXE
Detection rate:
14 / 59
https://virustotal.com/de/file/69f61b26 ... 498699772/

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: Malware collection

Post by markusg » Thu Jun 29, 2017 7:47 am

markusg wrote:
SHA256:
69f61b266fbcdbfd90b23ce4087206488f509ae3a38f356ff64e4d241e02dfad
File name:
LICENS~1.EXE
Detection rate:
14 / 59
https://virustotal.com/de/file/69f61b26 ... 498699772/
Not able to edit post,
it's perhaps
TrojanSpy: Win32/Loyeetro.A

Antelox
Posts: 251
Joined: Sun Mar 21, 2010 10:38 pm

Re: Malware collection

Post by Antelox » Thu Jun 29, 2017 8:19 am

markusg wrote:
SHA256:
69f61b266fbcdbfd90b23ce4087206488f509ae3a38f356ff64e4d241e02dfad
File name:
LICENS~1.EXE
Detection rate:
14 / 59
https://virustotal.com/de/file/69f61b26 ... 498699772/
It's NetWire RAT.

C2s:
85.95.184.183:33360
xdem777.duckdns.org:20000
xdem777.linkpc.net:7777
In attachment the unpacked.

BR,

Antelox

ikolor
Posts: 319
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Sat Feb 03, 2018 4:42 pm

