Source: ytgzVtg25k.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown |
Source: ytgzVtg25k.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown |
Source: ytgzVtg25k.exe, type: SAMPLE |
Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth |
Source: ytgzVtg25k.exe, type: SAMPLE |
Matched rule: Detects unspecified malware sample Author: Florian Roth |
Source: ytgzVtg25k.exe, type: SAMPLE |
Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings |
Source: ytgzVtg25k.exe, type: SAMPLE |
Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_ |
Source: ytgzVtg25k.exe, type: SAMPLE |
Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group |
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown |
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown |
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth |
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects unspecified malware sample Author: Florian Roth |
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings |
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_ |
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group |
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown |
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown |
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth |
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects unspecified malware sample Author: Florian Roth |
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings |
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_ |
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown |
Source: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Detects unspecified malware sample Author: Florian Roth |
Source: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_ |
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown |
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Detects unspecified malware sample Author: Florian Roth |
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings |
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_ |
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000000.1644544695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown |
Source: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown |
Source: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Detects unspecified malware sample Author: Florian Roth |
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR |
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown |
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR |
Matched rule: Detects unspecified malware sample Author: Florian Roth |
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR |
Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings |
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR |
Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_ |
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR |
Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 70E80000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 71E50000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 73A90000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 77040000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 72E20000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 76860000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 73610000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 74A60000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 75550000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 73810000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 74C60000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 75100000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 752C0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 75750000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 76360000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 73910000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 75200000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 753C0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 75850000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 76460000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 765D0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 76C60000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 73990000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 758D0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 75AF0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 75B70000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 764E0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 76CE0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 76E20000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 76520000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\ytgzVtg25k.exe |
Memory allocated: 76650000 page read and write |
Jump to behavior |
Source: ytgzVtg25k.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23 |
Source: ytgzVtg25k.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23 |
Source: ytgzVtg25k.exe, type: SAMPLE |
Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: ytgzVtg25k.exe, type: SAMPLE |
Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: ytgzVtg25k.exe, type: SAMPLE |
Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire |
Source: ytgzVtg25k.exe, type: SAMPLE |
Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1 |
Source: ytgzVtg25k.exe, type: SAMPLE |
Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research |
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23 |
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23 |
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire |
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1 |
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research |
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23 |
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23 |
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire |
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1 |
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23 |
Source: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1 |
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23 |
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire |
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1 |
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000000.1644544695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23 |
Source: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23 |
Source: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR |
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23 |
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR |
Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR |
Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire |
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR |
Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1 |
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR |
Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.6.dr |
Binary or memory string: vmci.syshbin |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware, Inc. |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.6.dr |
Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.6.dr |
Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.6.dr |
Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.6.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.6.dr |
Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.6.dr |
Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: ytgzVtg25k.exe, 00000000.00000002.2061663525.00000000007BE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: Amcache.hve.6.dr |
Binary or memory string: vmci.sys |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 |
Source: Amcache.hve.6.dr |
Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.6.dr |
Binary or memory string: \driver\vmci,\driver\pci |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware20,1 |
Source: Amcache.hve.6.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.6.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.6.dr |
Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.6.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.6.dr |
Binary or memory string: vmci.inf_amd64_68ed49469341f563 |