PUP.Wire VPN

By CagedTech in Potentially Unwanted Programs

Table of Contents

Analysis Report

General information

Family Name:	PUP.Wire VPN
Signature status:	Hash Mismatch

Known Samples

MD5: fa9ae2976de7c01e74a0c35982d4688d

SHA1: 4338b2849fff7b24a247115f24771401b4e63863

SHA256: F2522C24CB8305432E2D160525F9516FAEDB1B381675F4D05AD1CB524C5EE80F

File Size: 8.62 MB, 8624600 bytes

MD5: bbae36f39600ae44409e7b26c8117f0b

SHA1: 0980d794d50054d448ac6bf17cd91cb40b2e8cb7

SHA256: 8EBC5121ACF8A6F3371ECAB94961A67F8F6557B5EF8AB585D0729D396D9F4337

File Size: 3.64 MB, 3637208 bytes

MD5: c0fa8b762f7044cdadc7adf4dedca1b2

SHA1: af37f1b372a19c986864b4efd66e05c874297c29

SHA256: 52251865A0CFBA1152E9952BC4D3E089D12AEE1E74E4D60927E3E7D43EAD1478

File Size: 8.54 MB, 8539552 bytes

MD5: 0bc9f0d2828549a97363266f493dc471

SHA1: a2c641e1c166b9e6ce2b6b6c7fdd259397a318e6

SHA256: 540FA0ACADA5A94C4520A35A768A22DA990F242D48D41A61DE5CD9AD0BEF7577

File Size: 3.64 MB, 3637208 bytes

MD5: e2022cedcea9b5ea81764996732a9880

SHA1: 01ef636f9627a77ae11af9af88dd52106b163422

SHA256: B7A7013B951C3CEA178ECE3363E3DD06626B9B98EE27EBFD7C161D0BBCFBD894

File Size: 350.17 KB, 350168 bytes

MD5: ef7f2effb2d8975fd16b889f29910479

SHA1: 8c607cd8058b076bd3ad240a068f211d9b698c89

SHA256: EFC560C65D1F00B602792D4ED59894F004A94BCBCB9AF26765AC1BA1AEB9A2F0

File Size: 8.62 MB, 8624600 bytes

MD5: dc271bbe20f0dfb99e3c7b821aef690f

SHA1: e166dd400514f03f17a9e46ea72edc8c70a29bd8

SHA256: F9B58C0065DA39AF091943A62515A26A48C88BB9629C287F8E561ECD2320914E

File Size: 2.39 MB, 2391000 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have exports table
File has exports table
File has TLS information
File is 32-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed

IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Company Name	upWire
File Description	Wirevpn
File Version	3.6.0.1 1.0.1.2 1.0.0.6
Internal Name	Wirevpn
Legal Copyright	Copyright (C) 2011 upWire
Original Filename	Wirevpn.exe
Product Name	upWire Wirevpn
Product Version	3.6.0.3 3.6.0.1 1.0.1.2 1.0.0.6

Digital Signatures

Signer	Root	Status
JOZEAL NETWORK TECHNOLOGY CO., LIMITED	GlobalSign	Root Not Trusted
WEILAI NETWORK TECHNOLOGY CO., LIMITED	GlobalSign	Root Not Trusted
WEILAI NETWORK TECHNOLOGY CO., LIMITED	GlobalSign	Hash Mismatch

Block Information

Total Blocks:	4,288
Potentially Malicious Blocks:	296
Whitelisted Blocks:	3,962
Unknown Blocks:	30

Visual Map

0 0 0 0 x 0 0 0 0 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x 0 x x 0 x x x x x 0 x x x x x x x x x x x x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x 0 0 x x x x 0 x x 0 x x 0 x 0 x x x x x x x x x x x x x x x x x x x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x x 0 x 0 x x x x x x 0 0 0 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 x 0 x x x 0 x 0 0 x x x x x x x x x x x x x 0 0 0 0 x 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 x 0 x x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x 0 x x 0 0 0 0 0 x x 0 0 x x 0 0 x 0 x x 0 x 0 0 x x 0 0 x 0 x x x x x x x x 0 0 x x 0 0 0 0 0 0 0 0 x 0 0 x 0 x x x 0 x 0 x x 0 x x x x 0 x x x x 0 x 0 x x 0 x x x x x x x x 0 x x x x x x 0 0 0 x x x 0 0 x x x 0 0 x x x x x x x x x x 0 x 0 x 0 0 0 x x 0 x x x 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x x 0 x 0 x 0 0 0 0 0 x x x 0 0 0 0 0 0 0 0 x 0 0 0 x x x 0 0 x 0 x x x x x 0 0 x x x 0 x 0 0 x 0 x x 0 x 0 0 x x 0 x x x x x x x 0 x x x x 0 x 0 0 x 0 x x 0 x 0 x 0 x 0 0 x x 0 x x 0 0 0 x 0 0 x 0 0 0 0 x 0 0 0 0 0 x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 x 0 0 x x x x x 0 0 0 0 0 0 x 0 0 x 0 x x 0 x 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

... Data truncated

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

WireVPN.A

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtClose ntdll.dll!NtCreateFile ntdll.dll!NtCreateSection ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenProcessToken ntdll.dll!NtQueryAttributesFile Show More ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationToken ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtReadFile ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWriteFile
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	CreateProcess
Anti Debug	NtQuerySystemInformation
Network Winsock2	WSAStartup
Service Control	OpenSCManager OpenService StartServiceCtrlDispatcher
User Data Access	GetUserObjectInformation
Encryption Used	BCryptOpenAlgorithmProvider

Shell Command Execution


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0980d794d50054d448ac6bf17cd91cb40b2e8cb7_0003637208.,LiQMAxHB


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\a2c641e1c166b9e6ce2b6b6c7fdd259397a318e6_0003637208.,LiQMAxHB


							C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall delete rule name="upWire"


							C:\WINDOWS\system32\netsh.exe netsh  advfirewall firewall delete rule name="upWire"


							C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall add rule name="upWire" dir=out action=allow program="C:\Windows\SysWOW64\wire\upWire.exe"


									C:\WINDOWS\system32\netsh.exe netsh  advfirewall firewall add rule name="upWire" dir=out action=allow program="C:\Windows\SysWOW64\wire\upWire.exe"


									C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall add rule name="upWire" dir=in action=allow program="C:\Windows\SysWOW64\wire\upWire.exe"


									C:\WINDOWS\system32\netsh.exe netsh  advfirewall firewall add rule name="upWire" dir=in action=allow program="C:\Windows\SysWOW64\wire\upWire.exe"


									C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall delete rule name="wire"


									C:\WINDOWS\system32\netsh.exe netsh  advfirewall firewall delete rule name="wire"


									C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall add rule name="wire" dir=out action=allow program="C:\Windows\SysWOW64\wire\wire.exe"


									C:\WINDOWS\system32\netsh.exe netsh  advfirewall firewall add rule name="wire" dir=out action=allow program="C:\Windows\SysWOW64\wire\wire.exe"


									C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c netsh advfirewall firewall add rule name="wire" dir=in action=allow program="C:\Windows\SysWOW64\wire\wire.exe"


									C:\WINDOWS\system32\netsh.exe netsh  advfirewall firewall add rule name="wire" dir=in action=allow program="C:\Windows\SysWOW64\wire\wire.exe"

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

PUP.Wire VPN

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

Digital Signatures

Digital Signatures

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Backdoor.PSW.Agent.FWA

PUP.Video Search Tools Plus

PUP.Gamehack.GAIE

Most Viewed

Pornktube.porn

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen