MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adwind


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139
SHA3-384 hash: e5e8551e6735cd48cea742f596d7efb8ff583fb3136415d4d318c2c0c1ecf0acf1077885511b189e658f3ab97774c086
SHA1 hash: c9abc4dcf85b771ba80b03fb9a14cc26f3894dec
MD5 hash: 2f0fa28e3873af01baa196498b4b0cbf
humanhash: bravo-bluebird-kitten-paris
File name:D42926EB5339410141C90BAD9B9B0B3C5CC00FCF0E1A4.exe
Download: download sample
Signature Adwind
Create hunting rule
File size:4'591'104 bytes
First seen:2022-02-21 20:30:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6dcf25955d3bf0b0e381bffce3f1ff2a (1 x Adwind)
ssdeep 49152:uwyyq+0dGMCDxiM9wRGtqyXyhc7W//FRLevTHb/ALeazm+lu8ncN3CipRT:uwj
Threatray 7'719 similar samples on MalwareBazaar
TLSH T127260B565D5264DED75125B8B8A277C03FB05C1CFB8AC0622740F837BCAAC34E6A53B6
File icon (PE):PE icon
dhash icon 9d89cb8d8dcb899d (1 x Adwind)
Reporter abuse_ch
Tags:Adwind exe


Avatar
abuse_ch
Adwind C2:
http://molinolatebaida.com/basic-jquery-slider-8ffe118/js/lib/five/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://molinolatebaida.com/basic-jquery-slider-8ffe118/js/lib/five/fre.php https://threatfox.abuse.ch/ioc/390011/

Intelligence

File Origin
# of uploads :
1
# of downloads :
671
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Xtreme
Create hunting rule
Link:
https://www.capesandbox.com/analysis/243046/
Detection(s):
SecuriteInfo.com.Inject4.CJZX.6315.20223.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Enabling the 'hidden' option for recently created files
Creating a file in the Windows subdirectories
Launching a process
Creating a process with a hidden window
Setting a keyboard event handler
Running batch commands
DNS request
Using the Windows Management Instrumentation requests
Forced system process termination
Launching cmd.exe command interpreter
Moving a file to the %AppData% subdirectory
Creating a file
Searching for the window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Enabling autorun
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6896/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe fareit greyware keylogger lokibot remcos
Link:
https://www.filescan.io/uploads/6213f68da2660f3bb91e3134/reports/1ad6e7f7-7213-4ea4-a4a8-e9bafe76fc13/overview
Result
Verdict:
MALICIOUS
Malware family:
XtremeRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc6d827d-2ba8-4dcb-b68d-31b3f511ed12
Result
Threat name:
ADWIND Xtreme RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/943478
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected ADWIND Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Exploit detected, runtime environment starts unknown processes
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs Xtreme RAT
Java source code contains strings found in CrossRAT
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses process hollowing technique
Sigma detected: Adwind RAT / JRAT
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AdWind RATs dll
Yara detected Xtreme RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 575956 Sample: D42926EB5339410141C90BAD9B9... Startdate: 21/02/2022 Architecture: WINDOWS Score: 100 112 shigra.sytes.net 2->112 126 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->126 128 Malicious sample detected (through community Yara rule) 2->128 130 Antivirus detection for dropped file 2->130 132 17 other signatures 2->132 11 D42926EB5339410141C90BAD9B9B0B3C5CC00FCF0E1A4.exe 1 2 2->11         started        15 Skype.exe 2->15         started        17 Server.exe 2->17         started        signatures3 process4 file5 108 C:\Users\user\AppData\Roaming\...\Skype.exe, PE32 11->108 dropped 110 C:\Users\user\...\Skype.exe:Zone.Identifier, ASCII 11->110 dropped 142 Detected unpacking (changes PE section rights) 11->142 144 Detected unpacking (overwrites its own PE header) 11->144 146 Creates multiple autostart registry keys 11->146 148 Injects a PE file into a foreign processes 11->148 19 D42926EB5339410141C90BAD9B9B0B3C5CC00FCF0E1A4.exe 3 12 11->19         started        150 Antivirus detection for dropped file 15->150 152 Multi AV Scanner detection for dropped file 15->152 154 Machine Learning detection for dropped file 15->154 156 Sample uses process hollowing technique 15->156 22 chrome.exe 17->22         started        signatures6 process7 file8 84 C:\Users\user\AppData\Local\Temp\server.exe, PE32 19->84 dropped 24 server.exe 5 20 19->24         started        29 javaw.exe 24 19->29         started        process9 dnsIp10 114 shigra.sytes.net 24->114 98 C:\Windows\InstallDir\Server.exe, PE32 24->98 dropped 100 C:\Users\user\AppData\Local\...\424nxiz.exe, PE32 24->100 dropped 102 C:\Users\user\AppData\...\424nxiz.exe.exe, data 24->102 dropped 134 Antivirus detection for dropped file 24->134 136 Multi AV Scanner detection for dropped file 24->136 138 Found evasive API chain (may stop execution after checking mutex) 24->138 140 15 other signatures 24->140 31 svchost.exe 1 24->31         started        34 chrome.exe 24->34         started        36 explorer.exe 24->36         started        45 20 other processes 24->45 116 192.168.2.1 unknown unknown 29->116 104 C:\Users\...\Retrive349917766176395466.vbs, ASCII 29->104 dropped 106 C:\Users\...\Retrive3105476164396221922.vbs, ASCII 29->106 dropped 38 xcopy.exe 29->38         started        41 java.exe 13 29->41         started        43 cmd.exe 29->43         started        47 2 other processes 29->47 file11 signatures12 process13 file14 158 Contain functionality to detect virtual machines 31->158 160 Drops executables to the windows directory (C:\Windows) and starts them 31->160 49 Server.exe 31->49         started        86 C:\Users\user\AppData\Roaming\...\zip.dll, PE32 38->86 dropped 88 C:\Users\user\AppData\...\wsdetect.dll, PE32 38->88 dropped 90 C:\Users\user\AppData\...\w2k_lsa_auth.dll, PE32 38->90 dropped 96 128 other files (none is malicious) 38->96 dropped 92 C:\Users\...\Retrive6004009705945667357.vbs, ASCII 41->92 dropped 94 C:\Users\...\Retrive4397611998994422562.vbs, ASCII 41->94 dropped 52 cmd.exe 41->52         started        54 cmd.exe 41->54         started        56 conhost.exe 41->56         started        58 conhost.exe 43->58         started        60 cscript.exe 43->60         started        62 conhost.exe 47->62         started        64 conhost.exe 47->64         started        66 cscript.exe 47->66         started        signatures15 process16 signatures17 118 Found evasive API chain (may stop execution after checking mutex) 49->118 120 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 49->120 122 Contain functionality to detect virtual machines 49->122 124 Contains functionality to inject threads in other processes 49->124 68 chrome.exe 49->68         started        70 explorer.exe 49->70         started        72 chrome.exe 49->72         started        82 7 other processes 49->82 74 conhost.exe 52->74         started        76 cscript.exe 52->76         started        78 conhost.exe 54->78         started        80 cscript.exe 54->80         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2018-05-07 13:07:40 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
33 of 43 (76.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2qusn22thfaqcqojbowzxgylhromad6pbynem7lvgzy4kzzuge4q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
07cd5128e0d8dba2bf9917891e8e4d3685b58a09df51101a872ebf41a7043418
Adwind
0bb97dce40fb704d418bf56eaac0d0d8a62457920f57f20474d1b05a6e8bcf36
Adwind
1b81bb8eba4f537a34f2ca2ab55b98b28eda558e2ef11a3fcf2f167f4ef6b66c
Adwind
5a9be6ab91b206446ee357cb8cad8c2ec9fb0727e895b679886fd35bddc4ae9b
Adwind
7b3038c1373ca79b19dc5789778a1a0cf38d49a0fcda94d9288be6f648d9d269
Adwind
9f8d88733008dd5f32990c118fda0dc2ed6d9dde6ba86a911d9f1f03b64d243f
Adwind
a018379d343600dab5b728e46d2ee4e12d3853837fcf129d6831a57787d9d00c
Adwind
af504337b51f5fb5bcc3c779afc95bf5b167431660ebd8b71fcfdff1ec9e227a
Adwind
c121b14316a1f7976c4337f37c29acd3a1efeff592617736b1ae1e6d3bf04b09
Adwind
c8b1cce5ae65d68b7ca2a419b1499d7bec6e4e3d1e04d3e3f040eeaeb6080146
Adwind
+ 7'709 additional samples on MalwareBazaar
Result
Malware family:
xtremerat
Create hunting rule
Score:
  10/10
Tags:
family:adwind family:lokibot family:xtremerat collection persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/220221-zaqdyabhek/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
AdWind
Detect XtremeRAT Payload
Lokibot
XtremeRAT
Malware Config
C2 Extraction:
http://molinolatebaida.com/basic-jquery-slider-8ffe118/js/lib/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
5cf01992e4a2dc36d8608046c0cc7e85ae082e8a9762dc92ef134d6b7f07e226
MD5 hash:
b5d61fd1f13fc2dd72479742784cecb7
SHA1 hash:
0a3691e1aa156ea6f2dd08ed7c72c1fe912c675d
Detections:
win_extreme_rat_w0
Create hunting rule
win_extreme_rat_auto
Create hunting rule
Link:
https://www.unpac.me/results/81421c4a-acf0-4628-b6a6-b1301d251d78/
SH256 hash:
0371ce58cb60e376e0ffd2e294157b4ce1fc25b4ebac624455a9b02c491c47d8
MD5 hash:
917f186504203f8cff0989cac0ed7be8
SHA1 hash:
8991400e75d97d0fa0eab8fb97633a2ee60724df
Link:
https://www.unpac.me/results/81421c4a-acf0-4628-b6a6-b1301d251d78/
SH256 hash:
364a4d1ccfe32b0234553bf0f628d30a76c4ec6ba91767ea83a58e9c97369ca5
MD5 hash:
13aa520ca41990b17685426c859642bf
SHA1 hash:
de0f5949f9978ccf97424fcf965d7c4455bbdfa6
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/81421c4a-acf0-4628-b6a6-b1301d251d78/
SH256 hash:
d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139
MD5 hash:
2f0fa28e3873af01baa196498b4b0cbf
SHA1 hash:
c9abc4dcf85b771ba80b03fb9a14cc26f3894dec
Link:
https://www.unpac.me/results/81421c4a-acf0-4628-b6a6-b1301d251d78/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Xtreme RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d42926eb5339410141c90bad9b9b0b3c5cc00fcf0e1a467d753671c567343139

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/243046/

Comments