MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7859fd95c60a0d76fa99eb42277501b20f76a377c1395b504acff5dd22533027. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adwind

Vendor detections: 10

SHA256 hash: 7859fd95c60a0d76fa99eb42277501b20f76a377c1395b504acff5dd22533027
SHA3-384 hash: 294a8e6c57076ca84d63dd05020bc6325fb32a078712222a2224943529078bad189503443a3958e338779d9850ac8764
SHA1 hash: 2cc6471245901e51565ad69df6b8586629965cf1
MD5 hash: 7e8133cf5f56adcfafb9bc91390c9fe7
humanhash: zebra-comet-hot-snake
File name: 12-09-2022 SİPARİŞ.docx
Signature: Adwind
File size: 258'604 bytes
First seen: 2022-09-12 11:43:07 UTC
Last seen: 2022-09-13 14:31:10 UTC
File type: Word file doc
MIME type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep: 6144:CsjU1vruW+UztmXtb2wDayQ7B4Y6/EcKbiCW:tjaumMXtb2w+yM4YhVWCW
TLSH: T109442358C8204D84D8654636A8A9B9F392EF9020B322C11B7F5CC6EDDF6272E47AE513
TrID:
  64.7% (.TMDX/TMVX) SoftMaker TextMaker text Document (84519/2/13)
  18.0% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
  13.4% (.ZIP) Open Packaging Conventions container (17500/1/4)
  3.0% (.ZIP) ZIP compressed archive (4000/1)
  0.7% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: @adrian__luca
Tags: Adwind doc

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document, obtained using oletools and oledump.

OLE dump
Sections: 5

The following OLE sections have been found using oledump:

Section ID    Section size    Section name
A1            72 bytes        CompObj
A2            20 bytes        Ole
A3            165046 bytes    Ole10Native
A4            6 bytes         ObjInfo

Intelligence


File Origin
# of uploads: 2
# of downloads: 1'936
Origin country: n/a

Mail intelligence
No data

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 12-09-2022 SİPARİŞ.docx
Verdict: Malicious activity
Analysis date: 2022-09-12 11:42:29 UTC
Tags: ole-embedded

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window

Result
Verdict: Malicious
File Type: OOXML Word File with Embedding Objects
Behaviour
SuspiciousEmbeddedObjects detected
Document image
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: banload
Label: Malicious
Suspicious Score: 8.5/10
Score Malicious: 85%
Score Benign: 15%
Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 80 / 100
Signature
Document contains OLE streams which likely are hidden ActiveX objects
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Yara detected AdWind RAT
Behaviour
Behavior Graph (ID: 701320; Sample: 12-09-2022 S#U0130PAR#U0130...; Startdate: 12/09/2022; Architecture: WINDOWS; Score: 80)
Top-level signatures:
  Document contains OLE streams which likely are hidden ActiveX objects
  Multi AV Scanner detection for submitted file
  Yara detected AdWind RAT
  Document exploit detected (process start blacklist hit)
Process tree:
  WINWORD.EXE (started)
    dropped file: C:\Users\user\AppData\Local\Temp\a0v2H8.jar (Zip)
    signature: Document exploit detected (creates forbidden files)
    javaw.exe (started)
      WMIC.exe (started, 4 instances)
    javaw.exe (started)
      WMIC.exe (started, 4 instances)
    signature (on the first WMIC.exe): Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Threat name: ByteCode-JAVA.Trojan.AdWind
Status: Malicious
First seen: 2022-09-12 06:51:34 UTC
File Type: Document
Extracted files: 31
AV detection: 13 of 26 (50.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 4/10
Tags: n/a
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | Adwind | Word file doc 7859fd95c60a0d76fa99eb42277501b20f76a377c1395b504acff5dd22533027 (this sample)

Delivery method: Distributed via e-mail attachment
