MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85214124920f091cb6a7c4ec3f7a3a1ee6fda2bca74024d27bf0195659d4e3c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adwind


Vendor detections: 8



SHA256 hash: 85214124920f091cb6a7c4ec3f7a3a1ee6fda2bca74024d27bf0195659d4e3c5
SHA3-384 hash: 5fd5c41334633c5f20cec16f6207d58819c6b6f6204625b7710083214b746807cf246c1da06954dcc9a8a0ae05249f8d
SHA1 hash: c73c502a0f2dddf1f7c609ecf799cb84e88c9538
MD5 hash: 9468e52b7db9abd87f4ad0ea4d6b7094
humanhash: floor-hamper-berlin-kansas
File name: lpo0803023.js
Signature: Adwind
File size: 967'545 bytes
First seen: 2023-03-08 21:05:10 UTC
Last seen: Never
File type: JavaScript (js)
MIME type: text/plain
ssdeep: 12288:NquDUbRxMdDpPwIVED6pqLooV6Ffpz9As6h1e1+CexLMEfvPFHF7Bp1VsdTSFRe0:NuRxMbPREDv0m6FfpZoh7C4LHvBHCcx1
TLSH: T11C25CF09F8481F59C9FC600990AB2F3FD2F6AA0A1131D85566F65F8FAB57E8C530A74C
Reporter: abuse_ch
Tags: Adwind, js

Intelligence


File Origin
# of uploads: 1
# of downloads: 269
Origin country: n/a

Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 50%
Tags: obfuscated
Result
Verdict: MALICIOUS

Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Creates autostart registry keys to launch java
Detected ADWIND Rat
Exploit detected, runtime environment starts unknown processes
Java source code contains strings found in CrossRAT
JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for submitted file
Potential malicious VBS/JS script found (suspicious encoded strings)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses regedit.exe to modify the Windows registry
Writes to foreign memory regions
Yara detected AdWind RATs dll
Behaviour
Behavior Graph (ID 822732; sample lpo0803023.js; start date 08/03/2023; architecture WINDOWS; score 100). The graph image did not survive extraction; its nodes and edges, with the original node numbers in brackets, are listed below.

Sample root
  DNS/IP: xazkib.camdvr.org
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; Detected ADWIND Rat; 6 other signatures
  Starts: wscript.exe [11], javaw.exe [15], javaw.exe [18]

wscript.exe [11]
  Drops: C:\Users\user\AppData\Roaming\qtjnizr.txt (Java)
  Signatures: JScript performs obfuscated calls to suspicious functions
  Starts: javaw.exe [20]

javaw.exe [15]
  DNS/IP: xazkib.camdvr.org
  Drops: C:\Users\...\Retrive7568482048614761694.vbs (ASCII); C:\Users\...\Retrive2459462292596666795.vbs (ASCII)
  Starts: java.exe [25], consent.exe [27]

javaw.exe [18]
  DNS/IP: xazkib.camdvr.org
  Drops: C:\Users\...\Retrive6592639191786243035.vbs (ASCII); C:\Users\...\Retrive6156476005368513483.vbs (ASCII)

javaw.exe [20]
  DNS/IP: 192.168.2.1 (unknown)
  Drops: C:\Users\user\...\UmrSRxROMmN.QRRzSw (Java); C:\Users\...\Retrive4001489023295218331.vbs (ASCII); C:\Users\...\Retrive2304560772774044193.vbs (ASCII)
  Signatures: Uses cmd line tools excessively to alter registry or file data
  Starts: xcopy.exe [29], javaw.exe [32], java.exe [36], 6 other processes [40]

java.exe [25]
  Drops: C:\Users\...\Retrive8468863172991035319.vbs (ASCII); C:\Users\...\Retrive4340955459586677967.vbs (ASCII)
  Starts: conhost.exe [38]

consent.exe [27]
  Signatures: Writes to foreign memory regions

xcopy.exe [29]
  Drops: C:\Users\user\AppData\Roaming\...\zip.dll (PE32); C:\Users\user\AppData\...\wsdetect.dll (PE32); C:\Users\user\AppData\...\w2k_lsa_auth.dll (PE32); 128 other files (82 malicious)
  Starts: conhost.exe [42]

javaw.exe [32]
  DNS/IP: xazkib.camdvr.org, 91.193.75.168, ports 49707, 49712, 49719 (DAVID_CRAIGGG, Serbia)
  Drops: C:\...\kvdYfNTTNh7215177882353398454.reg (ASCII); C:\Users\...\Retrive8108595737620083270.vbs (ASCII); C:\Users\...\Retrive1047417756417763109.vbs (ASCII)
  Signatures: Detected ADWIND Rat
  Starts: java.exe [44], cmd.exe [49], cmd.exe [51], 5 other processes [57]

java.exe [36]
  Drops: C:\Users\...\Retrive6680513315187098733.vbs (ASCII); C:\Users\...\Retrive1753462700138344683.vbs (ASCII)
  Starts: cmd.exe [53], cmd.exe [55], 2 other processes [59]

6 other processes [40]
  Signatures: Creates autostart registry keys to launch java; Uses regedit.exe to modify the Windows registry
  Starts: 8 other processes [61]

java.exe [44]
  DNS/IP: 127.0.0.1
  Drops: C:\Users\...\Retrive7832037962096610209.vbs (ASCII); C:\Users\...\Retrive7524128514574756631.vbs (ASCII)
  Signatures: Detected ADWIND Rat
  Starts: cmd.exe [63], cmd.exe [65], conhost.exe [67]

cmd.exe [49] starts 3 other processes [71]; cmd.exe [51] starts 2 other processes [73]; cmd.exe [53] starts 2 other processes [75]; cmd.exe [55] starts 2 other processes [77]; 5 other processes [57] start 5 other processes [79]; 2 other processes [59] start conhost.exe [69]

cmd.exe [63]
  Starts: conhost.exe [81], cscript.exe [83]

cmd.exe [65]
  Starts: conhost.exe [85], cscript.exe [87]
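The behaviour graph above gives the process tree and dropped files but no command lines, so the execution chain (script host launching Java, a Java-typed payload parked under AppData\Roaming as a .txt, xcopy.exe copying a runtime into the roaming profile, regedit.exe importing a .reg file, and cmd.exe spawning cscript.exe on Retrive*.vbs scripts) is what an analyst would turn into a detection. The following is an added example of such process-tree heuristics, not code from MalwareBazaar or the sandbox vendor. It runs over constructed Sysmon-style process-creation records that mirror the graph; every command line, the jre8 and jrecopy directory names, and the Temp path for the .reg and .vbs files are assumptions, since the page shows only image names and (partly truncated) dropped-file paths.

```python
"""Process-tree heuristics for the Adwind/jRAT dropper chain (added example).

Event records below are CONSTRUCTED to mirror the MalwareBazaar behaviour graph;
command lines and non-page directory names are assumptions, not observed data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / EDR shape)."""
    pid: int
    ppid: int
    image: str      # full image path, e.g. C:\Windows\System32\wscript.exe
    cmdline: str    # command line as logged


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_IMAGES = {"java.exe", "javaw.exe"}
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
JAR_ARG_RE = re.compile(r'-jar\s+"?([^"\s]+)', re.IGNORECASE)   # path passed to -jar
RETRIVE_RE = re.compile(r"Retrive\d+\.vbs", re.IGNORECASE)        # file names seen in the graph
REG_SILENT_RE = re.compile(r"(^|\s)/s(\s|$)", re.IGNORECASE)       # regedit.exe /s = silent import


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_java_ancestor(ev: ProcEvent, by_pid: dict, max_depth: int = 8) -> bool:
    """Walk the parent chain and report whether any ancestor is java.exe/javaw.exe."""
    cur = by_pid.get(ev.ppid)
    for _ in range(max_depth):
        if cur is None:
            return False
        if basename(cur.image) in JAVA_IMAGES:
            return True
        cur = by_pid.get(cur.ppid)
    return False


def find_adwind_chain(events):
    """Return (pid, tag) findings for each heuristic that fires on the event set."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # 1. script host launching Java: the wscript.exe -> javaw.exe edge in the graph
        if name in JAVA_IMAGES and pname in SCRIPT_HOSTS:
            findings.append((e.pid, "script_host_spawns_java"))
        # 2. Java run with -jar on a roaming-profile file whose extension is not .jar
        #    (the graph shows a Java-typed file dropped as qtjnizr.txt)
        m = JAR_ARG_RE.search(e.cmdline) if name in JAVA_IMAGES else None
        if m and ROAMING_RE.search(m.group(1)) and not m.group(1).lower().endswith(".jar"):
            findings.append((e.pid, "java_jar_masquerading_in_roaming"))
        # 3. Java child xcopy.exe writing into AppData\Roaming (128 files dropped in the graph)
        if name == "xcopy.exe" and pname in JAVA_IMAGES and ROAMING_RE.search(e.cmdline):
            findings.append((e.pid, "java_copies_files_to_roaming"))
        # 4. silent .reg import anywhere under a Java process (autostart key creation)
        if (name == "regedit.exe" and REG_SILENT_RE.search(e.cmdline)
                and ".reg" in e.cmdline.lower() and has_java_ancestor(e, by_pid)):
            findings.append((e.pid, "regedit_silent_import_under_java"))
        # 5. cmd.exe -> cscript.exe on a Retrive*.vbs script, still under a Java ancestor
        if (name == "cscript.exe" and pname == "cmd.exe" and RETRIVE_RE.search(e.cmdline)
                and has_java_ancestor(e, by_pid)):
            findings.append((e.pid, "cscript_retrive_vbs_under_java"))
    return findings


def verdict(events, threshold: int = 3):
    """Require several distinct heuristics before calling the chain, to limit single-signal noise."""
    kinds = sorted({tag for _, tag in find_adwind_chain(events)})
    return ("adwind_chain" if len(kinds) >= threshold else "no_match", kinds)


# Constructed telemetry mirroring the graph; pids reuse the graph's node numbers where they exist.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(11, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\user\Downloads\lpo0803023.js"'),
    ProcEvent(20, 11, r"C:\Program Files\Java\jre8\bin\javaw.exe", r'javaw.exe -jar "C:\Users\user\AppData\Roaming\qtjnizr.txt"'),
    ProcEvent(29, 20, r"C:\Windows\System32\xcopy.exe", r'xcopy.exe "C:\Program Files\Java\jre8" "C:\Users\user\AppData\Roaming\jrecopy" /E /I /Y'),
    ProcEvent(40, 20, r"C:\Windows\regedit.exe", r"regedit.exe /s C:\Users\user\AppData\Local\Temp\kvdYfNTTNh7215177882353398454.reg"),
    ProcEvent(32, 20, r"C:\Users\user\AppData\Roaming\jrecopy\bin\javaw.exe", r'javaw.exe -jar "C:\Users\user\AppData\Roaming\qtjnizr.txt"'),
    ProcEvent(63, 32, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c cscript.exe C:\Users\user\AppData\Local\Temp\Retrive8108595737620083270.vbs"),
    ProcEvent(83, 63, r"C:\Windows\System32\cscript.exe", r"cscript.exe C:\Users\user\AppData\Local\Temp\Retrive8108595737620083270.vbs"),
    # benign noise: a user launching a real .jar from the desktop via Explorer
    ProcEvent(200, 100, r"C:\Program Files\Java\jre8\bin\javaw.exe", r'javaw.exe -jar "C:\Users\user\Desktop\tool.jar"'),
]
BENIGN_EVENTS = [SAMPLE_EVENTS[0], SAMPLE_EVENTS[-1]]

if __name__ == "__main__":
    print(verdict(SAMPLE_EVENTS))
    print(verdict(BENIGN_EVENTS))
```

Each heuristic on its own is noisy (developers run jars, admins import .reg files), which is why the verdict requires several distinct ones from the same tree; the benign javaw.exe record is there to show that a legitimate -jar launch outside AppData\Roaming produces nothing.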
Result
Malware family:
Score: 10/10
Tags: family:adwind trojan
Behaviour:
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
AdWind
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments