MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a018379d343600dab5b728e46d2ee4e12d3853837fcf129d6831a57787d9d00c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adwind


Vendor detections: 11



SHA256 hash: a018379d343600dab5b728e46d2ee4e12d3853837fcf129d6831a57787d9d00c
SHA3-384 hash: c8ba22528c209a57cac944bf6af14308d47c1e19dba8d1228d8311166777284c1f4c77032e0e00b9fa9eea40d4b9b98a
SHA1 hash: c332abb4701fc5d0c68e24046f84950177f54292
MD5 hash: 9dd7ab6e9e579cdbaae872d5762e4cf5
humanhash: skylark-mexico-wyoming-arkansas
File name: A018379D343600DAB5B728E46D2EE4E12D3853837FCF1.exe
Signature: Adwind
File size: 1'767'851 bytes
First seen: 2021-05-28 19:45:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3c98c11017e670673be70ad841ea9c37 (5 x HawkEye, 5 x NanoCore, 4 x Plugx)
ssdeep: 24576:D2O/Gl9GWh/OM4YS+/uukBzEIhK6G9vjSfjmfw0KBUcdDB8JRgLUzTAkk8QIW3yN:e7sSuukB/8j+YoKRk8tKUXf
Threatray: 50 similar samples on MalwareBazaar
TLSH: FD8533223384D63AD2A324345EBF3B99F83BFC795537D505D325161FFA682825C262E2
Reporter: abuse_ch
Tags: Adwind exe


abuse_ch
Adwind C2:
http://knmedia.co.kr/wp-includes/images/app/five/fre.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://knmedia.co.kr/wp-includes/images/app/five/fre.php | https://threatfox.abuse.ch/ioc/66356/

Intelligence


File Origin
# of uploads: 1
# of downloads: 1'135
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: A018379D343600DAB5B728E46D2EE4E12D3853837FCF1.exe
Verdict: Malicious activity
Analysis date: 2021-05-28 20:46:20 UTC
Tags: autoit adwind trojan lokibot stealer opendir

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Delayed reading of the file
Creating a process from a recently created file
Sending a UDP request
Enabling the 'hidden' option for files in the %temp% directory
Creating a file
Launching the default Windows debugger (dwwin.exe)
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: ADWIND Lokibot Xtreme RAT
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Detected ADWIND Rat
Drops executables to the windows directory (C:\Windows) and starts them
Exploit detected, runtime environment starts unknown processes
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Installs Xtreme RAT
Java source code contains strings found in CrossRAT
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected aPLib compressed binary
Yara detected Lokibot
Yara detected Xtreme RAT
Behaviour
Behavior Graph (ID 426529; sample A018379D343600DAB5B728E46D2...; start date 28/05/2021; architecture WINDOWS; score 100)

Top-level network: jasoiuuydealoo.zapto.org
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures

Process tree (child processes indented under their parent; dropped files, network contacts and per-process signatures listed with each node):

A018379D343600DAB5B728E46D2EE4E12D3853837FCF1.exe
  dropped: C:\Users\user\AppData\Local\Temp\...\wfx.exe (PE32)
  wfx.exe
    wfx.exe
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign processes
      RegSvcs.exe
        dropped: C:\Users\user\AppData\Local\Temp\server.exe (PE32)
        server.exe
          network: 192.168.2.1
          dropped: C:\Windows\InstallDir\Server.exe (PE32); C:\Users\user\AppData\Local\Temp\854ghh.exe (PE32); C:\Users\user\AppData\...\854ghh.exe.exe (data)
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; 11 other signatures
          854ghh.exe
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
            854ghh.exe
              network: knmedia.co.kr 145.14.144.210 (ports 49751, 49752, 80; AWEXUS, Netherlands); 145.14.145.84 (ports 49753, 49754, 80; AWEXUS, Netherlands)
              signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
          explorer.exe
            network: jasoiuuydealoo.zapto.org
            signatures: System process connects to network (likely due to code injection or exploit); Contain functionality to detect virtual machines; Installs Xtreme RAT; Installs a global keyboard hook
          svchost.exe
          iexplore.exe
        javaw.exe
          dropped: C:\Users\...\Retrive8397741510044813270.vbs (ASCII); C:\Users\...\Retrive6118030863391974108.vbs (ASCII)
          xcopy.exe
            dropped: C:\Users\user\AppData\Roaming\...\zip.dll (PE32); C:\Users\user\AppData\...\wsdetect.dll (PE32); C:\Users\user\AppData\...\w2k_lsa_auth.dll (PE32); 128 other files (none is malicious)
            conhost.exe
          java.exe
            network: 127.0.0.1
            dropped: C:\Users\...\Retrive7539972341724097656.vbs (ASCII); C:\Users\...\Retrive5329695834396308925.vbs (ASCII)
            cmd.exe
              conhost.exe
              cscript.exe
            cmd.exe
              conhost.exe
              cscript.exe
            cmd.exe
              conhost.exe
            conhost.exe
          cmd.exe
            2 other processes
          2 other processes
            conhost.exe
            2 other processes
wfx.exe (second instance started at top level)
  wfx.exe
    dropped: C:\Users\user\AppData\Local\...\RegSvcs.exe (PE32)
    signatures: Sample uses process hollowing technique; Injects a PE file into a foreign processes
Server.exe (started at top level)
Threat name: Win32.Backdoor.XtremeRAT
Status: Malicious
First seen: 2018-11-15 21:54:34 UTC
File Type: PE (Exe)
Extracted files: 76
AV detection: 24 of 29 (82.76%)
Threat level: 5/5

Result
Malware family: nanocore
Score: 10/10
Tags: family:adwind family:lokibot family:nanocore evasion keylogger persistence spyware stealer trojan upx
Behaviour
Kills process with taskkill
Modifies registry key
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Disables Task Manager via registry modification
Disables use of System Restore points
Executes dropped EXE
Modifies Installed Components in the registry
Sets file execution options in registry
UPX packed file
AdWind
Lokibot
NanoCore
UAC bypass
Malware Config
C2 Extraction:
http://knmedia.co.kr/wp-includes/images/app/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox product IDs
Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: RAT_Xtreme
Author: Kevin Breen <kevin@techanarchy.net>
Description: Detects Xtreme RAT
Reference: http://malwareconfig.com/stats/Xtreme

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: VMware_detection_bin_mem
Author: James_inthe_box
Description: VMWare detection

Rule name: win_extreme_rat_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_extreme_rat_w0
Author: Jean-Philippe Teissier / @Jipe_
Description: Xtrem RAT v3.5

Rule name: Xtreme_Sep17_1
Author: Florian Roth
Description: Detects XTREME sample analyzed in September 2017
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments