MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0c19fb043afddb209e0a9fa6dc031946c6b7e38f16abba430125009744fd966. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adwind
Vendor detections: 12

SHA256 hash: b0c19fb043afddb209e0a9fa6dc031946c6b7e38f16abba430125009744fd966
SHA3-384 hash: 84f2ea33154aca00146c60245416553aabeded1dd6876f7ce4f27c5c248b799162278b081a11be248c0e4d1755c84054
SHA1 hash: f22b21a49c6970ff49311db887caf84f5aeb6c68
MD5 hash: 7fa312580c3c018d76dd7ccb90fe8824
humanhash: texas-potato-sierra-zulu
File name: NEW ORDER.jar
Signature: Adwind
File size: 646'417 bytes
First seen: 2026-02-18 09:05:11 UTC
Last seen: Never
File type: Java file jar
MIME type: application/zip
ssdeep: 12288:2c87rMhXetL36sWny/UN2sTfMpjOR3FEi0TtKmWYPg6YrRHKFdPccNL:B87rKXetL36bMi0paERpWipYrkFdka
TLSH: T134D423EEE7AD3EEAB768795210933BB1D7EB0AC80E3C12D2981DA519E6F53300F54500
TrID: 77.1% (.JAR) Java Archive (13500/1/2); 22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika: zip
Reporter: abuse_ch
Tags: Adwind jar
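Before detonating a sample downloaded from this entry, a practitioner would confirm the hashes above match the bytes on disk, check that the file really is a ZIP container (a .jar is a ZIP archive, which is why MIME type says application/zip), read the manifest's Main-Class, and list any non-Java entries bundled in the archive. The following Python is an added example, not MalwareBazaar code: it performs that static triage on a small JAR constructed in memory for demonstration (so its hashes will not match the entry), and it compares computed digests against the SHA256/SHA1/MD5 values listed on this page.

```python
"""Static triage of a JAR sample: hashes, container check, manifest, embedded scripts.

Added example (not MalwareBazaar code). build_constructed_jar() produces a
demonstration archive, NOT the sample from this entry, so its digests differ
from PAGE_HASHES; the verification step is expected to report a mismatch.
"""
import hashlib
import io
import zipfile

# Digests listed on this MalwareBazaar entry for b0c19fb0...fd966 (NEW ORDER.jar).
PAGE_HASHES = {
    "sha256": "b0c19fb043afddb209e0a9fa6dc031946c6b7e38f16abba430125009744fd966",
    "sha1": "f22b21a49c6970ff49311db887caf84f5aeb6c68",
    "md5": "7fa312580c3c018d76dd7ccb90fe8824",
}

# Entry types that a legitimate Java archive has no reason to carry.
SCRIPT_EXTENSIONS = (".js", ".vbs", ".vbe", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".reg", ".exe", ".dll")


def file_hashes(data: bytes) -> dict:
    """Return the digest types MalwareBazaar lists for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def verify_against_entry(data: bytes, expected: dict) -> dict:
    """Map each expected digest name to True/False depending on whether the bytes match."""
    actual = file_hashes(data)
    return {name: actual[name] == value.lower() for name, value in expected.items()}


def is_zip_container(data: bytes) -> bool:
    """A .jar starts with the ZIP local-file-header magic 'PK\\x03\\x04'."""
    return data[:4] == b"PK\x03\x04"


def parse_manifest(text: str) -> dict:
    """Parse the main section of META-INF/MANIFEST.MF (Key: Value; continuation lines start with a space)."""
    attrs, last_key = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if line.startswith(" ") and last_key:
            attrs[last_key] += line[1:]
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def triage_jar(data: bytes) -> dict:
    """Hash the bytes, confirm the container, pull Main-Class and flag embedded scripts/binaries."""
    report = {"hashes": file_hashes(data), "is_zip": is_zip_container(data),
              "main_class": None, "entries": [], "suspicious_entries": [], "error": None}
    if not report["is_zip"]:
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            report["entries"] = zf.namelist()
            if "META-INF/MANIFEST.MF" in report["entries"]:
                manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
                report["main_class"] = manifest.get("Main-Class")
            report["suspicious_entries"] = [n for n in report["entries"] if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile as exc:  # right magic, but not a parseable archive
        report["error"] = str(exc)
    return report


def build_constructed_jar() -> bytes:
    """Build a small JAR in memory that mimics a dropper layout (constructed, not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in [
            ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n"),
            ("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28),  # class-file magic plus filler
            ("resources/payload.js", b"var s = WScript.CreateObject('WScript.Shell');"),
        ]:
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))  # fixed timestamp keeps hashes stable
            zf.writestr(info, payload, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_constructed_jar()
    print(triage_jar(sample))
    print("matches page hashes:", verify_against_entry(sample, PAGE_HASHES))
```

To use it on the real download, replace build_constructed_jar() with the file's bytes; every value in verify_against_entry() should then be True before the sample goes anywhere near a detonation host.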


abuse_ch
Adwind C2:
158.94.209.22:35541

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox reference
158.94.209.22:35541 | https://threatfox.abuse.ch/ioc/1750328/
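The IOC above is a socket (IP and port), so a retro-hunt should match on the responder endpoint rather than on the bare address, while still allowing a bare-IP indicator to match any port. The Python below is an added example, not ThreatFox or MalwareBazaar code: it sweeps a Zeek conn.log excerpt that is constructed for illustration (only the indicator value comes from this page) and returns the connections whose destination matches.

```python
"""Sweep Zeek conn.log records for the C2 indicator in the IOC table above.

Added example (not MalwareBazaar/ThreatFox code). CONN_LOG is a constructed
excerpt; the IOC value is the only thing taken from the page.
"""
import ipaddress

IOCS = ["158.94.209.22:35541"]  # from the ThreatFox-referenced IOC table above

# Constructed Zeek conn.log excerpt: tab-separated, with the #fields header Zeek writes.
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state",
    "1771405511.104\tCx1\t10.0.0.15\t49812\t158.94.209.22\t35541\ttcp\t-\tSF",
    "1771405512.871\tCx2\t10.0.0.15\t49813\t93.184.216.34\t443\ttcp\tssl\tSF",
    "1771405530.002\tCx3\t10.0.0.22\t51000\t158.94.209.22\t443\ttcp\t-\tS0",
])


def parse_iocs(iocs):
    """Normalise indicators to (ip, port); port None means 'any port'. Accepts v4, v6 and [v6]:port."""
    parsed = set()
    for ioc in iocs:
        try:
            parsed.add((str(ipaddress.ip_address(ioc)), None))  # bare address
            continue
        except ValueError:
            pass
        host, _, port = ioc.rpartition(":")
        parsed.add((str(ipaddress.ip_address(host.strip("[]"))), int(port)))
    return parsed


def parse_zeek_tsv(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def match_c2(text, iocs):
    """Return records whose responder (destination) endpoint matches an indicator."""
    wanted = parse_iocs(iocs)
    hits = []
    for rec in parse_zeek_tsv(text):
        resp_h, resp_p = rec["id.resp_h"], int(rec["id.resp_p"])
        for ip, port in wanted:
            if resp_h == ip and (port is None or resp_p == port):
                hits.append({"uid": rec["uid"], "orig_h": rec["id.orig_h"],
                             "resp": f"{resp_h}:{resp_p}",
                             "ioc": ip if port is None else f"{ip}:{port}"})
    return hits


if __name__ == "__main__":
    for hit in match_c2(CONN_LOG, IOCS):
        print(hit)
```

Matching is deliberately responder-only: the compromised host is the originator, and the C2 is the destination, so an indicator that happens to equal an internal originator address produces no hit. Widening the indicator to the bare address (158.94.209.22) also returns the port-443 connection in the excerpt, which is the trade-off between a socket-precise IOC and catching a C2 that moves ports.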

Intelligence


File Origin
# of uploads: 1
# of downloads: 71
Origin country: NL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: NEW ORDER.jar
Verdict: No threats detected
Analysis date: 2026-02-18 09:06:39 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: obfusc shell sage

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm banload evasive exploit jrat masquerade nemucod obfuscated rat

Verdict: Malicious
File Type: jar
Detections: HackTool.VBS.Agent.c, Backdoor.Java.QRat.sb, Backdoor.Java.Adwind.sb, Trojan.Java.Agent.qh, Trojan.Java.Agent.qf, HEUR:Trojan.Java.Agent.gen, Backdoor.Win64.Agent.ky, HEUR:Backdoor.Java.Generic, Trojan-Spy.Win32.Agent.derv, Trojan-Dropper.Java.Agent.sb, HEUR:Trojan-Dropper.Java.Agent.gen, HackTool.VBS.Agent.d, Backdoor.Java.JRat.m, HEUR:Trojan-Downloader.Script.Generic, HEUR:Trojan.Script.Generic, Exploit.Java.Agent.os, Backdoor.Java.Adwind.er, Backdoor.Java.Adwind.cu, Trojan-Dropper.JS.SDrop.sb, Trojan.WinREG.Small.g, HEUR:Trojan-Dropper.Script.Generic

Result
Threat name:
Detection: malicious
Classification: phis.troj.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a Image File Execution Options (IFEO) Debugger entry
Creates an undocumented autostart registry key
Detected ADWIND Rat
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Disables Windows system restore
Disables zone checking for all users
Excessive usage of taskkill to terminate processes
Exploit detected, runtime environment starts unknown processes
Java source code contains strings found in CrossRAT
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Adwind RAT / JRAT File Artifact
Sigma detected: Potential Attachment Manager Settings Associations Tamper
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Processes Spawned by Java.EXE
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses regedit.exe to modify the Windows registry
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Yara detected AdWind RAT
Yara detected AdWind RATs dll
Behaviour
Behavior Graph (ID 1870975; sample NEW ORDER.jar; start date 18/02/2026; architecture WINDOWS; score 100):

NEW ORDER.jar (start)
  signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 13 other signatures
  -> cmd.exe
       signature: Uses regedit.exe to modify the Windows registry
       -> java.exe
            dropped: C:\Users\user\jettgmwxfv.js (ASCII)
            -> wscript.exe
                 signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage); WScript reads language and country specific registry keys (likely country aware script)
                 -> javaw.exe
                      network: 158.94.209.22:35541 (JANET Jisc Services Limited GB, United Kingdom)
                      dropped: C:\...\dMWUuMPGev9008027998911957226.reg (ASCII); C:\Users\...\Retrive789208328929923937.vbs (ASCII); C:\Users\...\Retrive3370019354523850515.vbs (ASCII)
                      signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Excessive usage of taskkill to terminate processes
                      -> xcopy.exe
                           dropped: C:\Users\user\AppData\Roaming\...\zip.dll (PE32); C:\Users\user\AppData\...\wsdetect.dll (PE32); C:\Users\user\AppData\...\w2k_lsa_auth.dll (PE32); 132 other malicious files
                           -> conhost.exe
                      -> cmd.exe
                           -> regedit.exe
                                signatures: Creates an undocumented autostart registry key; Disables zone checking for all users; Creates a Image File Execution Options (IFEO) Debugger entry; 3 other signatures
                           -> conhost.exe
                      -> java.exe
                           dropped: C:\Users\...\Retrive4668248654693783326.vbs (ASCII); C:\Users\...\Retrive2255085423441386251.vbs (ASCII)
                           -> cmd.exe -> conhost.exe, cscript.exe
                           -> cmd.exe -> conhost.exe, cscript.exe
                           -> xcopy.exe -> conhost.exe
                           -> conhost.exe
                      -> 23 other processes
                           -> cscript.exe
                           -> 24 other processes
       -> conhost.exe
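Several of the Sigma and sandbox signatures listed above (Suspicious Processes Spawned by Java.EXE, Script Interpreter Execution From Suspicious Folder, Uses regedit.exe to modify the Windows registry, Excessive usage of taskkill) reduce to conditions on process-creation telemetry: which image spawned which, from what path, with what arguments. The Python below is an added example, not Sigma or sandbox code: it applies those conditions to constructed Sysmon-style process-creation events that follow the chain in the behavior graph (cmd.exe -> java.exe -> wscript.exe -> javaw.exe -> xcopy.exe / cmd.exe -> regedit.exe / taskkill.exe). The PIDs, the stage-two .jar name and the .reg path are invented for the demonstration; only the jettgmwxfv.js drop path is taken from the report.

```python
"""Process-tree detections mirroring the Sigma/sandbox hits in the report above.

Added example (not Sigma or sandbox code). constructed_events() fabricates
Sysmon Event ID 1 style records following the reported chain; PIDs, the
stage-two .jar name and the .reg path are invented, jettgmwxfv.js is from the report.
"""
import ntpath
import re
from collections import Counter

JAVA_IMAGES = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Children a Java application has no normal reason to spawn.
SUSPICIOUS_JAVA_CHILDREN = {"cmd.exe", "wscript.exe", "cscript.exe", "regedit.exe",
                            "xcopy.exe", "taskkill.exe", "powershell.exe", "reg.exe"}
# Script launched from a user profile / temp location rather than an admin-controlled path.
SUSPICIOUS_SCRIPT_DIRS = re.compile(r"(?i)\\(?:temp|appdata|users\\[^\\]+)\\")
TASKKILL_THRESHOLD = 5  # taskkill.exe children under one parent before it counts as "excessive"


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, pid, detail) findings for a list of process-creation events."""
    findings = []
    taskkill_per_parent = Counter()
    for ev in events:
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        cmd = ev.get("CommandLine", "")

        # Sigma: Suspicious Processes Spawned by Java.EXE
        if parent in JAVA_IMAGES and image in SUSPICIOUS_JAVA_CHILDREN:
            findings.append(("java_spawns_suspicious_child", ev["ProcessId"], f"{parent} -> {image}"))

        # Sigma: Script Interpreter Execution From Suspicious Folder / Suspicious Script Execution From Temp Folder
        if image in SCRIPT_HOSTS and SUSPICIOUS_SCRIPT_DIRS.search(cmd):
            findings.append(("script_host_from_user_path", ev["ProcessId"], cmd))

        # Sandbox: Uses regedit.exe to modify the Windows registry (silent import of a dropped .reg)
        if image == "regedit.exe" and re.search(r"(?i)/s\b.*\.reg", cmd):
            findings.append(("regedit_silent_import", ev["ProcessId"], cmd))

        if image == "taskkill.exe":
            taskkill_per_parent[ev["ParentProcessId"]] += 1

    # Sandbox: Excessive usage of taskkill to terminate processes (aggregate per parent)
    for ppid, count in taskkill_per_parent.items():
        if count >= TASKKILL_THRESHOLD:
            findings.append(("excessive_taskkill", ppid, f"{count} taskkill.exe children"))
    return findings


def constructed_events():
    """Fabricated events following the reported chain, plus one benign control record."""
    def ev(pid, ppid, image, parent, cmd):
        return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
                "ParentImage": parent, "CommandLine": cmd}
    sys32 = r"C:\Windows\System32"
    jre = r"C:\Program Files\Java\jre\bin"
    events = [
        ev(1100, 900, f"{sys32}\\cmd.exe", r"C:\Windows\explorer.exe", 'cmd.exe /c java -jar "C:\\Users\\user\\Desktop\\NEW ORDER.jar"'),
        ev(1200, 1100, f"{jre}\\java.exe", f"{sys32}\\cmd.exe", 'java -jar "C:\\Users\\user\\Desktop\\NEW ORDER.jar"'),
        ev(1300, 1200, f"{sys32}\\wscript.exe", f"{jre}\\java.exe", r"wscript.exe C:\Users\user\jettgmwxfv.js"),
        ev(1400, 1300, f"{jre}\\javaw.exe", f"{sys32}\\wscript.exe", r"javaw.exe -jar C:\Users\user\AppData\Roaming\stage2.jar"),  # invented name
        ev(1500, 1400, f"{sys32}\\xcopy.exe", f"{jre}\\javaw.exe", "xcopy /E /Y src dst"),
        ev(1600, 1400, f"{sys32}\\cmd.exe", f"{jre}\\javaw.exe", r"cmd.exe /c regedit /s C:\Users\user\AppData\Local\Temp\drop.reg"),
        ev(1700, 1600, f"{sys32}\\regedit.exe", f"{sys32}\\cmd.exe", r"regedit /s C:\Users\user\AppData\Local\Temp\drop.reg"),  # invented path
    ]
    for i in range(6):  # burst of taskkill children under javaw.exe
        events.append(ev(1800 + i, 1400, f"{sys32}\\taskkill.exe", f"{jre}\\javaw.exe", f"taskkill /IM tool{i}.exe /F"))
    # Benign control: a system-path script run by svchost.exe must not fire anything.
    events.append(ev(2000, 800, f"{sys32}\\cscript.exe", f"{sys32}\\svchost.exe", r"cscript.exe C:\Windows\System32\gatherNetworkInfo.vbs"))
    return events


if __name__ == "__main__":
    for finding in detect(constructed_events()):
        print(finding)
```

The per-event rules fire on the first wscript.exe launch from the user profile, on every interpreter or utility that java.exe/javaw.exe spawns, and on the silent .reg import; the taskkill rule is the one that needs aggregation across events keyed on the parent, which is also why it cannot be expressed as a single-event Sigma rule.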
Threat name: Script-JS.Trojan.Acsogenixx
Status: Malicious
First seen: 2026-02-18 08:52:24 UTC
AV detection: 16 of 38 (42.11%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:adwind defense_evasion execution persistence trojan
Behaviour
Kills process with taskkill
Runs .reg file with regedit
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Drops file in System32 directory
Checks computer location settings
Loads dropped DLL
Disables use of System Restore points
Event Triggered Execution: Image File Execution Options Injection
AdWind
Adwind family
UAC bypass
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_STRRAT_javascripts_Malware
Author: daniyyell
Description: Detects obfuscated JavaScript code indicative of STRRAT malware.

Rule name: QBOT_HTMLSmuggling_a
Author: Ankit Anubhav - ankitanubhav.info
Description: Detects QBOT HTML smuggling variants

Rule name: telebot_framework
Author: vietdx.mb

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments