adwind

General

Target

2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35
Size

1.6MB
Sample

220622-klvqgaefa4
MD5

de415a476603c5f57cb5df5fdc781ed7
SHA1

9da0689d728b5872226a70974df036fed4ea650d
SHA256

2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35
SHA512

2d31a48cda76659ed8b48a6490f14168b7e6379bf6eedbaf60693c01ad16e9808ac2389d5b3e00c80d9cc17c18d9b6e8c9011b3a034bd0482f526a98dac33c46

Score

10^/10

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

lokibot

C2

http://life-is-beautiful.in/api/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35
- Size
  
  1.6MB
- MD5
  
  de415a476603c5f57cb5df5fdc781ed7
- SHA1
  
  9da0689d728b5872226a70974df036fed4ea650d
- SHA256
  
  2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35
- SHA512
  
  2d31a48cda76659ed8b48a6490f14168b7e6379bf6eedbaf60693c01ad16e9808ac2389d5b3e00c80d9cc17c18d9b6e8c9011b3a034bd0482f526a98dac33c46
Score

10^/10

adwind lokibot sality xtremerat backdoor collection evasion persistence rat spyware stealer suricata trojan upx
- AdWind
  A Java-based RAT family operated as malware-as-a-service.
  trojan adwind
- Detect XtremeRAT Payload
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Modifies firewall policy service
  evasion
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata
- suricata: ET MALWARE LokiBot Checkin
  suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2