adwind

Sharing

Copy URL

Twitter E-mail

General

Target

10419957019.zip
Size

7.8MB
Sample

230510-rx1jesge79
MD5

d4382a2bf9bedb470e4f8769a575f8a4
SHA1

f59bf67aa88d4f210f44a52789b627fdbd27e65b
SHA256

f65ae8f2b7540ff93010945ecba328569fa0d193545b422d02145cb92e811f9c
SHA512

5143817b684993399aab407481b4ae14590b8be5ed8718e2f501ec7e6bffd217e72e0a66b9a294a7af1f3915a1822382d3f371ba8bfe0f1e339e2b1162a722d8
SSDEEP

196608:wPdG8BWPdG8BcDWzNDth2CyMOxw4WL9eySwpDxScyCuk:wavNZ0xMWT63dpbAk

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.tcci.org.sa
Port:
587
Username:
[email protected]
Password:
Brown3044

Extracted

Credentials

Protocol: smtp
Host:
mail.tcci.org.sa
Port:
587
Username:
[email protected]
Password:
Brown3044

Extracted

Credentials

Protocol: smtp
Host:
mail.tcci.org.sa
Port:
587
Username:
[email protected]
Password:
Brown3044

Extracted

Credentials

Protocol: smtp
Host:
mail.tcci.org.sa
Port:
587
Username:
[email protected]
Password:
Brown3044

Targets

- Target
  
  137b35a1620fae21dec2f0c3a131d9a0d29cfcd9e82ce8f834eb77d4f4016d4d
- Size
  
  520KB
- MD5
  
  b315a288273055d8a43a06b32a1de187
- SHA1
  
  fc5a8b8d6db2a078c00fac9b1c3ab136f860f01f
- SHA256
  
  137b35a1620fae21dec2f0c3a131d9a0d29cfcd9e82ce8f834eb77d4f4016d4d
- SHA512
  
  5bcc6c2a26da57d43b749f35dd182b388b6f352ac70dbc74edcb7b365e79d2a7e8433421be3686276f4859d4c1cc265732bb1f48c199b3f477a8db35c164e2e7
- SSDEEP
  
  6144:nujqOoq5bS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9f:5q5QtqB5urTIoYWBQk1E+VF9mOx9Yi
Score

1^/10
behavioral1 behavioral2
- Target
  
  2030669b9dc24b34099a10012ea0850380a10205475657c3f8e2d34b5e91551f
- Size
  
  823KB
- MD5
  
  65510e95f239192ac363a192203c1d2c
- SHA1
  
  1f35acbc9389e21cfd77cc74f4b633d77b0c732d
- SHA256
  
  2030669b9dc24b34099a10012ea0850380a10205475657c3f8e2d34b5e91551f
- SHA512
  
  9c801085ad441790e8cb761fac082ba69fcb7fb47ee67773029072fd37c20c24214dc8a824a346d181cf0dec486dc4fc61162a0373e17e4ca90c5670f1316558
- SSDEEP
  
  12288:d0ueVG7/ksXLRittWVAChSaglFAk+JFuLRGzD8PjDLAvJ9e9g0EjslPYHD+e8Rx+:3eE4skttWVAJayHLoDC/ABFaNYj1
Score

10^/10

m00nd3v_logger infostealer spyware stealer
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  stealer spyware m00nd3v_logger
- M00nD3v Logger payload
  Detects M00nD3v Logger payload in memory.
  infostealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4
- Target
  
  241b2515168df42784e10af72536a6d661d8bd483abae1931d81f11c8ebcdf7b
- Size
  
  688KB
- MD5
  
  02e2a992875b23ec7aae8081b368b779
- SHA1
  
  491b4ed14c4eccef51e4b980a59efeecea8b6dd0
- SHA256
  
  241b2515168df42784e10af72536a6d661d8bd483abae1931d81f11c8ebcdf7b
- SHA512
  
  44fec96393f437c7576f2c54cd7bb2d2fee82b3fe040240fda494ab71164301e621c2a2c54a1d2b272f89b8c9abc882b7e93d05a4a5af3cfba22ce8c3ed578c1
- SSDEEP
  
  12288:WErur6nhxWCV8OO13OzEuXZtRLe8S542pExolJgiiy:WEarKhxWCcOz7XZrLYi
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  4ae73bfefefb1e74a928827cf4f59b3f136e739775209353af6d43bb5bde0d44
- Size
  
  742KB
- MD5
  
  0c27d36bd2796e873a7f5a45915e85b3
- SHA1
  
  e6c30d3e932f6c00dac3c8d65edd59e3cb667a03
- SHA256
  
  4ae73bfefefb1e74a928827cf4f59b3f136e739775209353af6d43bb5bde0d44
- SHA512
  
  b705af364764061f7ed044771dc2ad48256bcc4a8166ef1bb3319bebdee440e172102000b02c4f8ea1b1d4f4594ba439a05efed895e033822a9462d98f8beef2
- SSDEEP
  
  12288:g/MwIMg8dyQjNrrQzo6xAFix8eylAYjzFpRgeZL7+sHKd:g/SgXvQM2DdlYjvfqd
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  4c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
- Size
  
  658KB
- MD5
  
  5e9a63f5b3d8f53478a2889c0eefd510
- SHA1
  
  d6d545146b969ac2ea389a1f11ffcda377549da2
- SHA256
  
  4c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
- SHA512
  
  2ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87
- SSDEEP
  
  12288:gXQnnE6+s3WsZ/lkwR939lgKFWRg1xY0VcRuaHuatAUz3huJ7XrjaJ+:gXQnnYsNHXR9NlgobVcUK7UXrj++
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267
- Size
  
  945KB
- MD5
  
  8c954b7b1b63e226c6997b1e0260ba69
- SHA1
  
  47676b03a41c3711842091156984754b25a4771c
- SHA256
  
  540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267
- SHA512
  
  c449ef2778e286c5add39c5bae7c9a0fd3fce23f034f68d4f49e9c0ac5373289d7d82d475253dbf984aaf4140023ba396556194de66182bcf3ab3fb71f4cbe2e
- SSDEEP
  
  12288:ZV+mzTiV2KQ4p2+fk104bYOgTY3+0dXHjVqouwYnb3pENT4a/gFDV3MzQHmVbb:Z858F+81XYHTm+GoouwCZENVgH88HmVX
Score

10^/10

adwind trojan
- AdWind
  A Java-based RAT family operated as malware-as-a-service.
  trojan adwind
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral11 behavioral12
- Target
  
  5e1a82be9d8f3ed23343ff5dd356625fabb8a16fb2e8e637051913a9f05342ee
- Size
  
  908KB
- MD5
  
  d37057ddacd28e391e837d5546afcb7b
- SHA1
  
  a5991fc91e81dfcda292869010af0aa70265296a
- SHA256
  
  5e1a82be9d8f3ed23343ff5dd356625fabb8a16fb2e8e637051913a9f05342ee
- SHA512
  
  e3cb56df554309ba1d581c222f6b7ded1afb75f95f60ee13aa4c6fc153d61e03b61e9e83691f31d0dab06eba8c96cce963dba888912935b00e2357593095d5e5
- SSDEEP
  
  12288:ybz6wJ9k3IpnZvQEh3QMm8nuO+oibB1Yy9P0XE4oK0jYdCeTdvnBn:Ov9Dp1Q03g8j6Fw9SYYeTdvB
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  a9b51a1c8409470cf8204ec646aabdd91cf7aa424dfaeaf5e58447e65065925e
- Size
  
  692KB
- MD5
  
  21a98f442dc499874eee65be09e23256
- SHA1
  
  b220652614f3f561aa690ef5009c655bb31956d1
- SHA256
  
  a9b51a1c8409470cf8204ec646aabdd91cf7aa424dfaeaf5e58447e65065925e
- SHA512
  
  6dbd625a43d2da5bb9743a01e748c71c0654f9c71229ab1b5e4973a9b12f657f4d301f6a8cada418bad21009f0596b78cda4745fc896fd3bac02974c800401f0
- SSDEEP
  
  12288:ZzgmdXs3Q7Rxyb+xM3A4qte6gvV696oYd+eufXpaIJYHjDDU:5gksGcC2TxN69HY+fp/S7U
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  abbaee140815099a2d6b0d4edbc24c39f18bb451a32e67a18c511c7a164b7e19
- Size
  
  667KB
- MD5
  
  389c57aa4b5b8c0d95e6796d290f6777
- SHA1
  
  14438e62e33f94128d5c5db261b31d9608c57ec0
- SHA256
  
  abbaee140815099a2d6b0d4edbc24c39f18bb451a32e67a18c511c7a164b7e19
- SHA512
  
  9eeaec1376239284d75c096256c3183bb0951bf070905b58ac228da63f3a3c55c00d9fd496a07864691923ea8876ebe3cfa6438ab759d89b76a22abc090e9db8
- SSDEEP
  
  12288:xHV8idMlURaewENwQYSE0DMIwyVcIz3jSXlT8nHX395J7ecUppB:x8lURpmShUkslT8noc+
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  ba794fac4af75d1fb23270a772d17d36b2d84606cffb38a991e41a22a21b7cff
- Size
  
  692KB
- MD5
  
  c9dfc04b8b0c393c1fb835b1f2f20ea4
- SHA1
  
  5d91d43f27be4899646ce6cd9108c28976f03fab
- SHA256
  
  ba794fac4af75d1fb23270a772d17d36b2d84606cffb38a991e41a22a21b7cff
- SHA512
  
  f05d077693cb94eeb820127541ce06258e5dbb79aa0a9d0c613db820ed24036875377092d25a8af3ffec34159ab519d5175ccd02dcde41e2114468256552cf25
- SSDEEP
  
  12288:ZzgmdXs3Q7Rxyb+xM3A4qte6gvV696oYd+eufXpaIJYHjDD:5gksGcC2TxN69HY+fp/S7
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12
- Size
  
  679KB
- MD5
  
  7f075616272cca52e731c11080d0f3ef
- SHA1
  
  b5142fe556fc114eb221c4b14ad9d19c9e83fe83
- SHA256
  
  c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12
- SHA512
  
  f9fe3bb4f04138c8c924a74f35c293cbe3e777a6f2993c0352e4de9f6677807fcb982190d2a070925ee7a6810a136f2f7c1358babe5e8087736513f6b77982a7
- SSDEEP
  
  12288:WXQnnE6+s3WsZ/lkwR939lgKFWRg1xY0VcRuaHuatAUz3huJ7XrjaJ+:WXQnnYsNHXR9NlgobVcUK7UXrj++
Score

4^/10
behavioral21 behavioral22
- Target
  
  e42d6acc643608d3be98a986efbb2ae23865c200b4f029182943a8b6447acf6d
- Size
  
  667KB
- MD5
  
  8d923060ac86ddf3131462a79e04f36d
- SHA1
  
  0f8361129ca20a043a4f94ac41966455e7dce031
- SHA256
  
  e42d6acc643608d3be98a986efbb2ae23865c200b4f029182943a8b6447acf6d
- SHA512
  
  6fe596e89589edff232ff30d757de76c3bb71789013f612614bda2fa518e12a331989a80300ff6c79ff82e966c9dee6cf86fc2ad2b234fa892205fe788078c5b
- SSDEEP
  
  12288:kStGqjTO/gykX58BC0MA9dtDoMASkQgT9QFaI7jcQHWbb4E2VVmY:hjuTFMysFSa9kjcs7E2
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral23 behavioral24

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

M00nd3v_Logger

M00nD3v Logger payload

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

HawkEye

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

Adds Run key to start application

Drops desktop.ini file(s)

Looks up external IP address via web service

Suspicious use of SetThreadContext

HawkEye

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

Adds Run key to start application

Drops desktop.ini file(s)

Looks up external IP address via web service

Suspicious use of SetThreadContext

HawkEye

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

Adds Run key to start application

Drops desktop.ini file(s)

Looks up external IP address via web service

Suspicious use of SetThreadContext

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Looks up external IP address via web service

HawkEye

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts