adwind

Resubmissions

22-04-2024 22:02

240422-1xtwbagh68 10

22-04-2024 19:25

240422-x42b7afa68 10

19-04-2024 03:02

240419-djmthsfh8w 10

Sharing

Copy URL

Twitter E-mail

General

Target

7d69e0d82e74059115486fae5dd5ac6463c7fccd91dbbcaa9587117c7d201ddb
Size

289.5MB
Sample

240422-1xtwbagh68
MD5

405394c381ca2000e01428e79d03cecb
SHA1

cb41f1d9e06c1b783378a43486c7d997a3635b68
SHA256

7d69e0d82e74059115486fae5dd5ac6463c7fccd91dbbcaa9587117c7d201ddb
SHA512

40266c79a3d2c010882cfc4b237c6d27989dc385fd23d8bafe89e4ff329a181fed4ba44dac91187ffd2698d51af44454917e901375aa0dc87624ec956f12f80d
SSDEEP

6291456:BN08aneiYsmfO6eRtz+WmPn4auzQgHDXuDFHVfuc1Fyn6RQuj3jN31S:j08aneo2eTTI2NHDXuDjxPyn6zj3jN3M

Malware Config

Extracted

Family

gafgyt

94.156.64.4:42516

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

blacknet

Botnet

HacKed

http://botnetera.pagekite.me/

Mutex

BN[pjClIrDI-2470224]

Attributes

antivm
true
elevate_uac
true
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
35dcbc7eb742dd4f1edfbccf7826c724
startup
false
usb_spread
false

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

xworm

involved-hurt.gl.at.ply.gg:35238

Attributes

Install_directory
%LocalAppData%
install_file
WindowsHealthSystem.exe

Extracted

Family

redline

Botnet

cheat

0.tcp.eu.ngrok.io:18950

Extracted

Family

mirai

hoiiaz.iaz.coby

Extracted

Family

redline

Botnet

163.5.112.53:51523

Extracted

Family

stealc

http://185.216.70.109

Attributes

url_path
/eb488f9cb9d466ca.php

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

MIRAI

client.orxy.space

Extracted

Family

mirai

Botnet

MIRAI

Extracted

Family

lumma

https://interferencesandyshiw.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://affordcharmcropwo.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

Extracted

Family

mirai

Botnet

SORA

Targets

- Target
  
  0490e8427ac66951389e11dbd990c19cb1ee43102c33935b12db6a4eca7717c7.elf
- Size
  
  115KB
- MD5
  
  864bda0dc36b639210f886e6968394b7
- SHA1
  
  6e5d6d3cfeae7f5b0cb4987ea35fbfc4ea100527
- SHA256
  
  0490e8427ac66951389e11dbd990c19cb1ee43102c33935b12db6a4eca7717c7
- SHA512
  
  37cfcf70855ad24970cd76e911d39ddd788090f1e0bb8815b8d41af00b38dd66e6bcd57ab3102cac3a2e896c135ea7a9f3b1ed50839373056b3037261d80a87b
- SSDEEP
  
  3072:6oLEcVdOAnowHfbEqyas7J3UPwenmvI0PDGnSQNER:6oLEcPOAnowLyaoJ3ajnmvI0PDGnSQNM
Score

1^/10
behavioral1 behavioral2 behavioral3 behavioral4
- Target
  
  068428a4acb65807251b3b4c0aee2101519fdaebf6db5376863da5add3471f26.exe
- Size
  
  2.7MB
- MD5
  
  853a9918a66c6de88c9d8577726f2605
- SHA1
  
  36b6e43bcd91cdb0ca35c48a3b8644ba0d51f305
- SHA256
  
  068428a4acb65807251b3b4c0aee2101519fdaebf6db5376863da5add3471f26
- SHA512
  
  7980da87d70698ea26bf2109174cdbad041ff1c35ef19beb29985fa6a9ffeaa17df920b7ad9331700863cf7cc7b492e06fa1b9ff06a35e14779b742559d04489
- SSDEEP
  
  24576:W0FRFbz9JmGF6uabHxZ2/AVWcE1+APcSs+x4HRjcKx+Afz0bRK+m4pGAhiBLqx7I:Wc5/mGJae/AJcBPcRjcA+AYDZLx7acT
Score

8^/10
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  087421ac222e935579dfd3b7a5120451fd9d9a663d3d1872c04b6154b238c894.elf
- Size
  
  29KB
- MD5
  
  caa62fc5426fda5bb51dd6dcfc804b5b
- SHA1
  
  c1648ab78484ea318efa729b41f0fff80772a8b3
- SHA256
  
  087421ac222e935579dfd3b7a5120451fd9d9a663d3d1872c04b6154b238c894
- SHA512
  
  5b6678cc985a4e180032c2ef9ecc094b22ea2c7de3ab2cc9bfa265ef444c13582bcb3183125ab1193d9f5a45ceee46ff49d5773532242f8821d8ba845b39a460
- SSDEEP
  
  768:Mqa+lipfbBFUDuQZHAOrvWj6rRjrM1u2BYiQnUWsx:0bB2aQZJvWjyhL2BY7nix
Score

10^/10

mirai sora botnet
- Mirai
  Mirai is a prevalent Linux malware infecting exposed network devices.
  botnet mirai
behavioral7
- Target
  
  0c4791a6b47491a0c43cea0ba54357e391a3c8b23aa28025489bbe43bb9ea6ea.elf
- Size
  
  50KB
- MD5
  
  386982ad3916c76d79d706af4d8639fc
- SHA1
  
  9b4e80785492dbbfc8c585587851bce3844f48a2
- SHA256
  
  0c4791a6b47491a0c43cea0ba54357e391a3c8b23aa28025489bbe43bb9ea6ea
- SHA512
  
  24ba01f9473a9fd5d5e8e0056952147f5ac2a9b166552dfc25fccf36b3b82e2eb608f0fc6994a92546617586cba82ef9469e9785d48e7f8d4875d2492c90ea1f
- SSDEEP
  
  1536:EFE+30g4zbPVfqnB+1F5WfLKSMdD6elLB:0E+3szbtP13sL6h9BB
Score

1^/10
behavioral8
- Target
  
  0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
- Size
  
  725KB
- MD5
  
  4b0a935fbc037ea00bf17468d4cf5b85
- SHA1
  
  169cd19c1d29bebd2c7fe5a8de25b1429f8f2aed
- SHA256
  
  0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea
- SHA512
  
  0bee469d0188505772af1fd9af4a6710c201475340045b97024102a63aaba14f940e6ee36d118d338e836b4ee7ba03387001ce81724c4f4433123f5b9d83dd4f
- SSDEEP
  
  12288:w6Wq4aaE6KwyF5L0Y2D1PqL5C38Lua13KVsrOQW60Ztsmhv3:GthEVaPqL58F2rBjmB3
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral10 behavioral9
- Target
  
  0fa00d4f4f8e8449883aef7f0459a0fb754d57d55af2b41f5e445f867000fa70.exe
- Size
  
  149KB
- MD5
  
  d466c92a9ed1b0dd7a9789d24182b387
- SHA1
  
  619c3496cb1494bcabbae38bf78bceb501608a7a
- SHA256
  
  0fa00d4f4f8e8449883aef7f0459a0fb754d57d55af2b41f5e445f867000fa70
- SHA512
  
  2fe67183a79118853f89b97bc0e43b74ce02692be8e5fa4e79e45fb09010d599b961191913c3836652536b2382321d8a5191921965aeea85616127ba2e6ac6bb
- SSDEEP
  
  3072:cs2t+jk/d1uce+aD7UKg6THMGANMemOI:E7ufgKg6TsvI
Score

1^/10
behavioral11 behavioral12
- Target
  
  10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1.bat
- Size
  
  1.1MB
- MD5
  
  4030841f8cd4b3ac37ab0a0b9332f3a5
- SHA1
  
  6d05584de372399fbadd59a1e6a1eefee90f8725
- SHA256
  
  10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1
- SHA512
  
  a8c40c3fa3f7f9ba47eed94a55a2562719073fd568d4aa96a081a46ce150e0b068b453e812eaef3fe15cafae3b66127e23ed4d72669173c8c254ba58d32534c0
- SSDEEP
  
  24576:+NAwcGqisVN8rXpLOnM+YCftp99Jj9Pgxp1QrKDI:+NKVVsxmt9j
Score

8^/10
- Blocklisted process makes network request
behavioral13 behavioral14
- Target
  
  11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe
- Size
  
  14.4MB
- MD5
  
  ecaa6f88c3b6594914a8ffde04fd5d84
- SHA1
  
  885e4370299d369f7285ba5f2c544cbcd70a5fd0
- SHA256
  
  11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432
- SHA512
  
  94712c9ceddc1e2abd7ec19dc39bf2cbea54d3430f66887e2e0861c2cdb4c4ee24c39d3140c9374e826049516b814c3fcfcf4c49402bc5c2335d87bc0ee67f83
- SSDEEP
  
  393216:hp8QGQCKH9iqYCfy8tW5MrYR0aioa4CMRmrrCZRBkyQzy:v8QGrK5GXR9ioaJMRmrrdysy
Score

10^/10

lumma stealer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  16e81343ecea6082d76bf1ab26818c3bf56929c92468fae8837c6384b62d05a5.exe
- Size
  
  6.9MB
- MD5
  
  755c6c74f65a7eb6fac438c71232090b
- SHA1
  
  ecd899ca1c4764a57a8a15f7ac41624196f1a4e7
- SHA256
  
  16e81343ecea6082d76bf1ab26818c3bf56929c92468fae8837c6384b62d05a5
- SHA512
  
  f0dcf9c4d84708a6dd665c53d0d8b72209de79cd571836a496d9cf3dbdc757f82a69e6788b2037484720fa6e966ff5c6719be4f7faa36486561856b1f7e6379c
- SSDEEP
  
  3072:MNA/391UUU35AkH+wWtailGlIQZboLRM9ua/aHyvZRVed2idrTj4i4MzNrpFFbmO:MNALUU4T7sGlVbAP//zNCbuIQ
Score

7^/10

collection spyware stealer
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral17 behavioral18
- Target
  
  17691f0962027e7110f727ae997f8af5885dd783674d1db023d467ec478515b7.elf
- Size
  
  177KB
- MD5
  
  a34eeacb65f86c57bdea56175af169ef
- SHA1
  
  6f474269c97412679d64187a3e99eec1707b4200
- SHA256
  
  17691f0962027e7110f727ae997f8af5885dd783674d1db023d467ec478515b7
- SHA512
  
  7e763bec443a758df9c6f322087a07cf12406a5b46ba6049ddf3fd33c780f1bbe32cd7dd7e7fb19f9a43bd4d168984de1df925c525304099e6f8cd44947da432
- SSDEEP
  
  3072:Mwoe3s52Zt9nQiX/GpO1SMRpp6NWJdWQwi:MnSskZDQiX/2ObRWoDWf
Score

6^/10
- Enumerates running processes
  Discovers information about currently running processes on the system
behavioral19
- Target
  
  17c24104e8e5350eeb7e2a162dec3f6a4d6c70f3f0849e6346fd383d998dcc12.exe
- Size
  
  4.6MB
- MD5
  
  8ceb3a5e7da3309b307a2407298a7cee
- SHA1
  
  c7b571e5020866e068c8b780782be72cf5f8df3f
- SHA256
  
  17c24104e8e5350eeb7e2a162dec3f6a4d6c70f3f0849e6346fd383d998dcc12
- SHA512
  
  80a5cd2d600cee52ac02dd2534c7415a714e41d403486dac3e181706f5ea1a63f610c46b09c46035d60462f2b20bc5fdaf8e4ca1aafaa0ffaadd9430ea3b7277
- SSDEEP
  
  98304:jf3t4BNLhoAfN/BKhtrW4+UbTRS2S6A4nzSHkKZkWKR/J7gyTT:jf3t4zNoAFYhdW4ZJzfOkCkWu/dgO
Score

3^/10
behavioral20 behavioral21
- Target
  
  1816cd993ddda970b791b090e6ecb501ef923bdcc0cc5f4a99e18dcdb7093228.exe
- Size
  
  1.7MB
- MD5
  
  74a37bb794ed287696eac4495ffae13f
- SHA1
  
  0097bc646687e8441db0079c3f85320be39e4a13
- SHA256
  
  1816cd993ddda970b791b090e6ecb501ef923bdcc0cc5f4a99e18dcdb7093228
- SHA512
  
  17770d69d3792f1663d58d2d5c1b1cbcac04ac9ef85c0416bb4f69ca3410b710953f384039999e8719a798bf4cd751226a2282affb7f959197eeccb782126950
- SSDEEP
  
  24576:s7FUDowAyrTVE3U5F/9GqKVKic6QL3E2vVsjECUAQT45deRV9RZ:sBuZrEUwzKIy029s4C1eH93
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral22 behavioral23
- Target
  
  1b8cda768ba75d723b2b0b34cf955f7ec9469b4e33c6fde6494eefd60a139d8a.elf
- Size
  
  142KB
- MD5
  
  95917209bb8848eae1a1c23bc9f1d408
- SHA1
  
  6a1d24d516661a8ce45621215d567005504abdee
- SHA256
  
  1b8cda768ba75d723b2b0b34cf955f7ec9469b4e33c6fde6494eefd60a139d8a
- SHA512
  
  a210dd4775612be960fbb2850f7a4f13680e40386b37ca05605434f9670e70d535fab839df9dd5b013910056a0cd8f32f163208af9ce890af789e485fab3a480
- SSDEEP
  
  3072:PccxTBU5zIUJXXxhtn/aZ6OVCRLCSpO8BC:PciBy7JXhht/anmXpO8BC
Score

1^/10
behavioral24
- Target
  
  1df6acbc1106e17265fde3ab54b2a83fa8f6f39656d7c55481b2dbd66f1114b7.elf
- Size
  
  115KB
- MD5
  
  d465f896ac0fa592fd84f65824c424f2
- SHA1
  
  307e056622700b43eebb6bb43080708fcd6e7990
- SHA256
  
  1df6acbc1106e17265fde3ab54b2a83fa8f6f39656d7c55481b2dbd66f1114b7
- SHA512
  
  7034166cf7c3e05f9555c4356b31c1ab9d1abb3b68f3483448bf1983a3fdad5adf5f38c1f32ee5de069a8b59c5b43e48b0f4abf776ab1246265bcfa1a434794b
- SSDEEP
  
  3072:L+YUpmc5hIof5UM7XgYjykKdYmm/QcuLB126DNb:LwU1of5UMPyk2Ymm/QcuLB126DNb
Score

10^/10

adwind dcrat gafgyt irata mirai redline sectoprat stealc zgrat mirai sora tg botnet infostealer pyinstaller rat stealer trojan upx
- AdWind
  A Java-based RAT family operated as malware-as-a-service.
  trojan adwind
- Class file contains resources related to AdWind
- DCrat
  DarkCrystalrat.
  rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect ZGRat V1
- Detected Gafgyt variant
- Gafgyt/Bashlite
  IoT botnet with numerous variants first seen in 2014.
  botnet gafgyt
- Irata
  Irata is an Iranian remote access trojan Android malware first seen in August 2022.
  trojan infostealer rat irata
- Irata payload
- Mirai
  Mirai is a prevalent Linux malware infecting exposed network devices.
  botnet mirai
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Requests dangerous framework permissions
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral25 behavioral26 behavioral27 behavioral28
- Target
  
  1e7706ed0492572474cd866f13778cc66c42b614b3d0b1d9af35727c051a50b0.elf
- Size
  
  61KB
- MD5
  
  013c472aa24c1a90c7d3d9f7cb429acf
- SHA1
  
  c2d2332e6ae7896feb69591968752431656fac40
- SHA256
  
  1e7706ed0492572474cd866f13778cc66c42b614b3d0b1d9af35727c051a50b0
- SHA512
  
  0fc535975b93d62f32e54993413093b236d64aedb8fd76822d66988e85d9649833dca3479159b8e16dc92645a26c36b92ae9b422e642c94dacfd1c212184dd1c
- SSDEEP
  
  768:WV8SNmQEPAPJD7E9NsB8UI8t/PMJTjKxVnjDbwqctNcjvwRgIP:WhNgPE7As8x8t/ETjKx9jDbDSGKP
Score

1^/10
behavioral29 behavioral30 behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Blocklisted process makes network request

Suspicious use of SetThreadContext

Mirai

UPX packed file

AutoIT Executable

Blocklisted process makes network request

Lumma Stealer

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Enumerates running processes

Executes dropped EXE

Loads dropped DLL

Class file contains resources related to AdWind

DCrat

DcRat

Detect ZGRat V1

Detected Gafgyt variant

Gafgyt/Bashlite

Irata

Irata payload

Mirai

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Stealc

ZGRat

DCRat payload

UPX packed file

Requests dangerous framework permissions

AutoIT Executable

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17