adwind

General

Target

9e9fec3ff4dce17a719345d12573d1a0_JaffaCakes118
Size

4.4MB
Sample

240611-sqzh8a1gjd
MD5

9e9fec3ff4dce17a719345d12573d1a0
SHA1

9b00aac448f2578dbe3ad1fa6ad881dce088ee4f
SHA256

0b09172121446ef773c5a6b3e69054aa830d7d7f030b716674972c80717a65f8
SHA512

a40ba2f5fb8ba6dcb8f2013ac2b165ecb6d5d545da85531aa4d20a64e6577e2edd68c8dfecf1b7d9133ab2b62e99cd0ef6237d10fc76509c25b164038d37b651
SSDEEP

49152:BwCbthWW8/fe+sz1KDkfMSnvmc4+2ZnA2p2BUEfK5vbVQQb/ur2Z:5VQb6ZfMSvmFnBcBUE4baa/d

Score

10^/10

Malware Config

Extracted

Family

xtremerat

C2

jasoiuuydealoo.zapto.org

Extracted

Family

latentbot

C2

jasoiuuydealoo.zapto.org

Targets

- Target
  
  9e9fec3ff4dce17a719345d12573d1a0_JaffaCakes118
- Size
  
  4.4MB
- MD5
  
  9e9fec3ff4dce17a719345d12573d1a0
- SHA1
  
  9b00aac448f2578dbe3ad1fa6ad881dce088ee4f
- SHA256
  
  0b09172121446ef773c5a6b3e69054aa830d7d7f030b716674972c80717a65f8
- SHA512
  
  a40ba2f5fb8ba6dcb8f2013ac2b165ecb6d5d545da85531aa4d20a64e6577e2edd68c8dfecf1b7d9133ab2b62e99cd0ef6237d10fc76509c25b164038d37b651
- SSDEEP
  
  49152:BwCbthWW8/fe+sz1KDkfMSnvmc4+2ZnA2p2BUEfK5vbVQQb/ur2Z:5VQb6ZfMSvmFnBcBUE4baa/d
Score

10^/10

adwind hawkeye latentbot lokibot xtremerat collection evasion keylogger persistence rat spyware stealer trojan upx discovery
- AdWind
  A Java-based RAT family operated as malware-as-a-service.
  trojan adwind
- Class file contains resources related to AdWind
- Detect XtremeRAT payload
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- UAC bypass
  evasion trojan
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Modifies Installed Components in the registry
  persistence
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2