adwind

General

Target

RNSM00319.7z
Size

12.2MB
Sample

241112-xqzlfaskhl
MD5

e653fa79ad8314e2aa0168025a42c82d
SHA1

b56f8b3110d72c77e54ba7dd273537a99accf7ef
SHA256

84c78672f9e5510ef56bb2ee04a2e50b5a42272f534e2acb120ff0153026055f
SHA512

eca11e36ea634f772c9ecb1a14ab8a09e811e08ae67acf8fb311b3bd3cf58f3538b0e91d188e159626f065d0ddf1e3b67504487807ec006c54ed73b0c587e1b6
SSDEEP

196608:U1ltYMKrBYEDnnl6SGKvSIlkYYDAhU8EVg7pSkawU2tTKRq2yU2vQx:UBYJtDl/htrYYCg1S3LRq2yUsQ

Score

10^/10

Malware Config

Extracted

Family

xtremerat

C2

shigra.sytes.net

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\!HELP_YOUR_FILES.HTML

Ransom Note

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN''http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'/><title>DECRYPT YOUR FILES</title><style type='text/css'>html, body {margin: 0;padding: 0;margin-left: 0px;margin-top: 0px;margin-right: 0px;margin-bottom: 0px;background-color: #bfbfbf;height: 100%;}a {color: #426BBD;font-family: Tahoma, Verdana, Arial, Helvetica;font-size: 12px;}td {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f0f0f0;font-size: 14px; }.style1 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 48px;}.style3 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 60px;}.style4 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #28caf9;font-size: 14px;}.style5 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #f5e700;font-size: 14px; }.style6 {font-family: Verdana, Arial, Helvetica, sans-serif;font-weight: bold;color: #d7001e;font-size: 14px;}.style7 {width: 685px;height: 30px;background-color: #393838;border: 1px solid #565656;font-family: Courier New;font-weight: bold;color: #f0f0f0;font-size: 26px;}</style></head><body><div align='center'><table width='700' height='100%' border='0' cellpadding='0' cellspacing='0' bgcolor='#000000'><tr><td width='415' valign='top'><div align='center' class='style1'>WARNING!<br/></div><div align='center'>Your personal files are encrypted.<br/></div><div align='center' class='style3' id='fe_text'></div></p></td></tr><tr><td colspan='2' align='center'><table width='97%' border='0' cellpadding='0' cellspacing='0'><tr><td colspan='2' align='left'><br/>Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.<br/><br/></td></tr><tr><td width='7%' nowrap='nowrap' align='left'>Open </td><td width='93%' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7%'></td><td width='93%' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a>or</td></tr><tr><td width='7%'></td><td width='93%' align='left'><a href='http://y5mogzal2w25p6bn.ml' class='style4'>http://y5mogzal2w25p6bn.ml</a></td></tr><tr><td colspan='2' align='left'>in your browser. They are public gates to the secret server.<br/>The website can help you complete the decryption work automatically.<br/>You could also send <span class='style5'>0.05 BTC</span> to <span class='style5'>1cimKyzS64PRNEiG89iFU3qzckVuEQuUj</span><br/>and contact this email <span class='style5'>[email protected]</span> with below ID.<br/><br/><span class='style5'>Write in the following personal ID in the input from on server:<br/><br/></span><div align='center'><textarea class='style7'>EE2D5B19CF2C40446A8F2B58</textarea> <br/></div><br/></td></tr></table></td></tr></table></div></body></html>

Emails

class='style5'>[email protected]</span>

URLs

http-equiv='Content-Type

Extracted

Family

lokibot

C2

http://molinolatebaida.com/basic-jquery-slider-8ffe118/js/lib/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  RNSM00319.7z
- Size
  
  12.2MB
- MD5
  
  e653fa79ad8314e2aa0168025a42c82d
- SHA1
  
  b56f8b3110d72c77e54ba7dd273537a99accf7ef
- SHA256
  
  84c78672f9e5510ef56bb2ee04a2e50b5a42272f534e2acb120ff0153026055f
- SHA512
  
  eca11e36ea634f772c9ecb1a14ab8a09e811e08ae67acf8fb311b3bd3cf58f3538b0e91d188e159626f065d0ddf1e3b67504487807ec006c54ed73b0c587e1b6
- SSDEEP
  
  196608:U1ltYMKrBYEDnnl6SGKvSIlkYYDAhU8EVg7pSkawU2tTKRq2yU2vQx:UBYJtDl/htrYYCg1S3LRq2yUsQ
Score

10^/10

adwind gandcrab lokibot xtremerat backdoor collection discovery evasion persistence privilege_escalation ransomware rat spyware stealer trojan upx vmprotect
- AdWind
  A Java-based RAT family operated as malware-as-a-service.
  trojan adwind
- Adwind family
  adwind
- Class file contains resources related to AdWind
- Detect XtremeRAT payload
- GandCrab payload
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- Modifies visiblity of hidden/system files in Explorer
  evasion
- UAC bypass
  evasion trojan
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xtremerat family
  xtremerat
- Renames multiple (164) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Modifies Windows Firewall
  evasion
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1