adwind | f25d6b99e30f5c689eb4e8112d5fa8a58529aeb36d6d9b7905b9e5eec94bdac4 | Triage

Sharing

General

Target

yWorAvKu.exe
Size

1.0MB
Sample

250207-r7dgmsvney
MD5

acf7ad3cd2ff2f71d7aeaf8a78ee641e
SHA1

2c2dd1a2a5b9703737db85c2f5374955f0af5f06
SHA256

f25d6b99e30f5c689eb4e8112d5fa8a58529aeb36d6d9b7905b9e5eec94bdac4
SHA512

7db0d59d63e9d92c234fb9c374b910c7cfcec972e874a57a41e014d7786dea5da63d7a686750ac73a9c1ed568fff2a1f5426730bc953077c8f7851fb118dfd53
SSDEEP

24576:ZrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9Tva0h5z:Z2EYTb8atv1orq+pEiSDTj1VyvBa0h

Score

10^/10

adwind discovery execution persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://93.88.203.116/BagelsTR23

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://93.88.203.116/PopUp2023TR.pdf

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://93.88.203.116/jre-1.8.zip

Targets

- Target
  
  yWorAvKu.exe
- Size
  
  1.0MB
- MD5
  
  acf7ad3cd2ff2f71d7aeaf8a78ee641e
- SHA1
  
  2c2dd1a2a5b9703737db85c2f5374955f0af5f06
- SHA256
  
  f25d6b99e30f5c689eb4e8112d5fa8a58529aeb36d6d9b7905b9e5eec94bdac4
- SHA512
  
  7db0d59d63e9d92c234fb9c374b910c7cfcec972e874a57a41e014d7786dea5da63d7a686750ac73a9c1ed568fff2a1f5426730bc953077c8f7851fb118dfd53
- SSDEEP
  
  24576:ZrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9Tva0h5z:Z2EYTb8atv1orq+pEiSDTj1VyvBa0h
Score

10^/10

discovery execution adwind persistence trojan
- AdWind
  A Java-based RAT family operated as malware-as-a-service.
  trojan adwind
- Adwind family
  adwind
- Class file contains resources related to AdWind
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

adwinddiscoveryexecutionpersistencetrojan