MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d1bd80e9ec2560a482520bad73232921285cf0b47af37b873f56be90498fc7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: 3d1bd80e9ec2560a482520bad73232921285cf0b47af37b873f56be90498fc7e
SHA3-384 hash: 8c62c4edbcab1bf8c109e73c94d6115065ab946b040f4d59681b43cb6e9a7b499e71f9201132e273195e4edadfb5d405
SHA1 hash: b530f9db4bbab82dfcd4896498cc751e639d305b
MD5 hash: 2f774f15add4f97cb391452846d017ab
humanhash: virginia-potato-don-bravo
File name:Quote.jar
Download: download sample
Signature Adwind
File size:408'978 bytes
First seen:2020-07-31 11:45:00 UTC
Last seen:Never
File type:Java file jar
MIME type:application/java-archive
ssdeep 12288:Bqe7s8m1vrHkIw1S3UgqF4aImNyEUDgecS+bVh5:5Ib1vrEISS3UgIVImNOL0B
TLSH A09423097D5CC876D8A2EF3D504F9E6714992996F2D28819F23CC19E0E17F403D82AED
Reporter @abuse_ch
Tags:Adwind jar nVpn RAT


Twitter
@abuse_ch
Malspam distributing Adwind:

HELO: nkppharma.com
Sending IP: 155.94.211.46
From: Anil Nair <anil.nair@nkppharma.com>
Subject: RFQ
Attachment: Quote.jar

Adwind RAT C2:
silviaburtontrade.duckdns.org:20986 (185.140.53.142)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU3
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-07-28T20:56:03Z
source: RIPE

Intelligence


File Origin
# of uploads :
1
# of downloads :
43
Origin country :
FR FR
Mail intelligence
Geo location:
CH Switzerland
Volume:
Low
Geo location:
Global
Volume:
High
Vendor Threat Intelligence
Gathering data
Result
Threat name:
AdWind JRat
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Binary contains a suspicious time stamp
Connects to many ports of the same IP (likely port scanning)
Creates an undocumented autostart registry key
Creates autostart registry keys to launch java
DLL side loading technique detected
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Sigma detected: Get antivirus details via WMIC query
Sigma detected: Powershell add exclusion path, extension and process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Yara detected AdWind RAT
Yara detected JRat
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 255339 Sample: Quote.jar Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 52 silviaburtontrade.duckdns.org 2->52 58 Sigma detected: Powershell add exclusion path, extension and process 2->58 60 Yara detected AdWind RAT 2->60 62 Yara detected JRat 2->62 64 6 other signatures 2->64 9 cmd.exe 2 2->9         started        signatures3 process4 process5 11 java.exe 2 290 9->11         started        16 conhost.exe 9->16         started        dnsIp6 54 silviaburtontrade.duckdns.org 185.140.53.142, 20986, 49743, 49745 DAVID_CRAIGGG Sweden 11->54 56 192.168.2.1 unknown unknown 11->56 44 C:\Users\user\Oracle\bin\javaw.exe, PE32 11->44 dropped 46 C:\Users\user\FVKwo\WbZqr.class, Java 11->46 dropped 48 C:\Users\user\Oracle\bin\zip.dll, PE32 11->48 dropped 50 130 other files (none is malicious) 11->50 dropped 70 Creates autostart registry keys to launch java 11->70 72 Uses cmd line tools excessively to alter registry or file data 11->72 74 Exploit detected, runtime environment starts unknown processes 11->74 18 cmd.exe 1 11->18         started        20 cmd.exe 1 11->20         started        22 reg.exe 11->22         started        25 14 other processes 11->25 file7 signatures8 process9 signatures10 27 WMIC.exe 1 18->27         started        30 conhost.exe 18->30         started        32 WMIC.exe 1 20->32         started        34 conhost.exe 20->34         started        66 Creates an undocumented autostart registry key 22->66 36 conhost.exe 25->36         started        38 conhost.exe 25->38         started        40 conhost.exe 25->40         started        42 9 other processes 25->42 process11 signatures12 68 DLL side loading technique detected 27->68
Threat name:
ByteCode-JAVA.Trojan.AdWind
Status:
Malicious
First seen:
2020-07-31 11:46:06 UTC
AV detection:
22 of 48 (45.83%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence discovery evasion trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Drops file in System32 directory
Drops file in System32 directory
Adds Run key to start application
Drops desktop.ini file(s)
Checks installed software on the system
Drops desktop.ini file(s)
Checks installed software on the system
Adds Run key to start application
Loads dropped DLL
Loads dropped DLL
Sets file execution options in registry
Sets file execution options in registry
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender Real-time Protection settings
Threat name:
Adwind
Score:
1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Adwind

Java file jar 3d1bd80e9ec2560a482520bad73232921285cf0b47af37b873f56be90498fc7e

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments