MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b3f7e36e864c21af17bb9a7d0bfecbbbdb0a5fb7b36fa1e86dbb28e159eae04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: 4b3f7e36e864c21af17bb9a7d0bfecbbbdb0a5fb7b36fa1e86dbb28e159eae04
SHA3-384 hash: b1916a71d0743106cff10a424e9d1d6c465851f216d48ef34f4c2ee520d7a947b8ac3e78ddc65fa1d5d943e96d531a55
SHA1 hash: c89b5d7ec693ba7dafb6836dc38912f90719754f
MD5 hash: a130fcf39bda045ad6ae50b94e72459c
humanhash: item-paris-wyoming-equal
File name:PAYMENT BALANCE.jar
Download: download sample
Signature Adwind
File size:408'786 bytes
First seen:2020-07-31 11:49:12 UTC
Last seen:Never
File type:Java file jar
MIME type:application/java-archive
ssdeep 12288:VFrF9sNx6CT8zYGeqr3rHgp0CbSly327NlXbQ2AUKYS:7G6dzfeUDc0bNZst9
TLSH A7942364DFB712DBE81EBE35EC2AF4B5C2351AFADB0054EC6421D038C7094E593266C9
Reporter @abuse_ch
Tags:Adwind jar nVpn RAT


Twitter
@abuse_ch
Malspam distributing Adwind:

HELO: mactec.com
Sending IP: 155.94.211.46
From: nakkad@mactec.com
Reply-To: info.moboea@gmail.com
Subject: PAYMENT BALANCE
Attachment: PAYMENT BALANCE.jar

Adwind RAT C2:
silviaburtontrade.duckdns.org:20986 (185.140.53.142)

Pointing to nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@privacyfirst.sh'

inetnum: 185.140.53.0 - 185.140.53.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU3
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-07-28T20:56:03Z
source: RIPE

Intelligence


File Origin
# of uploads :
1
# of downloads :
44
Origin country :
FR FR
Mail intelligence
Geo location:
Global
Volume:
High
Vendor Threat Intelligence
Gathering data
Result
Threat name:
AdWind JRat
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Binary contains a suspicious time stamp
Connects to many ports of the same IP (likely port scanning)
Creates an undocumented autostart registry key
Creates autostart registry keys to launch java
DLL side loading technique detected
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Sigma detected: Get antivirus details via WMIC query
Sigma detected: Powershell add exclusion path, extension and process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Yara detected AdWind RAT
Yara detected JRat
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 255347 Sample: PAYMENT BALANCE.jar Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 52 silviaburtontrade.duckdns.org 2->52 54 g.msn.com 2->54 60 Sigma detected: Powershell add exclusion path, extension and process 2->60 62 Yara detected AdWind RAT 2->62 64 Yara detected JRat 2->64 66 6 other signatures 2->66 9 cmd.exe 2 2->9         started        signatures3 process4 process5 11 java.exe 2 290 9->11         started        16 conhost.exe 9->16         started        dnsIp6 56 silviaburtontrade.duckdns.org 185.140.53.142, 20986, 49732, 49733 DAVID_CRAIGGG Sweden 11->56 58 192.168.2.1 unknown unknown 11->58 44 C:\Users\user\Oracle\bin\javaw.exe, PE32 11->44 dropped 46 C:\Users\user\FVKwo\WbZqr.class, Java 11->46 dropped 48 C:\Users\user\Oracle\bin\zip.dll, PE32 11->48 dropped 50 130 other files (none is malicious) 11->50 dropped 72 Creates autostart registry keys to launch java 11->72 74 Uses cmd line tools excessively to alter registry or file data 11->74 76 Exploit detected, runtime environment starts unknown processes 11->76 18 cmd.exe 1 11->18         started        20 cmd.exe 1 11->20         started        22 reg.exe 11->22         started        25 13 other processes 11->25 file7 signatures8 process9 signatures10 27 WMIC.exe 1 18->27         started        30 conhost.exe 18->30         started        32 WMIC.exe 1 20->32         started        34 conhost.exe 20->34         started        68 Creates an undocumented autostart registry key 22->68 36 conhost.exe 25->36         started        38 conhost.exe 25->38         started        40 conhost.exe 25->40         started        42 7 other processes 25->42 process11 signatures12 70 DLL side loading technique detected 27->70
Threat name:
ByteCode-JAVA.Trojan.AdWind
Status:
Malicious
First seen:
2020-07-31 11:51:05 UTC
AV detection:
14 of 31 (45.16%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan persistence discovery
Behaviour
Suspicious use of SetWindowsHookEx
Kills process with taskkill
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Drops file in System32 directory
Drops file in System32 directory
Drops desktop.ini file(s)
Adds Run key to start application
Checks installed software on the system
Checks installed software on the system
Adds Run key to start application
Drops desktop.ini file(s)
Loads dropped DLL
Loads dropped DLL
Sets file execution options in registry
Sets file execution options in registry
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender Real-time Protection settings
Threat name:
Suspicious File
Score:
0.35

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Adwind

Java file jar 4b3f7e36e864c21af17bb9a7d0bfecbbbdb0a5fb7b36fa1e86dbb28e159eae04

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments