MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78506861635b537bdfd939c5fad8265ee1e0153c59aabac5d3aad5da8b9d8aaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 78506861635b537bdfd939c5fad8265ee1e0153c59aabac5d3aad5da8b9d8aaa
SHA3-384 hash: 8cb119ed2adb21863287ea26955174a0b073aefd9d540dbd8e471caa64d1bba367368e0afeccbd493e9a326ead81303f
SHA1 hash: 8be576b34f77727f67c2c3ba8d26b425ff673122
MD5 hash: ca5d430caea361879fcfb90e54cc2510
humanhash: delaware-nuts-one-equal
File name: BankCopy672335.jar
Signature: Adwind
File size: 415'764 bytes
First seen: 2020-06-30 05:54:52 UTC
Last seen: Never
File type: Java file jar
MIME type: application/java-archive
ssdeep: 6144:qvxWLxFlDzcR3TN/F0ETm6yS6jD2kEQ7kluDCpttiur4LgnURVAxfjzDfRPa:qY/pzqThF0ETm5S6jx7kwy4LCGVgjz1y
TLSH: 4B94238359EDCB70D08259313400F825AAE35435ECD8FCBE76A6AC7696E1491E7B30E7
Reporter: @abuse_ch
Tags: Adwind, jar, nVpn, RAT


Twitter (@abuse_ch):
Malspam distributing Adwind:

HELO: www1.webmail.pair.com
Sending IP: 209.68.6.94
From: Anita Chen <Anita.c@nkbiotech.com>
Subject: Re: BankCopy672335
Attachment: BankCopy672335.zip (contains "BankCopy672335.jar")

Adwind RAT C2:
marshost.publicvm.com:6149 (91.193.75.252)

Pointing to nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@kgb-vpn.org'

inetnum: 91.193.75.0 - 91.193.75.255
netname: NON-LOGGING-VPN-SERVICE
descr: Please note that we don't store any user data.
descr: Our main effort is not to make money, but to preserve values like the
descr: freedom of expression, the freedom of press, the right to data protection
descr: and informational self-determination.
country: EU
admin-c: KA7109-RIPE
tech-c: KA7109-RIPE
org: ORG-KHd1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: KGB-MNT
mnt-routes: KGB-MNT
sponsoring-org: ORG-MW1-RIPE
created: 2012-06-04T11:05:55Z
last-modified: 2020-06-12T19:27:12Z
source: RIPE

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 29
Origin country: US
CAPE Sandbox Detection: n/a
Link: https://www.capesandbox.com/analysis/16785/
ClamAV: SecuriteInfo.com.Java.Siggen.424.18503.17311.UNOFFICIAL
CERT.PL MWDB Detection: n/a
Link: https://mwdb.cert.pl/sample/78506861635b537bdfd939c5fad8265ee1e0153c59aabac5d3aad5da8b9d8aaa/
ReversingLabs Status: Malicious
Threat name: ByteCode-JAVA.Trojan.Adwind
First seen: 2020-06-30 05:08:07 UTC
AV detection: 14 of 31 (45.16%)
Threat level: 2/5
Spamhaus Hash Blocklist: Suspicious file
Hatching Triage Score: 10/10
Malware Family: n/a
Link: https://tria.ge/reports/200630-jvsl8rfcl6/
Tags: persistence, evasion, trojan, discovery
VirusTotal results: 16.95%

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: MD5 e5b75b2540bf7b268db23ba735ec00be (Adwind)
This sample: Java file jar 78506861635b537bdfd939c5fad8265ee1e0153c59aabac5d3aad5da8b9d8aaa
Delivery method: Distributed via e-mail attachment
