MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a4f9ef507cfa7e595aea78b62adde21c0ea8e94e21aca457692e3c7df6b699f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adwind


Vendor detections: 3



SHA256 hash: 1a4f9ef507cfa7e595aea78b62adde21c0ea8e94e21aca457692e3c7df6b699f
SHA3-384 hash: 9776dac33921243256897fbdba30a5bca4f75e621b8c9b3f26b3fb563919302edc58708138c154ea17eb905c233e1678
SHA1 hash: 8e92558736a9c0073332aae79224c25249c8a168
MD5 hash: deae36c4a6bea3944a0039986bd6470f
humanhash: purple-coffee-five-mango
File name: Rechnung 1.jar
Signature: Adwind
File size: 524'064 bytes
First seen: 2020-06-18 10:20:16 UTC
Last seen: Never
File type: Java file jar
MIME type: application/java-archive
ssdeep: 12288:dBZXAwC7+6U5LUaHVd7VmrObbtVZ/eTXtuLNrd/rLMSiKuSaQ:PVAw4+9dj73/eTXgldTQ7PSaQ
TLSH: 2DB4238ADCF6DF7FC2A74A7699C98303BA14483DD95AFBDF51214593AEC5E182C04C88
Reporter: abuse_ch
Tags: Adwind, DEU, geo, jar, nVpn, RAT


abuse_ch
Malspam distributing Adwind:

HELO: mailout11.t-online.de
Sending IP: 194.25.134.85
From: cleverbridge AG<raho.pia@t-online.de>
Subject: Rechnung
Attachment: Rechnung 1.jar

Adwind RAT C2:
79.134.225.111:1501

Hosted on nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence


File Origin
# of uploads: 1
# of downloads: 170
Origin country: n/a
Vendor Threat Intelligence
Threat name: ByteCode-JAVA.Trojan.Jaraut
Status: Malicious
First seen: 2020-06-18 10:19:50 UTC
AV detection: 18 of 30 (60.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: persistence
Behaviour
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Adds Run entry to start application
Drops desktop.ini file(s)
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Adwind

Java file jar 1a4f9ef507cfa7e595aea78b62adde21c0ea8e94e21aca457692e3c7df6b699f

(this sample)

Delivery method: Distributed via e-mail attachment
