MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90dd2d39ffc0ebcf1db286191a316c833ddc3111337e1c05e3d847e03e67c377. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adwind

Vendor detections: 4

SHA256 hash: 90dd2d39ffc0ebcf1db286191a316c833ddc3111337e1c05e3d847e03e67c377
SHA3-384 hash: e0151f1d6fba68f4998b23b6566f2e361c7995c2526bb230573e5183da43cba24eb93776998007aa548eaaed52796c16
SHA1 hash: 934f6b7441384a70c07b65391bc56145fdd3156c
MD5 hash: c6cb4c301d7dd2768233d5ab0d054d50
humanhash: fanta-white-muppet-kilo
File name: cov.exe
Signature: Adwind
File size: 928'835 bytes
First seen: 2020-05-01 18:13:00 UTC
Last seen: 2020-05-01 18:46:59 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep: 12288:0ed+RQ21hGU05ahHATn1mqairh39r2AfW7SwRiHsuuMX2O6n0P4pflgAMSAY:5+RbXB05Eg7/Vh39r1W7SZMuXKflgOAY
Threatray: 308 similar samples on MalwareBazaar
TLSH: 2E150201FBC184F2D6722A36097E63111BBC75701E35DA6FB7C44D6DDA720A2A921FA3
Reporter: abuse_ch
Tags: Adwind exe nVpn RAT

abuse_ch
Adwind payload URL:
https://swiftexpresscourier.vip/SH/cov.exe

Adwind RAT C2:
185.140.53.137:4028

Hosted on nVpn:

% Information related to '185.140.53.0 - 185.140.53.255'

% Abuse contact for '185.140.53.0 - 185.140.53.255' is 'abuse@FOS-VPN.org'

inetnum: 185.140.53.0 - 185.140.53.255
netname: Freedom_Of_Speech_VPN
remarks: Before you contact us, please read:
remarks: 185.140.53.0/24 belongs to a NON-LOGGING VPN service.
remarks: We don't log any user activities.
remarks: We believe that the right to informational self-determination and the
remarks: right to privacy are essential to all citizens of all countries.
remarks: We don't host anything else on our servers than VPN software and our
remarks: customers can open a fixed number of Ports.
remarks: Like Public WiFi or Tor Exit Node Operators we cannot be held responsible
remarks: for the actions of our customers, because we simply can't (and to be
remarks: honest: don't want) to control them.
country: EU
org: ORG-SL751-RIPE
admin-c: SL12644-RIPE
tech-c: SL12644-RIPE
status: ASSIGNED PA
mnt-by: FOS-VPN-MNT
created: 2016-10-17T23:24:00Z
last-modified: 2020-04-06T18:59:49Z
source: RIPE

Intelligence

File Origin
# of uploads: 2
# of downloads: 113
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Zbot
Status: Malicious
First seen: 2020-05-01 16:31:50 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 27 of 31 (87.10%)
Threat level: 2/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Adwind
Executable exe 90dd2d39ffc0ebcf1db286191a316c833ddc3111337e1c05e3d847e03e67c377 (this sample)

Delivery method: Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                   Severity
CHECK_AUTHENTICODE         Missing Authenticode                                    high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)  high

Reviews
ID                 Capabilities                    Evidence
GDI_PLUS_API       Interfaces with Graphics        gdiplus.dll::GdiplusStartup
                                                   gdiplus.dll::GdiplusShutdown
                                                   gdiplus.dll::GdipAlloc
WIN32_PROCESS_API  Can Create Process and Threads  KERNEL32.dll::CloseHandle
                                                   KERNEL32.dll::CreateThread
WIN_BASE_API       Uses Win Base API               KERNEL32.dll::TerminateProcess
                                                   KERNEL32.dll::LoadLibraryW
                                                   KERNEL32.dll::LoadLibraryExA
                                                   KERNEL32.dll::LoadLibraryExW
                                                   KERNEL32.dll::GetSystemInfo
                                                   KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API  Can Execute other programs      KERNEL32.dll::AllocConsole
                                                   KERNEL32.dll::AttachConsole
                                                   KERNEL32.dll::WriteConsoleW
                                                   KERNEL32.dll::FreeConsole
                                                   KERNEL32.dll::SetStdHandle
                                                   KERNEL32.dll::GetConsoleMode
                                                   KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API    Can Create Files                KERNEL32.dll::CreateDirectoryW
                                                   KERNEL32.dll::CreateHardLinkW
                                                   KERNEL32.dll::CreateFileW
                                                   KERNEL32.dll::CreateFileMappingW
                                                   KERNEL32.dll::DeleteFileW
                                                   KERNEL32.dll::MoveFileW
                                                   KERNEL32.dll::MoveFileExW

Comments