MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13282c40dd66c53e866c60202f428781cf9562bb0f02e30027ebb7fb41efb5b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13282c40dd66c53e866c60202f428781cf9562bb0f02e30027ebb7fb41efb5b8
SHA3-384 hash: 33500b3734717f38aca4a92b9ba20d64fe8b22b40265837db2426f760fe1007a048e61efd70cea4273b639a0da84bd1e
SHA1 hash: a69df46202eb2497bad5c4ddc39e0e83efb8482a
MD5 hash: 331317b4cae70b90441e0a2c8fb2e6c6
humanhash: blossom-september-july-cat
File name:331317B4CAE70B90441E0A2C8FB2E6C6.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:390'100 bytes
First seen:2021-05-23 17:15:30 UTC
Last seen:2021-05-23 18:01:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'463 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 6144:x/QiQXCckm+ksmpk3U9j0IkquROGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglMb:pQi3cP6m6UR0IuRlL//plmW9bTXeVhD4
Threatray 19 similar samples on MalwareBazaar
TLSH 59841242F7E18839E073CEB01C90E962893B79654DBC650837ECAD8F9F3B5825256793
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
http://94.130.58.199/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.130.58.199/ https://threatfox.abuse.ch/ioc/57564/

Intelligence

File Origin
# of uploads :
2
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
331317B4CAE70B90441E0A2C8FB2E6C6.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-23 17:19:18 UTC
Tags:
installer
Link:
https://app.any.run/tasks/bb561aec-7cfc-4deb-9ce7-e43123e8be9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/160941/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process with a hidden window
Sending a UDP request
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Sending an HTTP POST request
Creating a file
Deleting a recently created file
Replacing files
Using the Windows Management Instrumentation requests
Adding an access-denied ACE
Launching a process
Launching cmd.exe command interpreter
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Delayed reading of the file
Running batch commands
Unauthorized injection to a recently created process
Setting a single autorun event
Sending a TCP request to an infection source
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/789702
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 422098 Sample: sP2AXSWC73.exe Startdate: 23/05/2021 Architecture: WINDOWS Score: 100 96 www.profitabletrustednetwork.com 2->96 98 www.cloud-security.xyz 2->98 100 35 other IPs or domains 2->100 144 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->144 146 Multi AV Scanner detection for domain / URL 2->146 148 Antivirus detection for URL or domain 2->148 152 6 other signatures 2->152 11 sP2AXSWC73.exe 2 2->11         started        14 Popunusatae.exe 2->14         started        signatures3 150 Performs DNS queries to domains with low reputation 96->150 process4 dnsIp5 86 C:\Users\user\AppData\...\sP2AXSWC73.tmp, PE32 11->86 dropped 17 sP2AXSWC73.tmp 3 19 11->17         started        130 limesfile.com 14->130 88 C:\Program Files (x86)\...\Windows Update.exe, PE32 14->88 dropped 90 C:\...\Windows Update.exe.config, XML 14->90 dropped file6 process7 dnsIp8 94 limesfile.com 198.54.126.101, 49717, 49725, 49783 NAMECHEAP-NETUS United States 17->94 62 C:\Users\user\AppData\Local\...\Balti.exe, PE32 17->62 dropped 64 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 17->64 dropped 66 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 17->66 dropped 68 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 17->68 dropped 21 Balti.exe 22 20 17->21         started        file9 process10 dnsIp11 116 global-sc-ltd.com 199.188.201.83, 49721, 80 NAMECHEAP-NETUS United States 21->116 118 iplogger.org 88.99.66.31, 443, 49729, 49912 HETZNER-ASDE Germany 21->118 120 3 other IPs or domains 21->120 70 C:\Users\user\AppData\...\Hyxacenawae.exe, PE32 21->70 dropped 72 C:\Program Files (x86)\...\Popunusatae.exe, PE32 21->72 dropped 74 C:\Users\user\...\Hyxacenawae.exe.config, XML 21->74 dropped 76 3 other files (1 malicious) 21->76 dropped 154 Detected unpacking (overwrites its own PE header) 21->154 26 Hyxacenawae.exe 14 5 21->26         started        30 irecord.exe 2 21->30         started        33 Dowilekaepi.exe 21->33         started        file12 signatures13 process14 dnsIp15 122 connectini.net 26->122 156 Detected unpacking (overwrites its own PE header) 26->156 35 iexplore.exe 26->35         started        38 iexplore.exe 26->38         started        40 iexplore.exe 26->40         started        45 12 other processes 26->45 92 C:\Users\user\AppData\Local\...\irecord.tmp, PE32 30->92 dropped 42 irecord.tmp 27 31 30->42         started        124 d.jumpstreetboys.com 104.21.62.88, 443, 49902, 49939 CLOUDFLARENETUS United States 33->124 126 192.168.2.1 unknown unknown 33->126 128 2 other IPs or domains 33->128 file16 signatures17 process18 dnsIp19 108 3 other IPs or domains 35->108 47 iexplore.exe 35->47         started        102 www.cloud-security.xyz 38->102 104 cloud-security.xyz 38->104 110 2 other IPs or domains 38->110 112 3 other IPs or domains 40->112 50 iexplore.exe 40->50         started        52 iexplore.exe 40->52         started        78 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 42->78 dropped 80 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 42->80 dropped 82 C:\Program Files (x86)\...\is-VJV0C.tmp, PE32 42->82 dropped 84 13 other files (none is malicious) 42->84 dropped 54 i-record.exe 42->54         started        106 www.profitabletrustednetwork.com 45->106 114 2 other IPs or domains 45->114 56 iexplore.exe 45->56         started        58 iexplore.exe 45->58         started        60 iexplore.exe 45->60         started        file20 process21 dnsIp22 132 vexacion.com 139.45.197.236, 443, 49732, 49733 RETN-ASEU Netherlands 47->132 134 betshucklean.com 47->134 142 35 other IPs or domains 47->142 136 directdexchange.com 35.201.70.46, 443, 49737, 49738 GOOGLEUS United States 50->136 138 www.directdexchange.com 50->138 140 www.profitabletrustednetwork.com 192.243.59.12, 443, 49730, 49731 ADVANCEDHOSTERS-ASNL Dominica 56->140
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13282c40dd66c53e866c60202f428781cf9562bb0f02e30027ebb7fb41efb5b8/
Threat name:
Win32.Infostealer.Passteal
Create hunting rule
Status:
Malicious
First seen:
2021-05-20 14:16:24 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cmucyqg5m3ct5btmmaqc6quhqhhzkyv3b4bogabh5o37wqppww4a._file
Verdict:
malicious
Similar samples:
4ae0156d1ccca584c5ed35708b150e0649cd470f5b192653a578c215e5118c08
Adware.FileTour
6bd5019594fbe81423f3f5c10c61773203914ebcc1d57dfab9bde6d8bc7b6c46
Adware.FileTour
864ef1321215c0dad7c8677e3c18942b111468c63358475baa71fb1679c25096
Adware.FileTour
8e4f30afa8d0ce48c46a39e2754d8f7adad90ae8ccaf0132b354be76076b20cc
Adware.FileTour
a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d
Adware.FileTour
aa9be79c40da851c806a4cbd196aad2731e57090c5c4e0bb107437073e0ebd11
Adware.FileTour
cf1a8304da78b6286a412d33ef3e0390949eb83e5b08ad63c006ed578d5d4c95
Adware.FileTour
e13ba9f6e63e4013b75c3d45b012d8cbdda80913669bdd10942828b05d66e798
Adware.FileTour
ea077019bc7eed24cd45cf0e7b78d8a90ee8a7b8e6a7c7e994d1f62954d00c39
Adware.FileTour
eb2b82c14b81523edd762536c3dcd308624821dd6840e8cabdf94327d55fcbf9
Adware.FileTour
+ 9 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:plugx family:redline discovery evasion infostealer persistence trojan vmprotect
Link:
https://tria.ge/reports/210523-x8w7y262e2/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
VMProtect packed file
Checks for common network interception software
PlugX
RedLine
RedLine Payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13282c40dd66c53e866c60202f428781cf9562bb0f02e30027ebb7fb41efb5b8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/160941/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-23 18:01:16 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [C0021] Cryptography Micro-objective::Generate Pseudo-random Sequence
2) [C0032.001] Data Micro-objective::CRC32::Checksum
3) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0046] File System Micro-objective::Create Directory
6) [C0048] File System Micro-objective::Delete Directory
7) [C0047] File System Micro-objective::Delete File
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0052] File System Micro-objective::Writes File
11) [C0007] Memory Micro-objective::Allocate Memory
12) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
13) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
14) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
15) [C0017.003] Process Micro-objective::Create Suspended Process::Create Process
16) [C0017] Process Micro-objective::Create Process
17) [C0041] Process Micro-objective::Set Thread Local Storage Value
18) [C0018] Process Micro-objective::Terminate Process