MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c5bcf3f88a6848053f57223363adb22e49f41b1c8a54f8ddc370508c3043e70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.FileTour
Vendor detections: 12

SHA256 hash: 2c5bcf3f88a6848053f57223363adb22e49f41b1c8a54f8ddc370508c3043e70
SHA3-384 hash: 446c2221d3df6dc87df170b25cb11c6eb660e1f716cc05382f10cdc0e7c99c6c0f32a4d607b1d6232b77b317d9dd195a
SHA1 hash: 9871cc17704732c0a376f7245c31544af711a729
MD5 hash: b7464f482b06e0ce25f0323f58f5c058
humanhash: pasta-alanine-ceiling-kansas
File name: B7464F482B06E0CE25F0323F58F5C058.exe
Signature: Adware.FileTour
File size: 4'152'669 bytes
First seen: 2021-06-17 20:50:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:Ub5DpoD2hP7o5q9yc9aqheNRNQY1tUQrEGOkyZ9UMR01gDs:UsD69yc9aTHNQzzjUG01gDs
Threatray: 682 similar samples on MalwareBazaar
TLSH: 3E163381B6C4C8B2C472297696B9A721867DBC301F3CDF9B539444ACCA746C0D736AB7
Reporter: abuse_ch
Tags: Adware.FileTour exe


abuse_ch
Adware.FileTour C2:
162.55.170.54:29785

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
162.55.170.54:29785  https://threatfox.abuse.ch/ioc/131101/

Intelligence

File Origin
# of uploads: 1
# of downloads: 206
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: B7464F482B06E0CE25F0323F58F5C058.exe
Verdict: Malicious activity
Analysis date: 2021-06-17 20:53:13 UTC
Tags: autoit evasion stealer trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: SmokeLoader Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
DLL reload attack detected
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample is protected by VMProtect
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by executing a special instruction which causes a usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph: (graph rendering not reproducible as text; Behavior Graph ID: 436369, Sample: ZDX1RKucBg.exe, Startdate: 17/06/2021, Architecture: WINDOWS, Score: 100)
Threat name: Win32.Trojan.CookiesStealer
Status: Malicious
First seen: 2021-06-14 07:24:00 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:plugx family:redline family:smokeloader family:tofsee family:vidar backdoor discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Runs ping.exe
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
autoit_exe
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
VMProtect packed file
Checks for common network interception software
PlugX
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Tofsee
Vidar
Malware Config
C2 Extraction:
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Glasses
Author: Seth Hardy
Description: Glasses family
Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features
Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.
Rule name: INDICATOR_TOOL_ChromeCookiesView
Author: ditekSHen
Description: Detects ChromeCookiesView
Rule name: INDICATOR_TOOL_EdgeCookiesView
Author: ditekSHen
Description: Detects EdgeCookiesView
Rule name: MALWARE_Win_HyperBro03
Author: ditekSHen
Description: Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del
Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name: win_smokeloader_a2
Author: pnx
Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments