MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ec6c6341ff83005a6515d942976d2092549312d419a29e59d0efb15d65749bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.FileTour

Vendor detections: 14

SHA256 hash: 2ec6c6341ff83005a6515d942976d2092549312d419a29e59d0efb15d65749bf
SHA3-384 hash: 83bd69d9aa4aedb9f8c580228c6ea3812e3a36c4de419f34d11196269b582746b5eab5beb891963f814f71e743fe385b
SHA1 hash: 276c234a544054072593fb3b87e2a37f81e4f3c5
MD5 hash: 15fd29325e11aa1777bdde1e09829784
humanhash: six-robert-island-artist
File name: 15FD29325E11AA1777BDDE1E09829784.exe
Signature: Adware.FileTour
File size: 3'365'608 bytes
First seen: 2021-08-09 20:55:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (shared with 863 DCRat, 118 NanoCore and 94 njrat samples in MalwareBazaar, so it identifies a common loader or packer stub rather than this family; do not pivot on it alone)
ssdeep: 98304:UbvDpNv9xyFximcWtxL4iZ1XxDLv6BFe6:UoxHcCLn3pLiBFe6
TLSH: T154F53300BDC094B2D1A119394674E628697D7C306F108BDFF7945A6E8B361C1EF39BAB
dhash icon: 9494b494d4aeaeac (shared with 832 DCRat, 172 RedLineStealer and 134 CryptOne samples)
Reporter: abuse_ch
Tags: Adware.FileTour exe
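A downloaded copy should be checked against the hashes and size listed above before it goes anywhere near an analysis box; a mismatch means a different file (wrong download, a re-packed copy, or one of the dropped children rather than the submitted sample). The script below is an added example written for this page, not MalwareBazaar's own tooling; it uses only the standard library and the values from the entry, and treats a leading "MZ" as the stand-in for the application/x-dosexec MIME check.

```python
"""Verify a downloaded sample against the hashes and size this entry lists.
Added example for this page, not MalwareBazaar's own tooling."""
import hashlib

# Values copied from the entry above. Any field that does not match means the
# file on disk is not the submitted sample.
ENTRY = {
    "sha256": "2ec6c6341ff83005a6515d942976d2092549312d419a29e59d0efb15d65749bf",
    "sha3_384": "83bd69d9aa4aedb9f8c580228c6ea3812e3a36c4de419f34d11196269b582746b5eab5beb891963f814f71e743fe385b",
    "sha1": "276c234a544054072593fb3b87e2a37f81e4f3c5",
    "md5": "15fd29325e11aa1777bdde1e09829784",
    "size": 3365608,
    "is_pe": True,   # stands in for MIME type application/x-dosexec
}

ALGOS = ("sha256", "sha3_384", "sha1", "md5")


def fingerprint(data: bytes) -> dict:
    """Compute the same fields the entry lists, from raw file bytes."""
    fp = {name: hashlib.new(name, data).hexdigest() for name in ALGOS}
    fp["size"] = len(data)
    fp["is_pe"] = data[:2] == b"MZ"  # DOS header magic; cheap MIME sanity check
    return fp


def fingerprint_file(path: str, chunk: int = 1 << 20) -> dict:
    """Streaming variant for large files: hashes without reading the file whole."""
    hashes = {name: hashlib.new(name) for name in ALGOS}
    size, head = 0, b""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            if not head:
                head = block[:2]
            size += len(block)
            for h in hashes.values():
                h.update(block)
    fp = {name: h.hexdigest() for name, h in hashes.items()}
    fp["size"] = size
    fp["is_pe"] = head == b"MZ"
    return fp


def compare(fp: dict, entry: dict = ENTRY) -> list:
    """Return the names of the fields that disagree with the entry ([] means match).
    Field order follows the entry, so the strongest evidence (SHA256) comes first."""
    return [key for key, value in entry.items() if fp.get(key) != value]


if __name__ == "__main__":
    import sys
    mismatches = compare(fingerprint_file(sys.argv[1]))
    print("match" if not mismatches else "MISMATCH: " + ", ".join(mismatches))
```

Run it as `python verify.py 15FD29325E11AA1777BDDE1E09829784.exe` on the extracted file (not on the archive it was delivered in). The four digests are reported separately rather than collapsed into a single yes/no so that a partial mismatch, which would indicate a corrupted download or a hash transcription error rather than a different file, is visible.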


abuse_ch
Adware.FileTour C2:
http://ggc-partners.top/stats/remember.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                             ThreatFox reference
http://ggc-partners.top/stats/remember.php      https://threatfox.abuse.ch/ioc/166296/
http://ggc-partners.top/dlc/distribution.php    https://threatfox.abuse.ch/ioc/166297/

Intelligence


File Origin
# of uploads :
1
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
15FD29325E11AA1777BDDE1E09829784.exe
Verdict:
Malicious activity
Analysis date:
2021-08-09 20:58:13 UTC
Tags:
autoit evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Creating a file
Using the Windows Management Instrumentation requests
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Changing a file
Reading critical registry keys
Sending an HTTP POST request
Moving a file to the %temp% subdirectory
Replacing files
Possible injection to a system process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Launching a tool to kill processes
Stealing user critical data
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmokeLoader Socelars
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates processes via WMI
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sample is protected by VMProtect
Sigma detected: Execution from Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph:
Behavior graph (ID 462130, sample I3MeJlxmtl.exe, start date 09/08/2021, Windows, score 100), flattened into a process tree. "..." in paths and the "N other" counts are as truncated in the sandbox report.

Top level: contacts 208.95.112.1 (TUT-ASUS, United States), 74.119.195.134 (MOVECLICKLLCUS, United States) and 3 other IPs or domains. Signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 12 other signatures.

I3MeJlxmtl.exe
  drops: C:\Users\user\Desktop\pub2.exe (PE32); C:\Users\user\Desktop\jg3_3uag.exe (PE32); C:\Users\user\Desktop\Install.exe (PE32); 4 other files (2 malicious)
  starts: Info.exe, Files.exe, jg3_3uag.exe and 4 other processes
  Info.exe
    contacts: 136.144.41.201 (WORLDSTREAMNL, Netherlands); 37.0.10.236 (WKD-ASIE, Netherlands); 16 other IPs or domains
    drops: C:\Users\...\xdIbhJg8omKJQ99IH3xtmX7I.exe (PE32); C:\Users\...\uTEj7XLAlvHN19E0Kwjy40Wc.exe (PE32); C:\Users\...\hV8klFnFmXtCUzO7QIbnWqLc.exe (PE32); 47 other files (26 malicious)
    signatures: Drops PE files to the document folder of the user; Disable Windows Defender real time protection (registry)
  Files.exe
    drops: C:\Users\user\AppData\Local\Temp\...\File.exe (PE32)
    starts: File.exe
    File.exe
      contacts: 92.53.96.150 (TIMEWEB-ASRU, Russian Federation); 8.8.8.8 (GOOGLEUS, United States)
      drops: C:\Users\Public\run.exe (PE32)
      signatures: Binary is likely a compiled AutoIt script file; Drops PE files to the user root directory
  jg3_3uag.exe
    contacts: 101.36.107.74 (UHGL-AS-APUCloudHKHoldingsGroupLimitedHK, China)
    drops: C:\Users\user\Documents\...\jg3_3uag.exe (PE32)
    signatures: Tries to harvest and steal browser information (history, passwords, etc)
  4 other processes
    contacts: 172.67.201.250 (CLOUDFLARENETUS, United States); 144.202.76.47 (AS-CHOOPAUS, United States); 3 other IPs or domains
    signatures: Creates processes via WMI
    starts: chrome.exe, Folder.exe, conhost.exe
    chrome.exe
      contacts: 88.99.66.31 (HETZNER-ASDE, Germany); 142.250.184.206 (GOOGLEUS, United States); 11 other IPs or domains
      drops: C:\Users\user\AppData\Local\...\Cookies (SQLite)
    Folder.exe
      drops: C:\Users\user\AppData\Local\Temp\axhub.dll (PE32); C:\...\api-ms-win-core-string-l1-1-0.dll (PE32); C:\...\api-ms-win-core-namedpipe-l1-1-0.dll (PE32)
      starts: conhost.exe
Threat name:
Win32.Trojan.Propagate
Status:
Malicious
First seen:
2021-08-07 03:55:00 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Result
Malware family:
socelars
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:socelars botnet:9fd53b475fc64a3ea667b6e92477d7b54c1560a6 botnet:мощный agilenet backdoor discovery evasion infostealer spyware stealer suricata trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
autoit_exe
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE Possible Dridex Download URI Struct with no referer
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
Raccoon Stealer Payload
RedLine
RedLine Payload
Malware Config
C2 Extraction:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
193.56.146.22:47861
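The two ThreatFox URLs in the IOC section above and the C2 list extracted from the unpacked payloads here are the parts of this entry that a SOC can act on directly. The script below is an added example written for this page, not abuse.ch or sandbox tooling: it indexes those IOCs and sweeps proxy, DNS and firewall records for them, ranking each hit by how specific the evidence is (exact URL, then domain or subdomain, then IP:port, then bare IP). The three log formats and the log lines themselves are constructed for the example; real logs need their own field extraction in `match_line`.

```python
"""Sweep proxy, DNS and firewall logs for the network IOCs this entry lists.
Added example for this page, not abuse.ch or sandbox tooling. Log formats and
log lines are constructed for the example."""
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# From the page: the two ThreatFox URLs (Adware.FileTour) and the C2 list
# extracted from the unpacked payloads (RedLine / Socelars). Nothing else.
URL_IOCS = [
    "http://ggc-partners.top/stats/remember.php",
    "http://ggc-partners.top/dlc/distribution.php",
    "http://conceitosseg.com/upload/",
    "http://integrasidata.com/upload/",
    "http://ozentekstil.com/upload/",
    "http://finbelportal.com/upload/",
    "http://telanganadigital.com/upload/",
]
SOCKET_IOCS = ["193.56.146.22:47861"]


class Hit(NamedTuple):
    line: int   # index into the log
    kind: str   # url > domain > socket > ip, strongest evidence first
    ioc: str
    raw: str


def build_index(url_iocs=URL_IOCS, socket_iocs=SOCKET_IOCS) -> dict:
    """Split the IOCs into exact (host, path) pairs, bare hosts, sockets and IPs."""
    idx = {"urls": set(), "hosts": set(), "sockets": set(), "ips": set()}
    for u in url_iocs:
        p = urlsplit(u)
        host = p.hostname.lower()
        idx["hosts"].add(host)
        idx["urls"].add((host, p.path or "/"))
    for s in socket_iocs:
        ip, port = s.rsplit(":", 1)
        idx["sockets"].add((ip, int(port)))
        idx["ips"].add(ip)
    return idx


def _domain_hit(qname: str, hosts: set) -> Optional[str]:
    """A domain IOC also covers its subdomains (e.g. www.ggc-partners.top)."""
    q = qname.lower().rstrip(".")
    return next((h for h in hosts if q == h or q.endswith("." + h)), None)


def match_line(i: int, line: str, idx: dict) -> Optional[Hit]:
    """Constructed record formats:
       '<ts> proxy <client> <method> <url> <status>'
       '<ts> dns   <client> <rrtype> <qname>'
       '<ts> fw    <client> <proto> <ip:port> <action>'"""
    f = line.split()
    if len(f) < 5:
        return None
    kind = f[1]
    if kind == "proxy":
        p = urlsplit(f[4])
        host = (p.hostname or "").lower()
        if (host, p.path or "/") in idx["urls"]:      # query string deliberately ignored
            return Hit(i, "url", host + p.path, line)
        h = _domain_hit(host, idx["hosts"])
        return Hit(i, "domain", h, line) if h else None
    if kind == "dns":
        h = _domain_hit(f[4], idx["hosts"])
        return Hit(i, "domain", h, line) if h else None
    if kind == "fw":
        ip, port = f[4].rsplit(":", 1)
        if (ip, int(port)) in idx["sockets"]:
            return Hit(i, "socket", f[4], line)
        return Hit(i, "ip", ip, line) if ip in idx["ips"] else None
    return None


def scan_logs(lines, idx: Optional[dict] = None) -> list:
    idx = idx or build_index()
    return [h for h in (match_line(i, l, idx) for i, l in enumerate(lines)) if h]


LOG_LINES = [  # constructed: 10.0.0.7 looks infected, 10.0.0.9 produces weaker signals
    "2021-08-09T21:01:02Z proxy 10.0.0.7 GET http://ggc-partners.top/stats/remember.php?id=1 200",
    "2021-08-09T21:01:05Z dns 10.0.0.7 A conceitosseg.com",
    "2021-08-09T21:01:09Z proxy 10.0.0.7 POST http://conceitosseg.com/upload/ 200",
    "2021-08-09T21:01:10Z fw 10.0.0.7 TCP 193.56.146.22:47861 ALLOW",
    "2021-08-09T21:02:00Z proxy 10.0.0.9 GET http://example.com/stats/remember.php 200",
    "2021-08-09T21:02:03Z dns 10.0.0.9 A www.ggc-partners.top",
    "2021-08-09T21:02:04Z fw 10.0.0.9 TCP 193.56.146.22:443 ALLOW",
]

if __name__ == "__main__":
    for h in scan_logs(LOG_LINES):
        print(f"line {h.line}: {h.kind:<6} {h.ioc}")
```

The path-only IOC (example.com with the same /stats/remember.php path) is deliberately not a hit: the path alone is generic. The bare-IP match on 193.56.146.22:443 is reported but ranked lowest, because the sandbox also flags "Legitimate hosting services abused for malware hosting/C2" and an IP on shared infrastructure is weak evidence without the port.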
Unpacked files
Listed as SHA256 / MD5 / SHA1 per file:

8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d / 559948db5816ae7ab26eb2eb533887ed / e60442c6fb35239d298b01b0f4558264c01b2e7f
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1 / 1c7be730bdc4833afb7117d48c3fd513 / dc7e38cfe2ae4a117922306aead5a7544af646b8
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435 / ae7c477ce9bd98d13ccff5fc4a0d190e / 249ff902f66c3d0cee6656802b14a9c34807bc8f
6b47cdab0328059d8edc5f6a8700ff47b95904f0d5ffd3071475922da632cb47 / 28dec7fa05b13908a0d80048d7554be8 / 7a122fa8d5cf43465070c481e88efc9c40f37cde
5559c74bb425c1803ff900ce51643d0453809b9a30584773bad518384f684087 / 5d3d5f41f5fd5d33ebcc5ed4ca0e64ff / 4a3967a8982cff6998ba599acd050b12d95c6baf
3d67bae1a41794a00e7374e41087f29efb893257d0dac5218f571b46cc1040fa / 2d8176c32761820c08580daa8434214a / 204e4038f0466b6f4b1b687fb647b851160cc1ae
829724693f7ee90bb9bc101eb1b8d3e6718f9b3bd35c7a69bcdf13579b85795e / 7a5e3ab315604d2f98608e40eb5af3de / 2c9984a94a8f766a3ca866248577a8118431943e
67cdc7c5de5e46229adc831dc6fd3053d996ecf02e94706b6b6ae1b0ed976f2c / 555b5b60b2dcc53e71e6d9ba8302c4b9 / 550326b1226629a867d4606ad0c98c4ef9596b47
a5abe23c51a32940b54e2ae81a7086c4c70caa55abf20adeb8215210aedb5d52 / c1bb7f4a08e1e3c58c5b4d3e03525182 / 5e9a24e33908e39c44dfbf964f0996a3827ebfeb (detections: win_socelars_auto)
57d12753d0c78492a38a39caf5378c33a89cbeb7680c7a6ad8af9479b512a61c / 5f4f5360acba8dadf0bb1888f8350896 / 4f9f41eb4319d6c4458770f5363ddda8b185f15e
3e62ffd46bb97dad1c9542d7c310fd76307934b38a4ade5d4100cd00aaffa880 / 1098fd963a65a47d1e9da0e0768ee83c / f107d50e8bd9e94f902a46d429a088379f236e83
81f0ee3a12483ed5f08aa961c7d9ded73320d6efd83bd57e501e3b64ee78296f / 990ce4a22aa1b7b8345dcc2262cab2ca / 2a1ccad863c8ff2a7f810e8025e2370cb43aad18
a0d7481318b5c92fc44974c0927ba5caf0e0bbf50ab66f7c595106f1d9ae5187 / d0a37de8df871666f8d4c3f94c577272 / be40ba320c41eedae3c606b916484bb7f886ee26
2ec6c6341ff83005a6515d942976d2092549312d419a29e59d0efb15d65749bf / 15fd29325e11aa1777bdde1e09829784 / 276c234a544054072593fb3b87e2a37f81e4f3c5 (the submitted sample itself)
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.