MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fddf826955108a8c57deb9526f847f666aceef5118fb56c55ed78b17fcfb1c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3fddf826955108a8c57deb9526f847f666aceef5118fb56c55ed78b17fcfb1c6
SHA3-384 hash: 090349be6be55ca5e07c90d5129fcd05a3b598e3c90fa520a69f909f4a25016de3f98ddbc1ccde2300be42c60ebb712f
SHA1 hash: 4103d832327db2fede92d1371dc315441514a906
MD5 hash: 6f57086b2160f6aea3af17701c8301f6
humanhash: hamper-oven-music-queen
File name:6F57086B2160F6AEA3AF17701C8301F6.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:7'115'871 bytes
First seen:2021-07-04 22:15:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 196608:itcp+gyhio5UzQbMBZ+H+AJQmxEbV7xZ/hp:b5yhioWTBZ+eAJHELZ3
TLSH EA66333AA301C677D2A03F315D0BA177B43A76995F7A018F0BC86A6D183775C17B43AA
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
185.215.113.85:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.85:80 https://threatfox.abuse.ch/ioc/157534/

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://keygenit.com
Verdict:
Malicious activity
Analysis date:
2021-07-04 04:01:39 UTC
Tags:
evasion trojan rat azorult stealer loader miner keylogger agenttesla raccoon opendir vidar autoit danabot redline phishing
Link:
https://app.any.run/tasks/94a2ae41-9c88-42a9-a2c2-b9135fc5aa6b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169645/
Detection(s):
Win.Malware.Fabookie-9797757-0
Create hunting rule

Win.Malware.Generic-9849070-0
Create hunting rule

SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fca3cc74-4ec9-4ba7-b135-8e6c55042921
Result
Threat name:
Backstage Stealer Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811636
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Backstage Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 444047 Sample: i9TdI1j0k2.exe Startdate: 05/07/2021 Architecture: WINDOWS Score: 100 151 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->151 153 Multi AV Scanner detection for domain / URL 2->153 155 Found malware configuration 2->155 157 15 other signatures 2->157 9 i9TdI1j0k2.exe 14 15 2->9         started        process3 file4 63 C:\Program Files (x86)\...\lylal220.exe, PE32 9->63 dropped 65 C:\Program Files (x86)\...\hjjgaa.exe, PE32 9->65 dropped 67 C:\Program Files (x86)\...\guihuali-game.exe, PE32 9->67 dropped 69 5 other files (4 malicious) 9->69 dropped 12 guihuali-game.exe 9->12         started        15 lylal220.exe 2 9->15         started        17 RunWW.exe 90 9->17         started        21 4 other processes 9->21 process5 dnsIp6 71 C:\Users\user\AppData\Local\...\install.dll, PE32 12->71 dropped 73 C:\Users\user\AppData\...\adobe_caps.dll, PE32 12->73 dropped 23 rundll32.exe 12->23         started        26 conhost.exe 12->26         started        75 C:\Users\user\AppData\Local\...\lylal220.tmp, PE32 15->75 dropped 28 lylal220.tmp 15->28         started        125 157.90.127.76, 49723, 80 REDIRISRedIRISAutonomousSystemES United States 17->125 127 sergeevih43.tumblr.com 74.114.154.22, 443, 49720 AUTOMATTICUS Canada 17->127 77 C:\Users\user\AppData\...\softokn3[1].dll, PE32 17->77 dropped 85 11 other files (none is malicious) 17->85 dropped 159 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->159 161 Tries to harvest and steal browser information (history, passwords, etc) 17->161 163 Tries to steal Crypto Currency Wallets 17->163 32 cmd.exe 17->32         started        129 ip-api.com 208.95.112.1, 49711, 80 TUT-ASUS United States 21->129 131 88.99.66.31 HETZNER-ASDE Germany 21->131 133 4 other IPs or domains 21->133 79 C:\Users\user\AppData\Roaming\7629979.exe, PE32 21->79 dropped 81 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 21->81 dropped 83 C:\Users\user\AppData\Roaming\6181864.exe, PE32 21->83 dropped 87 3 other files (none is malicious) 21->87 dropped 34 MediaBurner.tmp 21->34         started        36 LabPicV3.tmp 21->36         started        38 7629979.exe 21->38         started        40 5 other processes 21->40 file7 signatures8 process9 dnsIp10 165 Writes to foreign memory regions 23->165 167 Allocates memory in foreign processes 23->167 169 Creates a thread in another existing process (thread injection) 23->169 42 svchost.exe 23->42 injected 45 svchost.exe 23->45 injected 89 C:\Users\user\AppData\...lZan _  _.exe, PE32 28->89 dropped 91 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 28->91 dropped 93 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 28->93 dropped 95 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 28->95 dropped 47 ElZan _  _.exe 28->47         started        50 conhost.exe 32->50         started        52 taskkill.exe 32->52         started        145 superstationcity.com 194.163.135.248, 49714, 49716, 49717 NEXINTO-DE Germany 34->145 101 4 other files (none is malicious) 34->101 dropped 54 JFHGSFGSIUGFSUIG.exe 34->54         started        97 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 36->97 dropped 103 3 other files (none is malicious) 36->103 dropped 57 758____Dawn.exe 36->57         started        99 C:\Users\user\AppData\...\WinHoster.exe, PE32 38->99 dropped 171 Creates multiple autostart registry keys 38->171 147 172.67.152.52 CLOUDFLARENETUS United States 40->147 149 192.168.2.1 unknown unknown 40->149 105 7 other files (none is malicious) 40->105 dropped 173 Tries to harvest and steal browser information (history, passwords, etc) 40->173 file11 signatures12 process13 dnsIp14 175 System process connects to network (likely due to code injection or exploit) 42->175 177 Sets debug register (to hijack the execution of another thread) 42->177 179 Modifies the context of a thread in another process (thread injection) 42->179 59 svchost.exe 42->59         started        107 C:\Program Files (x86)\...\Lozhuqaeshuko.exe, PE32 47->107 dropped 109 C:\...\Lozhuqaeshuko.exe.config, XML 47->109 dropped 119 3 other files (none is malicious) 47->119 dropped 181 Creates multiple autostart registry keys 47->181 135 173.222.108.226 AKAMAI-ASN1EU United States 54->135 137 162.0.210.44 ACPCA Canada 54->137 111 C:\Program Files (x86)\...\Hilonilaxu.exe, PE32 54->111 dropped 113 C:\...\Hilonilaxu.exe.config, XML 54->113 dropped 121 3 other files (none is malicious) 54->121 dropped 139 63.250.33.126 NAMECHEAP-NETUS United States 57->139 141 162.0.220.187 ACPCA Canada 57->141 115 C:\Program Files (x86)\...\Weqalepuvi.exe, PE32 57->115 dropped 117 C:\...\Weqalepuvi.exe.config, XML 57->117 dropped 123 3 other files (none is malicious) 57->123 dropped file15 signatures16 process17 dnsIp18 143 email.yg9.me 198.13.62.186 AS-CHOOPAUS United States 59->143 183 Query firmware table information (likely to detect VMs) 59->183 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3fddf826955108a8c57deb9526f847f666aceef5118fb56c55ed78b17fcfb1c6/
Threat name:
Win32.Trojan.Fabookie
Create hunting rule
Status:
Malicious
First seen:
2021-07-03 03:21:17 UTC
AV detection:
24 of 46 (52.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h7o7qjuvkeekrrl55oksn6ch6ztkz3xvcgh3k3cv5v4lc76pwhda._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar discovery infostealer stealer upx vmprotect
Link:
https://tria.ge/reports/210704-9nem7thmws/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Vidar Stealer
RedLine
RedLine Payload
Vidar
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/9bb55b12-5db5-4ec1-8c6e-04e43e944640/
SH256 hash:
01808f7bce25db18bce99e432555fcfff148a1d931128edebc816975145cabd7
MD5 hash:
5e6df381ce1c9102799350b7033e41df
SHA1 hash:
f8a4012c9547d9bb2faecfba75fc69407aaec288
Link:
https://www.unpac.me/results/9bb55b12-5db5-4ec1-8c6e-04e43e944640/
SH256 hash:
b26d99296cc1f38ad735c36a305eb206b8a9022e92b463886ed918f42dee0b04
MD5 hash:
9decb9ebf19e4e45bd75f175140e1018
SHA1 hash:
c9d35d2bc78dd37270dbe17f2555324c6f560d11
Link:
https://www.unpac.me/results/9bb55b12-5db5-4ec1-8c6e-04e43e944640/
SH256 hash:
4c69620b527dbaa16cebdfb1fe011a222efa2859b3f7563081119a39424a8b8d
MD5 hash:
2d1cb89f7296dfd258bbf8a09d37ae4f
SHA1 hash:
fbcb45cb0c4996611005d58955dd4d9f970cafac
Link:
https://www.unpac.me/results/9bb55b12-5db5-4ec1-8c6e-04e43e944640/
SH256 hash:
9a566a751fb85fa41fc104418a5c4ba7bfa3ff8f51756c08af32a7283b2cab33
MD5 hash:
c70579438c9f650b735d1688aa94b364
SHA1 hash:
ecbd200e029c22eaa7a7ea62647686c05677ee29
Link:
https://www.unpac.me/results/9bb55b12-5db5-4ec1-8c6e-04e43e944640/
SH256 hash:
6bea897b06441f33f33764c26f62c206666a204768cf3e5c0ae6912d8e86780f
MD5 hash:
128250f29b71047e68f7b2ba44b10535
SHA1 hash:
fc7fbe41eec8ac9e286451ade80a2f5c7abddc1c
Link:
https://www.unpac.me/results/9bb55b12-5db5-4ec1-8c6e-04e43e944640/
SH256 hash:
eaafcf04b8aff22d260ebe0c132f535e79849f5cbdab44ebd36b028c69d4e24b
MD5 hash:
2a0c825a5c0031c7215d9e2db44982f9
SHA1 hash:
418765a0a08a0894f63b21d13939735a64080e8e
Link:
https://www.unpac.me/results/9bb55b12-5db5-4ec1-8c6e-04e43e944640/
SH256 hash:
c1864eacfbda1495a7e13c7e6e937cc4013aa3bdfcf123d036d1816a5d44340c
MD5 hash:
93f90e947ac6727d9dd5820f1b53977a
SHA1 hash:
b2189950a30dd3625ecf2fc3d83a587c9391dd4b
Link:
https://www.unpac.me/results/9bb55b12-5db5-4ec1-8c6e-04e43e944640/
SH256 hash:
a0e7fb0673a5ecd636015e08430379a623ddd5e98f14658cd73a03673da253d4
MD5 hash:
ba8e03adbaa33b63a0c81360c650e096
SHA1 hash:
20260a8535edc45dddbad767ff2105c85ce7735a
Link:
https://www.unpac.me/results/9bb55b12-5db5-4ec1-8c6e-04e43e944640/
SH256 hash:
3fddf826955108a8c57deb9526f847f666aceef5118fb56c55ed78b17fcfb1c6
MD5 hash:
6f57086b2160f6aea3af17701c8301f6
SHA1 hash:
4103d832327db2fede92d1371dc315441514a906
Link:
https://www.unpac.me/results/9bb55b12-5db5-4ec1-8c6e-04e43e944640/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3fddf826955108a8c57deb9526f847f666aceef5118fb56c55ed78b17fcfb1c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICOIUS_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169645/

Comments