MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.FileTour

Vendor detections: 9

Intelligence 9 IOCs 4 YARA File information Comments

SHA256 hash:	486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5
SHA3-384 hash:	b545bc5514a8d46933fef0bb08737b82ed5f6f34b681881f118d51b66c16eb519b3da730e28aad448ed169deed583e5c
SHA1 hash:	8840feba8025ce904c076cf35cc0835b718503aa
MD5 hash:	d1adee00a2745df94375ba4d0026c637
humanhash:	neptune-king-mississippi-ohio
File name:	D1ADEE00A2745DF94375BA4D0026C637.exe
Download:	download sample
Signature	Adware.FileTour Create hunting rule
File size:	4'085'712 bytes
First seen:	2021-08-13 07:56:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep	98304:yY31zkSBNIKE1pgbusbPh4NPIEuTw74qly:yK9BCKbbtK5I12Xy
Threatray	310 similar samples on MalwareBazaar
TLSH	T1BA1633580155F53FF3861FB08E094076B3F62E2C38FC5A462E465DE34179962FAAF682
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	Adware.FileTour exe

abuse_ch

Adware.FileTour C2:
http://ggc-partners.info/decision.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://ggc-partners.info/decision.php	https://threatfox.abuse.ch/ioc/184302/
185.53.46.25:18856	https://threatfox.abuse.ch/ioc/184311/
65.21.228.92:46802	https://threatfox.abuse.ch/ioc/184313/
http://45.67.231.40/	https://threatfox.abuse.ch/ioc/184315/

Intelligence

File Origin

# of uploads :

# of downloads :

186

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/178894/

Detection(s):

Win.Packed.Barys-9859531-0

Win.Malware.Generic-9863888-0

Win.Packed.Jaik-9863991-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Searching for the window

Running batch commands

Connection attempt

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Deleting a recently created file

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2c16d8ea-d4af-4716-852b-383c9197411f

Result

Threat name:

RedLine Socelars Vidar

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/832215

Signature

Antivirus detection for dropped file

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to steal Chrome passwords or cookies

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has a writeable .text section

PE file has nameless sections

Sigma detected: Suspicious Svchost Process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected RedLine Stealer

Yara detected Socelars

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5/

Threat name:

Win32.Trojan.Chapak

Status:

Malicious

First seen:

2021-08-09 18:43:34 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jbwvemndlxcojszuc6qtkpbqakmiesu57gejbiiaywlopqiynksq._file

Verdict:

unknown

Adware.FileTour

51837836176f75bd57295071de596b18ec1a1af63681ccfdd69f5dedb0976da3

Adware.FileTour

65624215e9613e4922c32eb184b75ea1334a6a2fa32d45ef535918ef7b9a9eca

Adware.FileTour

799cb4b1d385475c155fae6fc0c214b059f191ed06b9229f287a8d9225ba8a21

Adware.FileTour

82e531dd4163ca5716a8b2f3feb188fc7fdbf8cac0270aa76664925fdd5124e2

Adware.FileTour

befd232ab8dab62c010a0a96e0e62a1ff561509877fd8acfa1507df11e092aec

Adware.FileTour

c5528f76191477d30f3d6451d82bf0015d9a3706565fddd37e87130635f3182c

Adware.FileTour

+ 300 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:7new botnet:916 botnet:937 aspackv2 backdoor infostealer persistence stealer suricata trojan vmprotect

Link:

https://tria.ge/reports/210813-9mnxqjhlzj/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Kills process with taskkill

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

VMProtect packed file

Vidar Stealer

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Vidar

suricata: ET MALWARE GCleaner Downloader Activity M1

suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

Malware Config

C2 Extraction:

https://prophefliloc.tumblr.com/
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80

Unpacked files

SH256 hash:

76fd57122331c7e402c7ab4a48bb9a86529641200f391241e20f31232e5f439b

MD5 hash:

922068b48ff8abb7e513a724443c1f62

SHA1 hash:

fef5db5322dae45dade837d28a2ad1aa159c74b9

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

SH256 hash:

e51763543ade893e7423ed3f589fbe73f84ee2fb41f612cbfcbf61cf6e45d471

MD5 hash:

4352aeaf791c3bc2c18c3b00f53fd6e2

SHA1 hash:

3d3a3722e9b3811bf9b1fdf00a4f290a9396630a

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

SH256 hash:

0cfeb696a1e79a5933429e77f1d32b5d95fafbbd7053955a7ade9c0de264a904

MD5 hash:

2354ad9552eb7a2b129b6397be8fdcf1

SHA1 hash:

20218e9b1dc221230e279cdc1e33e012d38a7aeb

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

SH256 hash:

a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265

MD5 hash:

117c7ff5dd9efc0b059f64520f2d4f46

SHA1 hash:

ff07b1fcc58aa62b42d797981e0d953d9f9e0120

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

SH256 hash:

6e037f08a0c238f222fa2d717d487896fb12c411129748e6729e5599abc43b13

MD5 hash:

9806f3f87bcb267281009a6fc5c420fa

SHA1 hash:

1e36820c67183d74e9c1f94cfa63863e520b0598

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

Parent samples :

549953d5db2a4646740e721e24ec1b7fa57ef6c4d72ffa32752b17d4a65c36e4
2f3cf6f156ce19666bd422299ae5a2055bc1f93dc1ed7330b7305668ef7b3cd5
0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234

SH256 hash:

1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff

MD5 hash:

0965da18bfbf19bafb1c414882e19081

SHA1 hash:

e4556bac206f74d3a3d3f637e594507c30707240

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

SH256 hash:

d3cd0b6963c1b88ff327eee0953c9e30ed3fe4ed7cc198a949b285b626c237d6

MD5 hash:

6cae1487c1ba88b65eead225c280d78c

SHA1 hash:

e2624ce9267706b64ee724abe6e7dc8e1dcafd32

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

SH256 hash:

c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775

MD5 hash:

13a289feeb15827860a55bbc5e5d498f

SHA1 hash:

e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

SH256 hash:

50c924e0f3b319b8f66278419f3c0dbd14c1c7d8d33e32d70ee1a959df30d4ae

MD5 hash:

7e51418ec90a49b4b6b3ce8e4ba26ba1

SHA1 hash:

9cc182ef14b4731d3c45930161afb0ee170d885c

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

SH256 hash:

9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

MD5 hash:

3263859df4866bf393d46f06f331a08f

SHA1 hash:

5b4665de13c9727a502f4d11afb800b075929d6c

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

SH256 hash:

8bee01f04f5a1a077b35213ac4749a2798196b29aa469c5aa9a683fbfc4cfb5a

MD5 hash:

cf9709c91d2c6707e48e09f89cbf6d83

SHA1 hash:

f2348705785fe4321f5cdbb983ff5571f9e66178

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

SH256 hash:

a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71

MD5 hash:

7aaf005f77eea53dc227734db8d7090b

SHA1 hash:

b6be1dde4cf73bbf0d47c9e07734e96b3442ed59

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

SH256 hash:

3cea2de7a396967ee1690ffb6bae439b0b3729b06bf26051da6b2084e550e12c

MD5 hash:

fdfe5493e5bed740a0bf52a098f5253f

SHA1 hash:

2bdcc0e0cb8403f5938a10d6c9ecbae457209e2f

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

SH256 hash:

e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963

MD5 hash:

f707252b9c9579677fffb013e0cfc646

SHA1 hash:

8ab483023fa8773afb8c13464c39c5b8e687f126

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

SH256 hash:

97c674b3d76a79d6e460077ff7f12ddfea643a1cdf195f6c8380aef829a3c9d3

MD5 hash:

b77d5da7e8810c1f3e53750360c5ce42

SHA1 hash:

c9a5574ea0976678b1c35058d117eeb28bff598f

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

SH256 hash:

486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5

MD5 hash:

d1adee00a2745df94375ba4d0026c637

SHA1 hash:

8840feba8025ce904c076cf35cc0835b718503aa

Link:

https://www.unpac.me/results/aeb13497-2593-475a-a211-ec7b3ba29891/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/178894/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample