MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4905fecf9b5d2057f495dcd21e81e03db0114af804fe59931cd901fbfbde5c9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4905fecf9b5d2057f495dcd21e81e03db0114af804fe59931cd901fbfbde5c9a
SHA3-384 hash: bb471cb417c739baa98f45a2b80cd7bf7818777669e52b1d9fd7257ffb0f4b0104fbb422d3dde9b0833aaa65dcd77f26
SHA1 hash: ee7539267c6a0816a2fc8542f564c49bf04b96ff
MD5 hash: ecd309f987796a0f3dfc403c9d5b40d1
humanhash: social-crazy-cat-tennis
File name:ECD309F987796A0F3DFC403C9D5B40D1.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:29'736'525 bytes
First seen:2021-07-05 11:35:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 786432:xQiWe/OHParm23ZlAcnYyF9eiVibFDidee2jWshnRkZK:2hWOHkPAYYyF9eiVipmee2HtRkZK
Threatray 779 similar samples on MalwareBazaar
TLSH 7B573319E10586B7E5002E31A81710AA7E19B1596BFF17DB34C1D9FE4428B8E3BF139E
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
185.215.113.85:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.85:80 https://threatfox.abuse.ch/ioc/157534/

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Xforce_keygen_by_KeygenSumo.zip
Verdict:
Malicious activity
Analysis date:
2021-07-02 04:18:49 UTC
Tags:
evasion trojan rat azorult stealer loader miner raccoon fareit pony keylogger agenttesla redline phishing vidar
Link:
https://app.any.run/tasks/a662becf-b2c2-4b7b-aa68-48996347d4ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
MALICIOUS
Result
Threat name:
Backstage Stealer Vidar Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811828
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops executable to a common third party application directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Backstage Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 444239 Sample: bGk64hnnAZ.exe Startdate: 05/07/2021 Architecture: WINDOWS Score: 100 159 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->159 161 Multi AV Scanner detection for domain / URL 2->161 163 Found malware configuration 2->163 165 18 other signatures 2->165 9 bGk64hnnAZ.exe 14 19 2->9         started        12 svchost.exe 1 2->12         started        15 svchost.exe 2->15         started        17 8 other processes 2->17 process3 dnsIp4 125 C:\Program Files (x86)\...\lylal220.exe, PE32 9->125 dropped 127 C:\Program Files (x86)\...\hjjgaa.exe, PE32 9->127 dropped 129 C:\Program Files (x86)\...\guihuali-game.exe, PE32 9->129 dropped 131 6 other files (5 malicious) 9->131 dropped 20 guihuali-game.exe 9->20         started        23 LabPicV3.exe 2 9->23         started        25 lylal220.exe 2 9->25         started        27 5 other processes 9->27 177 System process connects to network (likely due to code injection or exploit) 12->177 179 Changes security center settings (notifications, updates, antivirus, firewall) 15->179 133 23.211.4.86 AKAMAI-ASUS United States 17->133 135 127.0.0.1 unknown unknown 17->135 file5 signatures6 process7 dnsIp8 75 C:\Users\user\AppData\Local\...\install.dll, PE32 20->75 dropped 77 C:\Users\user\AppData\...\adobe_caps.dll, PE32 20->77 dropped 31 rundll32.exe 20->31         started        34 conhost.exe 20->34         started        79 C:\Users\user\AppData\Local\...\LabPicV3.tmp, PE32 23->79 dropped 36 LabPicV3.tmp 23->36         started        40 lylal220.tmp 25->40         started        153 ip-api.com 208.95.112.1, 49713, 80 TUT-ASUS United States 27->153 155 157.90.127.76, 49721, 80 REDIRISRedIRISAutonomousSystemES United States 27->155 157 6 other IPs or domains 27->157 81 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 27->81 dropped 83 C:\Users\user\AppData\Roaming\8065275.exe, PE32 27->83 dropped 85 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 27->85 dropped 87 14 other files (none is malicious) 27->87 dropped 181 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->181 183 Tries to harvest and steal browser information (history, passwords, etc) 27->183 185 Modifies the context of a thread in another process (thread injection) 27->185 187 3 other signatures 27->187 42 MediaBurner.tmp 3 19 27->42         started        44 8065275.exe 27->44         started        46 jfiag3g_gg.exe 27->46         started        48 5 other processes 27->48 file9 signatures10 process11 dnsIp12 189 Writes to foreign memory regions 31->189 191 Allocates memory in foreign processes 31->191 193 Creates a thread in another existing process (thread injection) 31->193 50 svchost.exe 31->50 injected 53 svchost.exe 31->53 injected 89 C:\Users\user\AppData\...\758____Dawn.exe, PE32 36->89 dropped 99 3 other files (none is malicious) 36->99 dropped 55 758____Dawn.exe 36->55         started        137 superstationcity.com 194.163.135.248, 49715, 49716, 49717 NEXINTO-DE Germany 40->137 139 192.168.2.1 unknown unknown 40->139 91 C:\Users\user\AppData\...lZan _  _.exe, PE32 40->91 dropped 101 3 other files (none is malicious) 40->101 dropped 58 ElZan _  _.exe 40->58         started        93 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 42->93 dropped 95 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 42->95 dropped 103 2 other files (none is malicious) 42->103 dropped 61 JFHGSFGSIUGFSUIG.exe 42->61         started        97 C:\Users\user\AppData\...\WinHoster.exe, PE32 44->97 dropped 195 Creates multiple autostart registry keys 44->195 63 WinHoster.exe 44->63         started        197 Tries to harvest and steal browser information (history, passwords, etc) 46->197 141 172.67.152.52 CLOUDFLARENETUS United States 48->141 105 7 other files (none is malicious) 48->105 dropped 65 conhost.exe 48->65         started        67 taskkill.exe 48->67         started        69 timeout.exe 48->69         started        file13 signatures14 process15 dnsIp16 167 Sets debug register (to hijack the execution of another thread) 50->167 169 Modifies the context of a thread in another process (thread injection) 50->169 71 svchost.exe 50->71         started        107 C:\Program Files (x86)\...\ZHuwubaewabo.exe, PE32 55->107 dropped 109 C:\...\ZHuwubaewabo.exe.config, XML 55->109 dropped 119 3 other files (none is malicious) 55->119 dropped 171 Creates multiple autostart registry keys 55->171 145 173.222.108.226 AKAMAI-ASN1EU United States 58->145 147 162.0.210.44 ACPCA Canada 58->147 111 C:\Program Files (x86)\...behaviorgraphishogudahi.exe, PE32 58->111 dropped 113 C:\...behaviorgraphishogudahi.exe.config, XML 58->113 dropped 121 3 other files (none is malicious) 58->121 dropped 173 Drops executable to a common third party application directory 58->173 149 63.250.33.126 NAMECHEAP-NETUS United States 61->149 151 162.0.220.187 ACPCA Canada 61->151 115 C:\Program Files (x86)\...\Pifawaelowu.exe, PE32 61->115 dropped 117 C:\...\Pifawaelowu.exe.config, XML 61->117 dropped 123 3 other files (none is malicious) 61->123 dropped file17 signatures18 process19 dnsIp20 143 email.yg9.me 198.13.62.186 AS-CHOOPAUS United States 71->143 175 Query firmware table information (likely to detect VMs) 71->175 signatures21
Gathering data
Threat name:
Win32.Trojan.Fabookie
Create hunting rule
Status:
Malicious
First seen:
2021-07-05 11:36:16 UTC
AV detection:
24 of 46 (52.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jec75t43luqfp5ev3tjb5apahwybcsxyat7ftey43ea7x666lsna._file
Verdict:
suspicious
Similar samples:
2df4e3a4d7b6e5f33ef54c73ff86ffc76d8667ff587756a2887bf91687ab46a9
Adware.FileTour
361dc084efc29ddc0a837710fc28a872389e3a61413e5c82fcbefc1906c7b29f
Adware.FileTour
83b3a04479c4310f0ac695041b3c1d60c144be650d4b8838a395ca5a46e722e2
Adware.FileTour
9bd52703dba9fde3dda64118f9404ed8c3aab6cd3c6b6924f173fcbd5d83fd96
Adware.FileTour
b1298f0877eba17945d3468c06927f6cfc2b52f413bcc2b995f75436e0b7e7dd
Adware.FileTour
d03c955b566ad3308d6f9fe90c320300b097e649c9c7380d48cf06815d4988b9
Adware.FileTour
e1fffde5cce94f703cbaf29b14bf0e7569ad207a0a7f4fc63484ced33307198b
Adware.FileTour
f84ae3bdd7a26957eebe4e4893718bd512960c013a8aa4903998af16072c0041
Adware.FileTour
fcebd1383b524b3ed55ce93204ab0199fc3c8871783dc2b197ce3148c66a5ca1
Adware.FileTour
fe8417ad3e0bad396fd009f20ad6cb106605098ec72fb933bb6f8e16cb6d437d
Adware.FileTour
+ 769 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar discovery infostealer persistence stealer upx vmprotect
Link:
https://tria.ge/reports/210705-k4a128r4gs/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Vidar Stealer
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4905fecf9b5d2057f495dcd21e81e03db0114af804fe59931cd901fbfbde5c9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICOIUS_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments