MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5118bb57711f4d7e0a3ce98b44ae66c7cbf0d40d93e922de8bf4e9e1d6a6fa1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Adware.FileTour
Vendor detections: 13

SHA256 hash: 5118bb57711f4d7e0a3ce98b44ae66c7cbf0d40d93e922de8bf4e9e1d6a6fa1a
SHA3-384 hash: 2ad92b565f20a425d357dfd0ca29f9a4623a7f90757cfd99e4c89da396836b0f47a3e4440b62d852db15a801078c7238
SHA1 hash: 38870ff33a6dbbf33b59dad4778ad99c9d0b0c0f
MD5 hash: 8e667c12df45f2de4567cfdf8ba5761f
humanhash: wisconsin-carbon-indigo-uniform
File name: SecuriteInfo.com.Adware.Relevant.189.10664.32306
Signature: Adware.FileTour
File size: 1'611'036 bytes
First seen: 2023-11-07 23:26:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'463 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 24576:iQitRCIujF9xQ4EtHviMNqQKP7Hpkw65iWfQD/uL+o9ThYB9IUyxzZrDiXVV9+:i92nhKFJNoP7HpMiEQDGKoleCRnMV8
Threatray: 3 similar samples on MalwareBazaar
TLSH: T110752385EAE062F2F0314ABF7A199DF057677F25662191813098BF2F0F5A093DA36353
TrID:
  73.3% (.EXE) Inno Setup installer (109740/4/30)
  9.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  8.7% (.SCR) Windows screen saver (13097/50/3)
  3.0% (.EXE) Win32 Executable (generic) (4505/5/1)
  1.3% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: 71d0cecccccee878 (1 x Adware.FileTour)
Reporter: SecuriteInfoCom
Tags: Adware.FileTour exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 336
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 5118bb57711f4d7e0a3ce98b44ae66c7cbf0d40d93e922de8bf4e9e1d6a6fa1a.zip
Verdict: Malicious activity
Analysis date: 2023-11-08 01:14:04 UTC
Tags: loader darkgate

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control greyware installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Relevant Knowledge
Verdict: Suspicious

Result
Threat name: n/a
Detection: suspicious
Classification: evad
Score: 36 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph: ID 1338665 (sample SecuriteInfo.com.Adware.Rel..., start date 08/11/2023, architecture WINDOWS, score 36); the rendered process/network graph is not reproduced here.
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2013-04-16 20:31:00 UTC
File Type: PE (Exe)
Extracted files: 137
AV detection: 8 of 37 (21.62%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Unpacked files
File 1: SHA256 ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c, MD5 ccf4a60623b784b084855d0468d76eab, SHA1 9419cc65a1bb70e8780f6da7cedd169eb333db88
File 2: SHA256 5407d2af0ecaf529d75a25ac34515a01b45dc3152711be845273b95cc26cf3c2, MD5 9913024a56e241d46a6722efb931d9ce, SHA1 e90569779e67ff3323d9247f250ffa849c0ae0b6
File 3: SHA256 5118bb57711f4d7e0a3ce98b44ae66c7cbf0d40d93e922de8bf4e9e1d6a6fa1a, MD5 8e667c12df45f2de4567cfdf8ba5761f, SHA1 38870ff33a6dbbf33b59dad4778ad99c9d0b0c0f
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.
