MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5940fd97a28d3ee232155231fe70af70be462aa144d0b625470fe46a01a3bd1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adware.FileTour


Vendor detections: 10



SHA256 hash: 5940fd97a28d3ee232155231fe70af70be462aa144d0b625470fe46a01a3bd1b
SHA3-384 hash: 5a14b9645e59579bed045609a069928ef3658355dfef9305f526c80abe28dfe9725ba90ee8da9fe81733aa6553ceeb55
SHA1 hash: f47075361e8d94c631475e8bbd664910d06f4a5b
MD5 hash: 158e5dd95884449919421d4ba79e8e88
humanhash: magnesium-beryllium-lactose-seven
File name: 158e5dd95884449919421d4ba79e8e88.exe
Download: download sample
Signature: Adware.FileTour
File size: 1'093'262 bytes
First seen: 2021-03-28 00:40:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep: 24576:pAT8QE+kC7eZbxX33JSJh8nVE8A9nwxERuEmLYv2jIvAq0AedOfY:pAI+aFHYkOzFwvEmU7vAq5emY
Threatray: 3 similar samples on MalwareBazaar
TLSH: D1352235B1C1863AC0620E318C4BA3B6F53A7A085A3865CFB7DD1C6DDD372861A7529F
Reporter: abuse_ch
Tags: Adware.FileTour exe


abuse_ch
Adware.FileTour C2:
http://shopstyle3.top/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://shopstyle3.top/
ThreatFox reference: https://threatfox.abuse.ch/ioc/5613/

Intelligence


File Origin
# of uploads: 1
# of downloads: 267
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Sending a UDP request
Creating a file in the Windows subdirectories
Creating a file
Searching for analyzing tools
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Sending an HTTP POST request
Reading critical registry keys
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Behaviour
Behavior Graph: [graph rendering not reproduced; Behavior Graph ID 376938, sample DtE7OndZYB.exe, start date 28/03/2021, architecture WINDOWS, score 100]
Threat name:
Win32.Trojan.Badur
Status:
Malicious
First seen:
2021-03-27 08:59:25 UTC
AV detection:
19 of 48 (39.58%)
Threat level:
5/5
Result
Malware family:
redline
Score:
10/10
Tags:
family:redline discovery evasion infostealer spyware stealer trojan
Behaviour
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
Unpacked files
SHA256 hash:
ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash:
ccf4a60623b784b084855d0468d76eab
SHA1 hash:
9419cc65a1bb70e8780f6da7cedd169eb333db88
SHA256 hash:
3bae15f7c9b96553c49638c2bcdaf851294c9d2ebd9bf083f42d3c81df25e9db
MD5 hash:
90eceb2a21c7c9b3157484b7d2438d3e
SHA1 hash:
d6942068061524a6728ce537968a3e37252cefbf
SHA256 hash:
e0ff40c02a229e1247cec72d8551c09e2c3c305ce5ce133779aeeeafc72ec1a3
MD5 hash:
c42fa28789033224b591ab1d2a944ca2
SHA1 hash:
b817925eb4a76ac5ba6e38d6ba1cd774df78915e
SHA256 hash:
cbf6c0751749d984732decd8d1b3c0735b6cb480553191b9567f326b86054a5c
MD5 hash:
f671ffd4b7f363f047c26e4022902fd6
SHA1 hash:
7424a6e0ea0fb2f0f209147cdc29eac34e4e22f8
SHA256 hash:
5940fd97a28d3ee232155231fe70af70be462aa144d0b625470fe46a01a3bd1b
MD5 hash:
158e5dd95884449919421d4ba79e8e88
SHA1 hash:
f47075361e8d94c631475e8bbd664910d06f4a5b
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author:ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Select_from_enumeration
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Author:James_inthe_box
Description:Steam in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments