MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 652788bae486f6ef0ecadb2a951cd25da57d4f399ba77011745bae565cb7e762. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adware.FileTour


Vendor detections: 8



SHA256 hash: 652788bae486f6ef0ecadb2a951cd25da57d4f399ba77011745bae565cb7e762
SHA3-384 hash: d29f084f9a7af8a8b5b3f6347c12c22ea19c78fe3e2f8b2644e590d59ce028d5bc4a9d68d0cdadfdf71c8ff08564dbdb
SHA1 hash: 26fca9da16ebcfad666c22f6cfc5adda1a3a3d1c
MD5 hash: ac001161492c123ed08aff6389716c8f
humanhash: asparagus-diet-whiskey-river
File name: ac001161492c123ed08aff6389716c8f.exe
Download: download sample
Signature: Adware.FileTour
File size: 3'939'251 bytes
First seen: 2021-06-01 08:30:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xgCvLUBsgAfrEdTPOoeCfFS0JUKbhtetWZ1XGReVlF:xdLUCgAotPONCfE0Jb19Z1XHVT
Threatray: 29 similar samples on MalwareBazaar
TLSH: 0B0633417BE8C0F4E6524435BE48DBF3A4FEC38C173361D3AB10C5AA2F7C6A5A51A694
Reporter: abuse_ch
Tags: Adware.FileTour exe


abuse_ch
Adware.FileTour C2:
http://162.55.189.141/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://162.55.189.141/ | https://threatfox.abuse.ch/ioc/67961/
162.55.55.250:80 | https://threatfox.abuse.ch/ioc/67974/

Intelligence


File Origin
# of uploads: 1
# of downloads: 161
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ac001161492c123ed08aff6389716c8f.exe
Verdict: No threats detected
Analysis date: 2021-06-01 08:35:34 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Running batch commands
Deleting a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine Vidar
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicious Svchost Process
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: [Behavior Graph ID: 427519; Sample: 2wlBX00vsN.exe; Startdate: 01/06/2021; Architecture: WINDOWS; Score: 100. The graph is rendered as an image on the original page.]
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-05-31 10:03:56 UTC
AV detection: 18 of 27 (66.67%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags:
family:plugx family:redline family:smokeloader family:vidar aspackv2 backdoor discovery evasion infostealer persistence spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
Checks for common network interception software
PlugX
RedLine
RedLine Payload
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog
Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments