MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 719838a1192ae6b53966159da56635e7a05754eb017f2538ca3f82c580543280. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 719838a1192ae6b53966159da56635e7a05754eb017f2538ca3f82c580543280
SHA3-384 hash: 45a44e848a4065ca6cf6081700b7d7addacf5c528744436b8e0eeddb73809d34ed250e51695d81ea75f020e35fc4efe2
SHA1 hash: c59b1eaabe08e0b6aa8c87c7483e8c6cdf7c8bc9
MD5 hash: b881f162c6d02aac190818d72db7844a
humanhash: bacon-single-comet-steak
File name:B881F162C6D02AAC190818D72DB7844A.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:1'028'608 bytes
First seen:2021-09-02 07:26:04 UTC
Last seen:2021-09-02 08:19:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d829f266aa146de717eb87c227ada96a (2 x DiamondFox, 2 x RaccoonStealer, 1 x Adware.FileTour)
ssdeep 12288:2//AH0CyrHLWuOmsdRtyncxQRhJJzhoqgH5sB4dxHGxoI:2/oHHkIdRhQRh9B4dot
Threatray 96 similar samples on MalwareBazaar
TLSH T1C9256C10A3D85A26D6EE1370F0B4492946F5FE31BB72E78F9644B4AC1E73BC198107A7
dhash icon f0d8b06969e0e8f0 (3 x DiamondFox, 2 x RaccoonStealer, 2 x RedLineStealer)
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
http://45.142.215.144/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.142.215.144/ https://threatfox.abuse.ch/ioc/204183/

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
B881F162C6D02AAC190818D72DB7844A.exe
Verdict:
No threats detected
Analysis date:
2021-09-02 07:27:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b3bf60d0-e582-43d7-b1ae-526fcfe1cd79

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184690/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.2034.20414.29840.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Sending an HTTP GET request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Delayed reading of the file
Searching for the window
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Launching a process
Launching the default Windows debugger (dwwin.exe)
Launching cmd.exe command interpreter
Connection attempt to an infection source
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be23d98c-444f-49e7-a22f-fd7122acf5eb
Result
Threat name:
Glupteba Metasploit Raccoon RedLine Vida
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843848
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected Glupteba
Yara detected Metasploit Payload
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 476279 Sample: D09MD2MjGx.exe Startdate: 02/09/2021 Architecture: WINDOWS Score: 100 54 172.217.23.97 GOOGLEUS United States 2->54 56 104.21.79.144 CLOUDFLARENETUS United States 2->56 58 4 other IPs or domains 2->58 78 Multi AV Scanner detection for domain / URL 2->78 80 Antivirus detection for URL or domain 2->80 82 Antivirus detection for dropped file 2->82 84 14 other signatures 2->84 8 D09MD2MjGx.exe 4 57 2->8         started        signatures3 process4 dnsIp5 60 37.0.10.214 WKD-ASIE Netherlands 8->60 62 37.0.10.237 WKD-ASIE Netherlands 8->62 64 11 other IPs or domains 8->64 28 C:\Users\...\y7sxoZosziIql_wiVKDUn5ZT.exe, PE32 8->28 dropped 30 C:\Users\...\pi4sTbgVFjja9mc2jd19wXDU.exe, PE32 8->30 dropped 32 C:\Users\...\o5fUGgquNf2iHSvgf8gRmqz0.exe, PE32 8->32 dropped 34 36 other files (29 malicious) 8->34 dropped 86 Drops PE files to the document folder of the user 8->86 88 Disable Windows Defender real time protection (registry) 8->88 13 UG194HexYAilx6sl6VZ8VLUN.exe 8->13         started        18 pi4sTbgVFjja9mc2jd19wXDU.exe 8->18         started        20 Ql2VnDP27pn49hAvVq_XJ2RI.exe 8->20         started        22 11 other processes 8->22 file6 signatures7 process8 dnsIp9 66 49.12.198.69 HETZNER-ASDE Germany 13->66 68 74.114.154.22 AUTOMATTICUS Canada 13->68 36 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 13->36 dropped 50 11 other files (none is malicious) 13->50 dropped 90 Detected unpacking (changes PE section rights) 13->90 92 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->92 94 Tries to harvest and steal browser information (history, passwords, etc) 13->94 96 Tries to steal Crypto Currency Wallets 13->96 98 Query firmware table information (likely to detect VMs) 18->98 100 Tries to detect sandboxes and other dynamic analysis tools (window names) 18->100 102 Hides threads from debuggers 18->102 104 Tries to detect sandboxes / dynamic malware analysis system (registry check) 18->104 70 149.154.167.99 TELEGRAMRU United Kingdom 20->70 38 C:\Users\...\J77cmUgJX0OQi4nZtiqUPG2L.exe, PE32 20->38 dropped 40 C:\...\PowerControl_Svc.exe, PE32 20->40 dropped 42 C:\Users\user\AppData\...\Cube_WW14[1].exe, PE32 20->42 dropped 106 Drops PE files to the document folder of the user 20->106 72 208.95.112.1 TUT-ASUS United States 22->72 74 91.241.19.38 REDBYTES-ASRU Russian Federation 22->74 76 11 other IPs or domains 22->76 44 C:\Users\user\...\Dssdsdaw34k41y[1].exe, PE32 22->44 dropped 46 C:\Windows\System32\drivers\etc\hosts, ASCII 22->46 dropped 48 C:\Users\user\AppData\Roaming\8595858.exe, PE32 22->48 dropped 52 13 other files (none is malicious) 22->52 dropped 108 Contains functionality to steal Internet Explorer form passwords 22->108 110 Modifies the hosts file 22->110 24 conhost.exe 22->24         started        26 conhost.exe 22->26         started        file10 signatures11 process12
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/719838a1192ae6b53966159da56635e7a05754eb017f2538ca3f82c580543280/
Threat name:
Win32.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2021-08-28 06:16:55 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ogmdriizfltlkolgcwo2kzrv46qfovhlaf7skogkh6bmlacugkaa._file
Verdict:
malicious
Similar samples:
055581a45098bcdda89f414c2346c7737546908ad7fba54f1c6f6451886e014d
Adware.FileTour
21391fc51c85957fb1bf530fbdd01b9cc6b855445c5ae6e46d9be51441ee62f5
Adware.FileTour
68d83afa2dc4272e54c4ebb1ab8981e7f00442dfe6e66c8b7299c30a230be997
Adware.FileTour
79c334850dedad7a1eacb71789b4f025a307bb093f916b51939384a6593315d3
Adware.FileTour
7cf7024eb95b7063c95546364329c3568e42b44c70425107a59b3de6e8025c67
Adware.FileTour
8e8ce2e7aded8560037718928e891ddc0831e7be68d906c93f91509e71756d72
Adware.FileTour
935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd
Adware.FileTour
d2d90f02ccd7c3fd1b46d667081529a1af8172e4a51feda461c8d250081c3548
Adware.FileTour
d57957436111516ca7a7e9af7cb143353cf41a22d556aa19ba6e710a37c6f0ae
Adware.FileTour
f454ea9fa15b20582eb0311beea5cc20e03e643a0a87b7c4e3fb848148873acf
Adware.FileTour
+ 86 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:raccoon family:redline family:vidar botnet:d02c5d65069fc7ce1993e7c52edf0c9c4c195c81 botnet:spnewportspectr backdoor dropper evasion infostealer loader stealer themida trojan
Link:
https://tria.ge/reports/210902-3yz2apjj5j/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
Vidar
Malware Config
C2 Extraction:
135.148.139.222:1594
193.56.146.60:16367
Unpacked files
SH256 hash:
719838a1192ae6b53966159da56635e7a05754eb017f2538ca3f82c580543280
MD5 hash:
b881f162c6d02aac190818d72db7844a
SHA1 hash:
c59b1eaabe08e0b6aa8c87c7483e8c6cdf7c8bc9
Link:
https://www.unpac.me/results/59203e99-616d-4390-bd2f-3a31a69ef92c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/719838a1192a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/719838a1192ae6b53966159da56635e7a05754eb017f2538ca3f82c580543280

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184690/

Comments