MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a6c8ce1e4a64866a8e1341f135544aeb2b7ca4b27d784885dc75df7a96e56f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 9


Intelligence 9 IOCs 2 YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a6c8ce1e4a64866a8e1341f135544aeb2b7ca4b27d784885dc75df7a96e56f8
SHA3-384 hash: f0098b9ffdee219b8302bcf0e1b19001544b4a15447966bda43a242bdb93d9dc112a4d367db16c64189336cc6e595069
SHA1 hash: 32cb9126f5d990ffcb7f410418f2521f4dad33f3
MD5 hash: 925852828704fb5328b96342fb6ac8bf
humanhash: blossom-solar-leopard-happy
File name:7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:7'656'667 bytes
First seen:2021-05-20 01:50:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 196608:itCdT4YXjbzV9rzRoITKkV70oOFiE1Mj0EEbHcx0tq1:rRzbxJ31t07FioMj0EWHcatq1
TLSH B4763374775046BBD0431E3999078376B1FBFB086B2C648F67E90E2996B374B512832E
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
195.123.242.190:11628

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
195.123.242.190:11628 https://threatfox.abuse.ch/ioc/49465/
87.251.71.193:80 https://threatfox.abuse.ch/ioc/49472/

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe
Verdict:
No threats detected
Analysis date:
2021-05-20 01:54:02 UTC
Tags:
installer
Link:
https://app.any.run/tasks/f530cf95-5691-43fd-b819-2f720e47ec6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/159277/
Detection(s):
Win.Malware.Fabookie-9797757-0
Create hunting rule

Win.Malware.Generic-9849070-0
Create hunting rule

Win.Malware.Autoit-9849407-0
Create hunting rule

SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Creating a file
Creating a file in the Program Files directory
DNS request
Sending a custom TCP request
Reading critical registry keys
Sending an HTTP GET request
Launching a process
Connecting to a non-recommended domain
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cookie Stealer Cyberduck RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/785601
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Creates a thread in another existing process (thread injection)
Detected VMProtect packer
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Cookie Stealer
Yara detected Cyberduck
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 417997 Sample: 7A6C8CE1E4A64866A8E1341F135... Startdate: 20/05/2021 Architecture: WINDOWS Score: 100 168 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->168 170 Multi AV Scanner detection for domain / URL 2->170 172 Found malware configuration 2->172 174 15 other signatures 2->174 10 7A6C8CE1E4A64866A8E1341F135544AEB2B7CA4B27D78.exe 16 19 2->10         started        13 haleng.exe 2->13         started        process3 file4 126 C:\Program Files (x86)\...\sskiper.exe, PE32 10->126 dropped 128 C:\Program Files (x86)\...\lylal220.exe, PE32 10->128 dropped 130 C:\Program Files (x86)\...\jg7_7wjg.exe, PE32 10->130 dropped 132 9 other files (8 malicious) 10->132 dropped 15 guihuali-game.exe 3 9 10->15         started        19 sskiper.exe 10->19         started        21 LOQn7WyBrhly.exe 10->21         started        28 8 other processes 10->28 24 jfiag3g_gg.exe 13->24         started        26 jfiag3g_gg.exe 13->26         started        process5 dnsIp6 148 192.168.2.1 unknown unknown 15->148 74 C:\Program Files\unins0000.dll, PE32 15->74 dropped 86 5 other files (none is malicious) 15->86 dropped 30 wscript.exe 15->30         started        150 download2.info 109.248.175.187, 49731, 80 SURYA-ASRU Russian Federation 19->150 76 C:\Users\user\AppData\Local\...\119100232.exe, PE32 19->76 dropped 78 C:\Users\user\AppData\...\2011981595.exe, PE32 19->78 dropped 88 2 other files (none is malicious) 19->88 dropped 32 119100232.exe 19->32         started        176 Writes to foreign memory regions 21->176 178 Allocates memory in foreign processes 21->178 180 Sample uses process hollowing technique 21->180 182 Injects a PE file into a foreign processes 21->182 36 AddInProcess32.exe 21->36         started        152 greataccesstoserver.com 28->152 154 101.36.107.74, 49721, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 28->154 156 11 other IPs or domains 28->156 80 C:\Users\user\Documents\...\jg7_7wjg.exe, PE32 28->80 dropped 82 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 28->82 dropped 84 C:\Users\user\AppData\Local\...\lylal220.tmp, PE32 28->84 dropped 90 2 other files (none is malicious) 28->90 dropped 38 lylal220.tmp 28->38         started        41 LabPicV3.tmp 28->41         started        43 jfiag3g_gg.exe 1 28->43         started        45 2 other processes 28->45 file7 signatures8 process9 dnsIp10 47 rundll32.exe 30->47         started        134 217.107.34.191 RTCOMM-ASRU Russian Federation 32->134 158 Writes to foreign memory regions 32->158 160 Allocates memory in foreign processes 32->160 162 Sample uses process hollowing technique 32->162 164 Injects a PE file into a foreign processes 32->164 50 AddInProcess32.exe 32->50         started        110 C:\Users\user\AppData\Local\...\ysAGEL.exe, PE32 38->110 dropped 112 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 38->112 dropped 114 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 38->114 dropped 116 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 38->116 dropped 52 ysAGEL.exe 38->52         started        136 global-sc-ltd.com 199.188.201.83, 49727, 49729, 80 NAMECHEAP-NETUS United States 41->136 118 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 41->118 dropped 120 C:\Users\user\AppData\...\alpATCHInO.exe, PE32 41->120 dropped 122 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 41->122 dropped 124 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 41->124 dropped 56 alpATCHInO.exe 41->56         started        166 Tries to harvest and steal browser information (history, passwords, etc) 43->166 file11 signatures12 process13 dnsIp14 192 Writes to foreign memory regions 47->192 194 Allocates memory in foreign processes 47->194 196 Creates a thread in another existing process (thread injection) 47->196 58 svchost.exe 47->58 injected 61 svchost.exe 47->61 injected 63 svchost.exe 47->63 injected 65 svchost.exe 47->65 injected 138 198.54.126.101 NAMECHEAP-NETUS United States 52->138 140 162.0.220.187 ACPCA Canada 52->140 94 C:\Program Files (x86)\...\Ladehifyky.exe, PE32 52->94 dropped 96 C:\...\Ladehifyky.exe.config, XML 52->96 dropped 98 C:\Users\user\AppData\...\ZHujaepalyjo.exe, PE32 52->98 dropped 106 2 other files (none is malicious) 52->106 dropped 67 irecord.exe 52->67         started        142 2.20.142.209 AKAMAI-ASN1EU European Union 56->142 144 162.0.210.44 ACPCA Canada 56->144 100 C:\Program Files (x86)\...\Lukufetefae.exe, PE32 56->100 dropped 102 C:\...\Lukufetefae.exe.config, XML 56->102 dropped 104 C:\Users\user\AppData\...\Hishepobaesi.exe, PE32 56->104 dropped 108 2 other files (none is malicious) 56->108 dropped file15 signatures16 process17 file18 186 System process connects to network (likely due to code injection or exploit) 58->186 188 Sets debug register (to hijack the execution of another thread) 58->188 190 Modifies the context of a thread in another process (thread injection) 58->190 70 svchost.exe 58->70         started        92 C:\Users\user\AppData\Local\...\irecord.tmp, PE32 67->92 dropped signatures19 process20 dnsIp21 146 facebook.websmails.com 167.179.89.78 AS-CHOOPAUS United States 70->146 184 Query firmware table information (likely to detect VMs) 70->184 signatures22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a6c8ce1e4a64866a8e1341f135544aeb2b7ca4b27d784885dc75df7a96e56f8/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2021-04-14 23:55:11 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjwizypeuzegnkhbgqprgvkev2zlpssle7lyjcc5y5o7pklok34a._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:elysiumstealer family:plugx family:redline family:vidar botnet:fullynew agilenet discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210520-sr34qngrde/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
ElysiumStealer
PlugX
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
rlmushahel.xyz:80
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a6c8ce1e4a64866a8e1341f135544aeb2b7ca4b27d784885dc75df7a96e56f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICOIUS_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Fabookie
Create hunting rule
Author:ditekSHen
Description:Detects Fabookie / ElysiumStealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/159277/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-20 02:00:31 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [F0002.002] Collection::Polling
3) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
4) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
5) [C0032.001] Data Micro-objective::CRC32::Checksum
6) [C0060] Data Micro-objective::Compression Library
7) [C0026.002] Data Micro-objective::XOR::Encode Data
9) [C0046] File System Micro-objective::Create Directory
10) [C0048] File System Micro-objective::Delete Directory
11) [C0047] File System Micro-objective::Delete File
12) [C0049] File System Micro-objective::Get File Attributes
13) [C0051] File System Micro-objective::Read File
14) [C0050] File System Micro-objective::Set File Attributes
15) [C0052] File System Micro-objective::Writes File
16) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
17) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
18) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
19) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
20) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
21) [C0017] Process Micro-objective::Create Process
22) [C0041] Process Micro-objective::Set Thread Local Storage Value
23) [C0018] Process Micro-objective::Terminate Process