MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ca942cc19eb3d9f6bd2e5947eb77af104948ccea1f4b96c87270e91065650c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adware.FileTour


Vendor detections: 10

SHA256 hash: 7ca942cc19eb3d9f6bd2e5947eb77af104948ccea1f4b96c87270e91065650c7
SHA3-384 hash: 8011c74624fe21e2c084a14a632d4452e319690b0408a4394f2623cc4b7506bbc8c9b802f0965368b56b4252120bd215
SHA1 hash: e5693ec6ef7d5b5d872130d33c05a10160a127c9
MD5 hash: a447d89f3c72c8f5c81e9cac1b3eeb53
humanhash: asparagus-mike-gee-wisconsin
File name: a447d89f3c72c8f5c81e9cac1b3eeb53.exe
Download: download sample
Signature: Adware.FileTour
File size: 3'396'067 bytes
First seen: 2021-08-09 06:45:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (shared with 122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 49152:xcBwDyczsDMz45DqbDqUeZvBaFsVyHPb1TYZbA+/3PBEMEwJ84vLRaBtIl9mTpH6:xr1zsDHiwJaEwBTYZbRBQCvLUBsKp6p
Threatray: 270 similar samples on MalwareBazaar
TLSH: T1FAF533903B87C4FFD9922532A844BB7604BEC7492F4408DBB7D8961F9A7C4CBC72A156
dhash icon: 848c5454baf47474 (shared with 2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: Adware.FileTour exe

Note that the imphash and the icon dhash are shared with hundreds of RedLine, Raccoon, DiamondFox and Neoreklami samples. Both values describe the outer installer (its import table and its icon), not the payloads it drops, so they are pivots for the installer/loader family rather than evidence of which payload families are inside; the vendor sandbox results further down identify the payloads.
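Before detonating or reversing a file downloaded from this entry, confirm it is the file the entry describes. The following is an added example (it is not MalwareBazaar code and not part of this page): it recomputes the four published digests and the size with Python's standard library and reports which fields differ. The ENTRY values are copied from the table above; the function names and the streaming chunk size are this example's own choices.

```python
import hashlib
import sys

# Hashes and size copied from this MalwareBazaar entry (not computed here).
ENTRY = {
    "sha256": "7ca942cc19eb3d9f6bd2e5947eb77af104948ccea1f4b96c87270e91065650c7",
    "sha3_384": "8011c74624fe21e2c084a14a632d4452e319690b0408a4394f2623cc4b7506bbc8c9b802f0965368b56b4252120bd215",
    "sha1": "e5693ec6ef7d5b5d872130d33c05a10160a127c9",
    "md5": "a447d89f3c72c8f5c81e9cac1b3eeb53",
    "size": 3396067,
}

# The four digest algorithms MalwareBazaar publishes; all are in hashlib (sha3_384 since Python 3.6).
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def digests(data: bytes) -> dict:
    """Digest an in-memory buffer; returns the four hex digests plus the byte length."""
    out = {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}
    out["size"] = len(data)
    return out


def digest_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same result as digests() but streams the file, so a multi-MB sample is not read at once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            size += len(block)
            for h in hashers.values():
                h.update(block)
    out = {name: h.hexdigest() for name, h in hashers.items()}
    out["size"] = size
    return out


def verify(actual: dict, entry: dict) -> list:
    """Return the sorted names of fields whose value differs from the entry (empty list = match).
    Hex digests are compared case-insensitively; size is compared as an integer."""
    mismatches = []
    for field, expected in entry.items():
        got = actual.get(field)
        if field == "size":
            if got != int(expected):
                mismatches.append(field)
        elif got is None or got.lower() != str(expected).lower():
            mismatches.append(field)
    return sorted(mismatches)


if __name__ == "__main__":
    # Usage: python verify_sample.py <path to the downloaded, extracted sample>
    bad = verify(digest_file(sys.argv[1]), ENTRY)
    if bad:
        print(f"MISMATCH on {bad}: this is not the file the entry lists")
    else:
        print("all digests and the size match the entry")
```

A single mismatching field is enough to reject the file: MalwareBazaar ships samples inside a password-protected archive, so the most common cause is hashing the archive instead of the extracted executable.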


abuse_ch
Adware.FileTour C2:
http://74.119.195.134/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample. The first entry is the URL the reporter labelled above as the Adware.FileTour C2; the others are ThreatFox indicators linked to this sample.

IOC                                          ThreatFox reference
http://74.119.195.134/                       https://threatfox.abuse.ch/ioc/166044/
5.8.248.83:61808                             https://threatfox.abuse.ch/ioc/166048/
45.14.49.68:43238                            https://threatfox.abuse.ch/ioc/166049/
http://gcc-prtnrs.top/dlc/distribution.php   https://threatfox.abuse.ch/ioc/166056/
http://gcc-prtnrs.top/stats/remember.php     https://threatfox.abuse.ch/ioc/166057/
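The ThreatFox links are pivots for a human; running the list against telemetry needs the indicators in a machine-usable shape. The following is an added example (written for this page, not MalwareBazaar or ThreatFox code): it parses the five IOCs exactly as listed into URL and ip:port indicators, builds an exact index and a weaker host-level index, and scores proxy-style log lines. The log format, the constructed log lines with documentation-range addresses, and the high/medium confidence labels are this example's assumptions, not anything the page states.

```python
import ipaddress
from urllib.parse import urlparse

# The five IOCs exactly as listed in this entry, with their ThreatFox references.
IOCS = [
    ("http://74.119.195.134/", "https://threatfox.abuse.ch/ioc/166044/"),
    ("5.8.248.83:61808", "https://threatfox.abuse.ch/ioc/166048/"),
    ("45.14.49.68:43238", "https://threatfox.abuse.ch/ioc/166049/"),
    ("http://gcc-prtnrs.top/dlc/distribution.php", "https://threatfox.abuse.ch/ioc/166056/"),
    ("http://gcc-prtnrs.top/stats/remember.php", "https://threatfox.abuse.ch/ioc/166057/"),
]

# Constructed proxy-style log lines (not from the page): <ts> <src_ip> <dst_ip> <dst_port> <url or ->
LOG = """
2021-08-09T07:01:12Z 10.0.0.15 74.119.195.134 80 http://74.119.195.134/
2021-08-09T07:01:13Z 10.0.0.15 5.8.248.83 61808 -
2021-08-09T07:01:14Z 10.0.0.15 5.8.248.83 443 -
2021-08-09T07:01:15Z 10.0.0.15 203.0.113.7 80 http://gcc-prtnrs.top/dlc/distribution.php
2021-08-09T07:01:16Z 10.0.0.15 203.0.113.7 80 http://GCC-PRTNRS.top/index.html
2021-08-09T07:01:17Z 10.0.0.22 198.51.100.9 443 https://example.com/
"""


def parse_ioc(value: str) -> dict:
    """Classify one IOC string as a URL (host + path) or an ip:port socket."""
    if "://" in value:
        u = urlparse(value)
        if not u.hostname:
            raise ValueError(f"URL without host: {value}")
        return {"kind": "url", "host": u.hostname.lower(), "path": u.path or "/"}
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"unrecognised IOC form: {value}")
    ipaddress.ip_address(host)  # raises ValueError if host is not a literal IP
    return {"kind": "socket", "host": host, "port": int(port)}


def build_index(iocs) -> dict:
    """Exact (host, path) URLs, exact (ip, port) sockets, and bare hosts for weaker matches."""
    index = {"urls": {}, "sockets": {}, "hosts": {}}
    for value, ref in iocs:
        ioc = parse_ioc(value)
        index["hosts"].setdefault(ioc["host"], (value, ref))
        if ioc["kind"] == "url":
            index["urls"][(ioc["host"], ioc["path"])] = (value, ref)
        else:
            index["sockets"][(ioc["host"], ioc["port"])] = (value, ref)
    return index


def match_line(line: str, index: dict):
    """Return (confidence, ioc, threatfox_ref) for one log line, or None if nothing matches."""
    _ts, _src, dst, port, url = line.split(maxsplit=4)
    key = (dst, int(port))
    if key in index["sockets"]:
        return ("high",) + index["sockets"][key]        # exact C2 socket
    if url != "-":
        u = urlparse(url)
        host = (u.hostname or "").lower()
        ukey = (host, u.path or "/")
        if ukey in index["urls"]:
            return ("high",) + index["urls"][ukey]      # exact URL
        if host in index["hosts"]:
            return ("medium",) + index["hosts"][host]   # known host, different path
    if dst in index["hosts"]:
        return ("medium",) + index["hosts"][dst]        # known IP, different port
    return None


def match_log(text: str, index: dict) -> list:
    """Scan every non-blank line; return [(line_no, confidence, ioc, ref), ...]."""
    hits = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        if line.strip():
            hit = match_line(line, index)
            if hit:
                hits.append((n,) + hit)
    return hits


if __name__ == "__main__":
    for n, conf, ioc, ref in match_log(LOG, build_index(IOCS)):
        print(f"line {n}: {conf:6} {ioc}  ({ref})")
```

Socket indicators match only on the exact ip:port; the same IP on another port, and a known host reached on a path that is not listed, are reported at medium confidence so they can be triaged rather than silently dropped. The vendor-extracted C2 URLs further down this page can be appended to IOCS in the same (value, reference) shape.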

Intelligence

File Origin
# of uploads: 1
# of downloads: 187
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 610dc1_php-echo-the_ti.zip
Verdict: Malicious activity
Analysis date: 2021-08-06 23:23:39 UTC
Tags: evasion trojan stealer vidar loader rat redline

This analysis was run on a zip archive containing the sample and predates the entry's first-seen date of 2021-08-09.

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Moving a file to the %temp% subdirectory
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary can be suspicious or malicious.

Result
Threat name: RedLine Vidar Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour

Behavior Graph (ID 461501; sample YWDurwkPid.exe; start date 09/08/2021; architecture WINDOWS; score 100), flattened here as a process tree. Node numbers in brackets are the graph's own; the "other" counts are the graph's summaries and are not expanded on the page.

[2] start
    network: 185.65.135.248 (ESAB-ASSE, Sweden); 162.159.130.233 (CLOUDFLARENETUS, United States); 3 other IPs or domains
    signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 12 other signatures
    starts [11] YWDurwkPid.exe

[11] YWDurwkPid.exe
    drops: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\Local\...\sahiba_9.txt (PE32+); C:\Users\user\AppData\Local\...\sahiba_8.txt (PE32); 12 other files (none is malicious)
    starts [14] setup_install.exe

[14] setup_install.exe
    network: 172.67.170.195 (CLOUDFLARENETUS, United States); 127.0.0.1
    drops: C:\Users\user\AppData\...\sahiba_7.exe (copy, PE32); C:\Users\user\AppData\...\sahiba_6.exe (copy, PE32); C:\Users\user\AppData\...\sahiba_3.exe (copy, PE32); 6 other files (2 malicious)
    signatures: Detected unpacking (changes PE section rights)
    starts [19] cmd.exe; [21] cmd.exe; [23] cmd.exe; [25] 6 other processes

[19] cmd.exe -> starts [27] sahiba_7.exe
[21] cmd.exe -> starts [32] sahiba_3.exe
[23] cmd.exe -> starts [34] sahiba_2.exe
[25] 6 other processes -> start [36] sahiba_1.exe; [38] sahiba_6.exe; [40] sahiba_5.exe; [42] sahiba_4.exe

[27] sahiba_7.exe
    network: 37.0.10.236 (WKD-ASIE, Netherlands); 37.0.11.8 (WKD-ASIE, Netherlands); 10 other IPs or domains
    drops: C:\Users\...\oOIj6n2a5KEdqpcHPAhcv9a6.exe (PE32); C:\Users\...\ioOvv3RngsbLQMZPahGvAKJh.exe (PE32); C:\Users\...\AMzh3n5_uMxrdsaOOm0TJ9Es.exe (PE32); 29 other files (14 malicious)
    signatures: Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)

[32] sahiba_3.exe
    network: 2 other IPs or domains
    drops: 12 other files (none is malicious)
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Crypto Currency Wallets

[34] sahiba_2.exe
    signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration)

[36] sahiba_1.exe
    network: 192.168.2.1
    signatures: Creates processes via WMI
    starts [44] sahiba_1.exe

[38] sahiba_6.exe
    network: 172.67.190.140 (CLOUDFLARENETUS, United States)
    drops: C:\Users\user\AppData\Roaming\6755785.exe (PE32); 3 other files (none is malicious)

[40] sahiba_5.exe
    network: 3 other IPs or domains
    drops: 2 other files (none is malicious)

[42] sahiba_4.exe
    drops: 2 other files (none is malicious)

[44] sahiba_1.exe
    network: 8.8.8.8 (GOOGLEUS, United States); 104.21.70.98 (CLOUDFLARENETUS, United States)
    drops: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
    starts [48] conhost.exe
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-08-07 13:07:03 UTC
AV detection: 32 of 46 (69.57%)
Threat level: 5/5

No other vendor result on this page, and none of the behaviour lists, reports file encryption or any other ransomware activity; treat this threat name as a detection label rather than as confirmation that a ransomware payload is present.

Result
Score: 10/10
Tags: family:glupteba family:metasploit family:redline family:smokeloader family:socelars family:vidar family:xmrig botnet:706 aspackv2 backdoor discovery dropper evasion infostealer loader miner persistence spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Vidar Stealer
XMRig Miner Payload
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
xmrig
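Several entries in the signature list above and in this behaviour list are host actions that endpoint telemetry records directly: a registry write that disables Windows Defender real-time protection, a schtasks.exe task creation, a Run-key value being added, and a process created via WMI. The following is an added example (written for this page; it is not vendor or MalwareBazaar code) that encodes those four behaviours as rules over Sysmon-style events. The field names follow Sysmon's ProcessCreate (EventID 1) and RegistryEvent value-set (EventID 13) records, but the events themselves, the paths, process names and task name are constructed for the example and are not taken from this sample's reports.

```python
import json
import re

# Constructed Sysmon-style events as JSON lines. Field names follow Sysmon EventID 1 / 13;
# the processes, paths and task name are made up for this example.
EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\dropper.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "dropper.exe"}
{"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\dropper.exe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "schtasks /create /tn Updater /tr C:\\Users\\user\\AppData\\Roaming\\svc.exe /sc minute /mo 5"}
{"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\dropper.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\user\\AppData\\Roaming\\svc.exe"}
{"EventID": 1, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\stage2.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "stage2.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
"""

# Registry value that turns off Defender real-time protection (matched on the key suffix so both
# the Policies path and the product path under HKLM\SOFTWARE\Microsoft are covered).
DEFENDER_RT_VALUE = "\\windows defender\\real-time protection\\disablerealtimemonitoring"
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"
SCHTASKS_CREATE = re.compile(r"(?:^|\s)/create(?:\s|$)", re.IGNORECASE)


def evaluate(event: dict) -> list:
    """Return [(rule_name, evidence), ...] for every rule that fires on one event."""
    hits = []
    eid = event.get("EventID")
    if eid == 13:  # RegistryEvent: value set
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        if target.lower().endswith(DEFENDER_RT_VALUE) and "0x00000001" in details.lower():
            hits.append(("defender_realtime_disabled", target))
        if RUN_KEY_FRAGMENT in target.lower():
            hits.append(("run_key_persistence", details))
    elif eid == 1:  # ProcessCreate
        image = event.get("Image", "").lower()
        parent = event.get("ParentImage", "").lower()
        cmd = event.get("CommandLine", "")
        if image.endswith("\\schtasks.exe") and SCHTASKS_CREATE.search(cmd):
            hits.append(("schtasks_create", cmd))
        if parent.endswith("\\wbem\\wmiprvse.exe"):
            hits.append(("wmi_spawned_process", event.get("Image", "")))
    return hits


def scan(jsonl: str) -> list:
    """Run evaluate() over every JSON line; return [(line_no, rule, evidence), ...]."""
    findings = []
    for n, line in enumerate(jsonl.strip().splitlines(), 1):
        if not line.strip():
            continue
        for rule, evidence in evaluate(json.loads(line)):
            findings.append((n, rule, evidence))
    return findings


if __name__ == "__main__":
    for n, rule, evidence in scan(EVENTS):
        print(f"event {n}: {rule}: {evidence}")
```

The Defender rule needs the writing process as context before it is actionable: the same policy value is legitimately written by Group Policy in some environments, so a hit from an executable under a user's profile (as in the constructed event) is the signal, not the value on its own. The WMI rule keys on the parent being WmiPrvSE.exe, which is how a Win32_Process.Create call appears in process-creation telemetry.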
Malware Config
C2 Extraction:
https://prophefliloc.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Unpacked files (SHA256 / MD5 / SHA1)

875b8ccdf7909cba02cf4fd8adbf0a7ff91d93f7c5f3b83b3b33c903d9c91d8e
  MD5:  8beec33a93b1f6c8223c1fc34449037d
  SHA1: 5131c64127c289f0cf6c5ab932e09f8579af4551

e774e5309f3cd09767e6767b04a2aed1310943ba1f03413f12143c4262d9e141
  MD5:  52f7a8d8e1711098ba912407687c5982
  SHA1: 2bcc6d88c391a6ec0bfe5ef1c9d613b0ca7d6bb8

7480620e70764fb206ff7dfb106bdf4c88a4b4188da15cb64e61ccc0e75223e0
  MD5:  654f4b5a7079b36688de21003cf4e51d
  SHA1: 28cb1c7d13da4f1a887dfa5198422ed389d7dd48

93abb3524f16f0ed93c84dfae86cad854c3898a57858687f0ffd52a3315ec2a6
  MD5:  3590d8e8272a15717220b64b6cc04bc9
  SHA1: 6e198523e1cf38f9dffceeded0489549e0bf30e7

c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
  MD5:  13a289feeb15827860a55bbc5e5d498f
  SHA1: e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad

5dbe764c587a5a27b0daaa1b3a56a2ac4047cc78c2b878ae49589c2ec55c350a
  MD5:  62ca6931bc7a374f80ff8541138baa9e
  SHA1: d36e63034bddf32d3c79106a75cfa679cfdd336a

55701c6e51fb6a9820d8f9d2ae9db412b60f51c80d288e8baf0ea50e2d03cce4
  MD5:  c85639691074f9d98ec530901c153d2b
  SHA1: cac948e5b1f9d7417e7c5ead543fda1108f0e9ed

3ed9c981d1b1c61fc0de3e7973af1a6f9cad82f4509a01f51efb0ca29cd0e5ca
  MD5:  13d4228eebba30a121c8544a5493b16a
  SHA1: 7dff5b6638e6e840e1b4ecaa83406f3173bbb0fd

12f2a4af5a7e54ff55a57549d351315ad3e1dac80aef43200f1abdd20b1a3f00
  MD5:  fc1bf039d6e2275262ee314cb5dcdcb9
  SHA1: 596c821bf1be4690daec15c62cf6457b0b5de722

78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
  MD5:  c0d18a829910babf695b4fdaea21a047
  SHA1: 236a19746fe1a1063ebe077c8a0553566f92ef0f

640e057dd5bfed29fea28606f5d25d746c231a1e7e9fad07a63604ac4ae74463
  MD5:  c2babfdde6b570c2ff3b620747856d42
  SHA1: 27650118025d5351bcb8d95cff0d9f2759694290

7ca942cc19eb3d9f6bd2e5947eb77af104948ccea1f4b96c87270e91065650c7 (the submitted sample itself)
  MD5:  a447d89f3c72c8f5c81e9cac1b3eeb53
  SHA1: e5693ec6ef7d5b5d872130d33c05a10160a127c9
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments