MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 892dc1607407dedbb30f95ac92cb326a5c4f248f5e8981343bc84e4f834d8f52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 892dc1607407dedbb30f95ac92cb326a5c4f248f5e8981343bc84e4f834d8f52
SHA3-384 hash: 74ee6d39df43c9714f29b917a2e2c460562774fc81d37a2122422ca9901c8256b05a1905345a2df9c14f276e14c908b4
SHA1 hash: edc47f6a0fdcbf870e456e3f9fdf6d02aaebca8d
MD5 hash: 4d4933918c5f4dc8294ef986cb8ba1b4
humanhash: kitten-mars-ten-triple
File name:SecuriteInfo.com.FileRepMalware.9853.10727
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:1'649'291 bytes
First seen:2023-12-01 18:21:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'463 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 49152:5aJKrt9QyqLMUR/0AMBGVZrdzxEBvrx8MinXBgJ:QJKhKyQMURsAMmZCrWnRgJ
Threatray 6 similar samples on MalwareBazaar
TLSH T15575335356D5DC39E160A5702C3FE0E25B2A7E93AC3C217C75AEA03F4E0A478E546B87
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:Adware.FileTour exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461799/
Detection(s):
SecuriteInfo.com.FileRepMalware.9853.10727.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Gathering data
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/892dc1607407dedbb30f95ac92cb326a5c4f248f5e8981343bc84e4f834d8f52
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Relevantknowledge
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df88ee66-4d60-4af2-90a7-9062b861b393
Result
Threat name:
n/a
Detection:
suspicious
Classification:
evad
Score:
36 / 100
Link:
https://www.joesandbox.com/analysis/1351631
Behaviour
Behavior Graph:
n/a
Score:
22%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/892dc1607407dedbb30f95ac92cb326a5c4f248f5e8981343bc84e4f834d8f52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/892dc1607407dedbb30f95ac92cb326a5c4f248f5e8981343bc84e4f834d8f52/
Threat name:
Win32.Adware.RelevantKnowledge
Create hunting rule
Status:
Malicious
First seen:
2013-04-20 02:15:00 UTC
AV detection:
6 of 44 (13.64%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rew4cydua7pnxmypswwjfszsnjoe6jepl2eycnb3zbhe7a2nr5ja._file
Verdict:
malicious
Similar samples:
5118bb57711f4d7e0a3ce98b44ae66c7cbf0d40d93e922de8bf4e9e1d6a6fa1a
Adware.FileTour
892dc1607407dedbb30f95ac92cb326a5c4f248f5e8981343bc84e4f834d8f52
Adware.FileTour
a1f46aa45e0bef5d47b20f44c9309a3b9b4d7aa585f693ed7b1dca3fbe75d699
Adware.FileTour
a37797b95ddba40a9451dbc5d92e0e641c7c95cc01e8d0c9adec2d392057a572
Adware.FileTour
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/231201-wzxyjaeg83/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Unpacked files
SH256 hash:
ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash:
ccf4a60623b784b084855d0468d76eab
SHA1 hash:
9419cc65a1bb70e8780f6da7cedd169eb333db88
Link:
https://www.unpac.me/results/a9ca3cc3-978e-46bd-822e-c8510273b111/
SH256 hash:
7970f1f389c6e9bb7269578b6868fc67f236a85f23b01ec964735664218a55ff
MD5 hash:
b0e4ff058a93a3b40417c4dfd0260e25
SHA1 hash:
854a375000f8eea5147baeae41a4c925a224fe9e
Link:
https://www.unpac.me/results/a9ca3cc3-978e-46bd-822e-c8510273b111/
SH256 hash:
892dc1607407dedbb30f95ac92cb326a5c4f248f5e8981343bc84e4f834d8f52
MD5 hash:
4d4933918c5f4dc8294ef986cb8ba1b4
SHA1 hash:
edc47f6a0fdcbf870e456e3f9fdf6d02aaebca8d
Link:
https://www.unpac.me/results/a9ca3cc3-978e-46bd-822e-c8510273b111/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/892dc1607407dedbb30f95ac92cb326a5c4f248f5e8981343bc84e4f834d8f52

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/461799/

Comments