MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fe6c86b038ce91a991fe6eb8a9b323bb37b554ff6b4e5c18de3fe52d4aedf6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.FileTour
Vendor detections: 10

SHA256 hash: 8fe6c86b038ce91a991fe6eb8a9b323bb37b554ff6b4e5c18de3fe52d4aedf6d
SHA3-384 hash: 27f9f2912d27242ceb79561f726470f3ef103d5a71888d3e7d7a9aa0ead96cd27275f59acb9ae83a1aa96e42fe59c116
SHA1 hash: 265311e2afd9f59e824f4b77162cf3dfa278eb7e
MD5 hash: 6d18c8e8ab9051f7a70b89ff7bb0ec35
humanhash: queen-moon-purple-artist
File name: setup_x86_x64_install.exe
Signature: Adware.FileTour
File size: 4'534'901 bytes
First seen: 2021-09-09 21:59:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:yRWYQccy8xqv6ivCd0JHEczLiRugNgLWO:ynrCqv6iH+cXXgNg6O
Threatray: 535 similar samples on MalwareBazaar
TLSH: T15126332557BCC796E3D633B71C2B828D8F597A0152960307ACA0B93EC961471DCDCFAA
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: Anonymous
Tags: Adware.FileTour exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 236
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2021-09-09 21:53:36 UTC
Tags: trojan evasion rat redline loader stealer vidar unwanted netsupport

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Launching a process
Sending a UDP request
Creating a window
Reading critical registry keys
Moving a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Launching the default Windows debugger (dwwin.exe)
Delayed reading of the file
Creating a file in the Program Files subdirectories
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the Windows subdirectories
Sending an HTTP POST request
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Result
Threat name: RedLine Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 480896. Sample: setup_x86_x64_install.exe. Start date: 10/09/2021. Architecture: WINDOWS. Score: 100.
The graph shows setup_x86_x64_install.exe dropping and starting setup_installer.exe, which drops and starts setup_install.exe; that process launches several cmd.exe instances and the dropped Thu21*.exe payloads, which contact the remote hosts and drop the further files listed in the graph nodes.
Threat name: Win32.Downloader.Zenlod
Status: Malicious
First seen: 2021-09-09 22:00:10 UTC
AV detection: 29 of 45 (64.44%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:pab123 aspackv2 backdoor infostealer stealer suricata themida trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
https://gheorghip.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
45.14.49.169:22411
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments