MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c9cdb438163a2e64adcb398a6f1f1abcdc81c1cf35ab5728441104a151240fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c9cdb438163a2e64adcb398a6f1f1abcdc81c1cf35ab5728441104a151240fd
SHA3-384 hash: 1f096606cbc9ef74a977c0df3b736e7f44b8ded738b1052927329ce64951f242d428db25e98cb0aa359bb6936be69889
SHA1 hash: 30512dba9f325abdd60e85e496fa0c5e36c11f92
MD5 hash: 4664a0336ab661fd9c421dfd49f6e9a3
humanhash: emma-pizza-johnny-charlie
File name:9c9cdb438163a2e64adcb398a6f1f1abcdc81c1cf35ab.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:6'771'585 bytes
First seen:2021-09-04 19:36:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 98304:pAI+iLWaYjpemX/B6QLv3NFkXkHb0ZCzXfivWa+8O7X0RN7AmgxmGkPCCdpiZqg1:itiDmJv9FUkHb0ZCz6O7q8QW/4++Gnl
TLSH T1B3663376F5C2187BF0234E704593D7B7617AB7801F9CA45EB3F69D8CDC0A64A18E068A
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
http://94.158.245.173/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.173/ https://threatfox.abuse.ch/ioc/215894/

Intelligence

File Origin
# of uploads :
1
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
jkrhjgnkjkg.zip
Verdict:
Malicious activity
Analysis date:
2021-09-03 14:17:21 UTC
Tags:
loader evasion trojan rat redline stealer opendir vidar raccoon
Link:
https://app.any.run/tasks/ac314fdf-3b70-48d2-b55b-6c2a9f6bb175

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185347/
Detection(s):
SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Sending a UDP request
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Running batch commands
Creating a file
Sending a custom TCP request
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
DNS request
Connection attempt
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the system32 directory
Connecting to a non-recommended domain
Sending an HTTP GET request to an infection source
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Creating a file in the system32 subdirectories
Launching the default Windows debugger (dwwin.exe)
Modifying a system file
Possible injection to a system process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d358d02-1f8e-4710-9488-041e0dbd6dda
Result
Threat name:
BitCoin Miner Cookie Stealer Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845346
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Tries to steal Mail credentials (via file access)
Yara detected BitCoin Miner
Yara detected Cookie Stealer
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477777 Sample: 9c9cdb438163a2e64adcb398a6f... Startdate: 04/09/2021 Architecture: WINDOWS Score: 100 72 185.177.125.94 WORLDSTREAMNL Netherlands 2->72 74 91.199.212.52 SECTIGOGB United Kingdom 2->74 76 7 other IPs or domains 2->76 104 Multi AV Scanner detection for domain / URL 2->104 106 Antivirus detection for URL or domain 2->106 108 Antivirus detection for dropped file 2->108 110 14 other signatures 2->110 8 9c9cdb438163a2e64adcb398a6f1f1abcdc81c1cf35ab.exe 18 32 2->8         started        signatures3 process4 file5 46 C:\Program Files (x86)\SmartPDF\...\stats.exe, PE32 8->46 dropped 48 C:\Program Files (x86)\SmartPDF\...\lg.exe, PE32 8->48 dropped 50 C:\Program Files (x86)\...\installer.exe, PE32 8->50 dropped 52 8 other files (6 malicious) 8->52 dropped 11 9840432e051a6fa1192594db02b80a4c1fd73456.exe 76 8->11         started        16 Inlog.exe 8->16         started        18 VPN.exe 8->18         started        20 4 other processes 8->20 process6 dnsIp7 92 94.158.245.173 MIVOCLOUDMD Moldova Republic of 11->92 94 195.201.225.248 HETZNER-ASDE Germany 11->94 96 8.8.8.8 GOOGLEUS United States 11->96 54 C:\Users\user\AppData\...\vcruntime140.dll, PE32 11->54 dropped 56 C:\Users\user\AppData\...\ucrtbase.dll, PE32 11->56 dropped 68 56 other files (none is malicious) 11->68 dropped 112 Tries to steal Mail credentials (via file access) 11->112 58 C:\Users\user\AppData\Local\...\Inlog.tmp, PE32 16->58 dropped 22 Inlog.tmp 16->22         started        60 C:\Users\user\AppData\Local\Temp\...\VPN.tmp, PE32 18->60 dropped 26 VPN.tmp 18->26         started        98 104.21.41.27 CLOUDFLARENETUS United States 20->98 100 192.168.2.1 unknown unknown 20->100 102 239.255.255.250 unknown Reserved 20->102 62 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 20->62 dropped 64 C:\Users\user\AppData\...\Windows Updater.exe, PE32 20->64 dropped 66 C:\Users\user\...\AdvancedWindowsManager.exe, PE32+ 20->66 dropped 70 9 other files (none is malicious) 20->70 dropped 28 chrome.exe 30 20->28         started        file8 signatures9 process10 dnsIp11 78 34.117.59.81 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 22->78 88 2 other IPs or domains 22->88 30 C:\Users\user\AppData\...\itdownload.dll, PE32 22->30 dropped 32 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 22->32 dropped 34 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 22->34 dropped 36 C:\Users\user\AppData\Local\...\Setup.exe, PE32 22->36 dropped 80 18.66.212.190 MIT-GATEWAYSUS United States 26->80 82 172.67.72.12 CLOUDFLARENETUS United States 26->82 38 C:\Users\user\AppData\...\itdownload.dll, PE32 26->38 dropped 40 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 26->40 dropped 42 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 26->42 dropped 44 C:\Users\user\AppData\Local\...\Setup.exe, PE32 26->44 dropped 84 20.190.159.138 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->84 86 204.79.197.200 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->86 90 14 other IPs or domains 28->90 file12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c9cdb438163a2e64adcb398a6f1f1abcdc81c1cf35ab5728441104a151240fd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 20:29:00 UTC
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tsonwq4bmoromsw4womkn4prvpg4qha46nnlk4ueieieufisid6q._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:netsupport family:raccoon family:redline botnet:208cae76e27fe102019484f9b1e2c6db71cd743e discovery evasion infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210904-ybs1saedg4/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
NetSupport
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
Unpacked files
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/9ad0864b-ac8f-4a11-a4df-42b5850372f9/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/9ad0864b-ac8f-4a11-a4df-42b5850372f9/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/9ad0864b-ac8f-4a11-a4df-42b5850372f9/
SH256 hash:
ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash:
ccf4a60623b784b084855d0468d76eab
SHA1 hash:
9419cc65a1bb70e8780f6da7cedd169eb333db88
Link:
https://www.unpac.me/results/9ad0864b-ac8f-4a11-a4df-42b5850372f9/
SH256 hash:
f670a341d04478b5fe903f80216dfa7629a98fbc58a3f30d9da6b013c2d70306
MD5 hash:
77b0aa53469d5e8d9c786f2a2c37a7f1
SHA1 hash:
8994d3f16f6e58ff80e78d5e25312887d3a7327a
Link:
https://www.unpac.me/results/9ad0864b-ac8f-4a11-a4df-42b5850372f9/
SH256 hash:
e2a652f0d48dd116e6cbfa0a4ee7cd626a188b536767728b95515aa4ed49332d
MD5 hash:
b5ac3301996922db16b590f16c80143f
SHA1 hash:
51147ea003dcc78b47655edf5ab11f7959988aba
Link:
https://www.unpac.me/results/9ad0864b-ac8f-4a11-a4df-42b5850372f9/
SH256 hash:
0efafb246fc239e5388334c52ee7da78845af74687b0b8bb14a9f7c2d0dfb691
MD5 hash:
247c213c223896a9621a763d199c3ab2
SHA1 hash:
4a15fed8d997d80e85bc1b84cc20ccd424c40064
Link:
https://www.unpac.me/results/9ad0864b-ac8f-4a11-a4df-42b5850372f9/
SH256 hash:
47ea4fc2b557f672618d7ba615ae371705623fa978060cbb31b07c4ec7116b2d
MD5 hash:
9edfd4a125f5946b5bbb0c597643f621
SHA1 hash:
93847000326ae5f3e76a686282cfd09bafffa04f
Link:
https://www.unpac.me/results/9ad0864b-ac8f-4a11-a4df-42b5850372f9/
SH256 hash:
11327d7c5b78cbaecf8dfd6a318abdbbbe3fd3d66abc7b28278c27e04977a353
MD5 hash:
afdf32ee714a6895208dd26229298edf
SHA1 hash:
6bddd2fc423196efe15b796e3c23bea5f9652631
Link:
https://www.unpac.me/results/9ad0864b-ac8f-4a11-a4df-42b5850372f9/
SH256 hash:
c634d1747ca153346db3d743c149fd41a3d31afcb8f04c068d77c1d928007783
MD5 hash:
d7f46913c63d73021421145a67913b6a
SHA1 hash:
aa41f4f89a9f98d454cdfa399cd7a067c3e00aaf
Link:
https://www.unpac.me/results/9ad0864b-ac8f-4a11-a4df-42b5850372f9/
SH256 hash:
4b85a03970d173f4a34b53543a59dd94f82a111008cd0b76b0184f8622cf1651
MD5 hash:
b8f7b41332d1d740e16de5056f369ed4
SHA1 hash:
46c9e44d1de1193563040010504ad446c266091c
Link:
https://www.unpac.me/results/9ad0864b-ac8f-4a11-a4df-42b5850372f9/
SH256 hash:
7cea9f6a97c8f204638fe4dd2e85de91f24672c8ecebf6f8c038228eb21d8fa3
MD5 hash:
a9f17c25ef274dc3147035382ae43fc6
SHA1 hash:
89d34372dfd2ee6688653dfd6547175d8bbcec6c
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/9ad0864b-ac8f-4a11-a4df-42b5850372f9/
SH256 hash:
9c9cdb438163a2e64adcb398a6f1f1abcdc81c1cf35ab5728441104a151240fd
MD5 hash:
4664a0336ab661fd9c421dfd49f6e9a3
SHA1 hash:
30512dba9f325abdd60e85e496fa0c5e36c11f92
Link:
https://www.unpac.me/results/9ad0864b-ac8f-4a11-a4df-42b5850372f9/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9c9cdb438163/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c9cdb438163a2e64adcb398a6f1f1abcdc81c1cf35ab5728441104a151240fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185347/

Comments