MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a75947e7809e5629f8a4119f06834d01c0a09bb2f25c2a1527caf37f685d4292. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 10


Intelligence 10 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a75947e7809e5629f8a4119f06834d01c0a09bb2f25c2a1527caf37f685d4292
SHA3-384 hash: b4adaa4d73e072f10268c85b0fffc38a9a5027869c60142b8080dc179576f929c2e911e667087adee70e9a22dc45d8c6
SHA1 hash: f14119fd48faf4e67f2830377e59c971e97bb655
MD5 hash: a90feb9b28a784657ec9a9b2a7bd7122
humanhash: enemy-bulldog-table-mars
File name:a90feb9b28a784657ec9a9b2a7bd7122.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:1'087'248 bytes
First seen:2021-06-22 11:45:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1dd9e0c90802c146c30db4b322f2aa9e (1 x RedLineStealer, 1 x Adware.FileTour, 1 x DiamondFox)
ssdeep 24576:rJeo26y1eqAyY6fNC1TawJXO+Tb5OMvicKt:R92NC1TawJ/gcKt
Threatray 26 similar samples on MalwareBazaar
TLSH 7035E041FE8294F3E5A220B151F6AB761D39653147109AD3D3C85AF54E203F0AB3B7AE
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
http://cypwua22.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://cypwua22.top/index.php https://threatfox.abuse.ch/ioc/139823/
http://morutv02.top/index.php https://threatfox.abuse.ch/ioc/139824/

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a90feb9b28a784657ec9a9b2a7bd7122.exe
Verdict:
Malicious activity
Analysis date:
2021-06-22 11:46:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/86ed3295-5540-48cb-95a6-5abdfe565969

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Netbounce
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167547/
Detection(s):
SecuriteInfo.com.UntrustedCertificate.iObit-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ded47b92-046f-4fb9-9121-3b63dfc47c3b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/805923
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Detected potential unwanted application
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: BlueMashroom DLL Load
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 438334 Sample: wbEjg6mZB8.exe Startdate: 22/06/2021 Architecture: WINDOWS Score: 84 45 r3.o.lencr.org 2->45 47 echo.bluewavecdn.com 2->47 55 Antivirus detection for URL or domain 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Sigma detected: BlueMashroom DLL Load 2->59 61 Detected potential unwanted application 2->61 9 wbEjg6mZB8.exe 3 2->9         started        signatures3 process4 file5 43 C:\Users\user\AppData\Local\Temp\Setup.exe, PE32 9->43 dropped 12 Setup.exe 2 9->12         started        process6 dnsIp7 49 spark.lightburst.xyz 195.181.169.92, 443, 49757 CDN77GB United Kingdom 12->49 51 127.0.0.1 unknown unknown 12->51 63 Multi AV Scanner detection for dropped file 12->63 65 Performs DNS queries to domains with low reputation 12->65 67 Adds a directory exclusion to Windows Defender 12->67 16 cmd.exe 1 12->16         started        19 cmd.exe 1 12->19         started        21 cmd.exe 12->21         started        23 3 other processes 12->23 signatures8 process9 signatures10 53 Adds a directory exclusion to Windows Defender 16->53 25 powershell.exe 26 16->25         started        27 conhost.exe 16->27         started        29 powershell.exe 17 19->29         started        31 conhost.exe 19->31         started        39 2 other processes 21->39 33 powershell.exe 17 23->33         started        35 conhost.exe 23->35         started        37 conhost.exe 23->37         started        41 3 other processes 23->41 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a75947e7809e5629f8a4119f06834d01c0a09bb2f25c2a1527caf37f685d4292/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-06-19 07:01:00 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u5mupz4atzlct6fecgpqna2nahakbg5s6jocufjhzlzx62c5ikja._file
Verdict:
malicious
Similar samples:
1bd7f695ac2b3267dcc36f68784d44ccb966cee16c88db57ad004995527dd6ec
Adware.FileTour
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f
Adware.FileTour
5dc4c9f9b91f1d349aa12569b1c9e792710adbc5d8e200b89f92c920008901fc
Adware.FileTour
64fa359ee0cc2f6724acd29a0ea27bb086922d80c8d2aa385c03db890d5e8bb3
Adware.FileTour
6651e6156af086e120114fb83b10af8b07acac4b73998cf5758bb5fe17677bfc
Adware.FileTour
7c84f12d1931043664fde0954a5af1b0e30edd8f7fcc6b33cfe298fc431baa84
Adware.FileTour
91d3770ac0d4463cb356327db2c492f1cbce42715dbcae11d8768f4bf2fb2c98
Adware.FileTour
987506b904adf02794b1c51f8b166aa4ea284454607e133ef0d5d003aba64b00
Adware.FileTour
af7e5864c9e4b6c0161231a1be5822505ba84eb55e0185693ef5835954c98a21
Adware.FileTour
cf76d84527415e188f5954b3c7289ad60f3b36ad0aedb913c53cf398243609a9
Adware.FileTour
+ 16 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar persistence stealer vmprotect
Link:
https://tria.ge/reports/210622-9f5yk38ame/
Behaviour
GoLang User-Agent
Kills process with taskkill
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
autoit_exe
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Vidar Stealer
Vidar
Unpacked files
SH256 hash:
5722c6e6d7e6dc805b906a861c6833f6065299e50303bfb2b56d701eaef1a8e8
MD5 hash:
84ce449e3c0ee62bfcb080c5be396d1f
SHA1 hash:
576e91d8cc200d1bd1ecb4da306468e57dd9061f
Link:
https://www.unpac.me/results/1941e6cb-8525-4aa9-ad24-b1b93931c3a5/
SH256 hash:
a75947e7809e5629f8a4119f06834d01c0a09bb2f25c2a1527caf37f685d4292
MD5 hash:
a90feb9b28a784657ec9a9b2a7bd7122
SHA1 hash:
f14119fd48faf4e67f2830377e59c971e97bb655
Link:
https://www.unpac.me/results/1941e6cb-8525-4aa9-ad24-b1b93931c3a5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a75947e7809e5629f8a4119f06834d01c0a09bb2f25c2a1527caf37f685d4292

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167547/

Comments