MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adware.FileTour


Vendor detections: 12



SHA256 hash: a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
SHA3-384 hash: 9e46f44367692a876c6055faa75dca75f7fed59f2250941b47454ef1891d0b8db2a890d2ac84c9981e526ca1cceba7c3
SHA1 hash: 91111164eb5a8b996eefe72a6363bad3f1a858b0
MD5 hash: c105d4787dde8f7183c57c1285e9f808
humanhash: carpet-winter-london-eighteen
File name: C105D4787DDE8F7183C57C1285E9F808.exe
Signature: Adware.FileTour
File size: 6'024'291 bytes
First seen: 2021-08-20 19:41:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (also seen in 122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:x7CvLUBsg7C0ijhUYMUpUqOnvqpM2GSEw1kHyaNgUvI745IRZYriuyY7x77:xALUCg7Cj1DavBHyQgUQ7XYiuyY7xv
Threatray: 106 similar samples on MalwareBazaar
TLSH: T14256331177D1D8F3DA07223483457B7580BD92A019AC21ABA3D09D6E7B794EED42FF28
dhash icon: 848c5454baf47474 (also seen in 2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: Adware.FileTour exe


abuse_ch
Adware.FileTour C2:
159.69.190.155:35975

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox reference
159.69.190.155:35975 https://threatfox.abuse.ch/ioc/192384/
95.181.172.100:6795 https://threatfox.abuse.ch/ioc/192435/
65.108.29.202:61024 https://threatfox.abuse.ch/ioc/192500/
95.181.157.130:11418 https://threatfox.abuse.ch/ioc/192501/
185.4.65.191:1203 https://threatfox.abuse.ch/ioc/192508/
94.103.82.22:49018 https://threatfox.abuse.ch/ioc/192510/

Intelligence


File Origin
# of uploads :
1
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C105D4787DDE8F7183C57C1285E9F808.exe
Verdict:
No threats detected
Analysis date:
2021-08-20 19:44:08 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Reading critical registry keys
Delayed reading of the file
Deleting a recently created file
Searching for analyzing tools
Creating a file
Creating a window
Sending an HTTP GET request
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Launching a process
Unauthorized injection to a recently created process
Stealing user critical data
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cryptbot RedLine Vidar
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cryptbot
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 469082; sample 1xDJNh6Npt.exe; start date 20/08/2021; architecture WINDOWS; score 100). Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 13 other signatures. Process tree recovered from the graph:
1xDJNh6Npt.exe: drops C:\Users\user\AppData\...\setup_install.exe (PE32), C:\Users\user\...\Sun12f16dad862e5.exe (PE32), C:\Users\user\AppData\...\Sun12e8955f09.exe (PE32+) and 11 other files (5 malicious); starts setup_install.exe.
setup_install.exe: contacts 127.0.0.1; adds a directory exclusion to Windows Defender; starts three cmd.exe instances and 8 other processes.
cmd.exe (x3): start Sun12f16dad862e5.exe, Sun1255d5adb176aec7a.exe and Sun125add0b48588f.exe.
8 other processes: contact 20.189.173.21 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); add a directory exclusion to Windows Defender; start Sun12e8955f09.exe, Sun12909bc20fc20.exe, Sun12e14a1a6d85.exe and 3 other processes.
Sun12f16dad862e5.exe: contacts 185.233.185.134 (YURTEH-ASUA, Russian Federation), 37.0.10.214 (WKD-ASIE, Netherlands) and 14 other IPs or domains; drops C:\Users\...\yLrFtbUzMhp0YJpE9AsxpW9y.exe, C:\Users\...\ugDOC4dNIrdN9lJ0DYfQ_soL.exe, C:\Users\...\uS2QYBvGB5ilPttA6Rr9HUBI.exe (all PE32) and 47 other files (42 malicious); drops PE files to the document folder of the user; creates HTML files with .exe extension (expired dropper behavior); disables Windows Defender real time protection (registry).
Sun1255d5adb176aec7a.exe: contacts 185.230.143.16 (HostingvpsvilleruRU, Russian Federation); detected unpacking (changes PE section rights); queries firmware table information (likely to detect VMs); tries to detect sandboxes and other dynamic analysis tools (window names); 2 other signatures.
Sun125add0b48588f.exe: checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 2 other signatures; injects into explorer.exe.
Sun12e8955f09.exe: contacts 5 other IPs or domains; drops C:\Users\user\AppData\...\fastsystem.exe (PE32+) and C:\Users\user\AppData\...\aaa_011[1].dll (DOS); contains functionality to steal Chrome passwords or cookies; drops PE files to the startup folder.
Sun12909bc20fc20.exe: creates processes via WMI; starts a second Sun12909bc20fc20.exe, which contacts 172.67.222.125 (CLOUDFLARENETUS, United States), drops C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32) and starts conhost.exe.
Sun12e14a1a6d85.exe: contacts 88.99.66.31 (HETZNER-ASDE, Germany).
3 other processes: contact 2 other IPs or domains; try to harvest and steal browser information (history, passwords, etc); start WerFault.exe.
Threat name:
Win32.Trojan.Sabsik
Status:
Malicious
First seen:
2021-08-18 10:05:00 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:cryptbot family:redline family:smokeloader family:vidar botnet:706 botnet:fopoejpvcepjvwe[9 botnet:second_7.5k botnet:www aspackv2 backdoor evasion infostealer spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
CryptBot
CryptBot Payload
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
lysuht78.top
morisc07.top
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
185.204.109.146:54891
45.14.49.200:27625
45.14.49.232:6811
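The ThreatFox IOC table and the C2 extraction above carry three kinds of network indicator: IP:port pairs, bare domains, and full URLs on otherwise legitimate hosts (the tumblr.com profile and the /upload/ paths, which match the "Legitimate hosting services abused for malware hosting/C2" behaviour reported above). The Python below is an added example, not part of this page or of MalwareBazaar's or ThreatFox's tooling. It indexes the page's indicators by kind and scans constructed DNS, proxy and netflow log lines: a URL indicator is matched as host plus path prefix, so unrelated tumblr.com traffic or other paths on the same site are not flagged, and a connection to a listed IP on a different port is reported as a weaker "ip_only" hit rather than dropped. The log format and the client addresses are assumptions; the indicators are the ones listed on this page.

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Network indicators copied from this page (ThreatFox IOC table and vendor C2 extraction).
PAGE_IOCS = [
    "159.69.190.155:35975", "95.181.172.100:6795", "65.108.29.202:61024",
    "95.181.157.130:11418", "185.4.65.191:1203", "94.103.82.22:49018",
    "185.204.109.146:54891", "45.14.49.200:27625", "45.14.49.232:6811",
    "lysuht78.top", "morisc07.top",
    "https://lenak513.tumblr.com/", "http://aucmoney.com/upload/",
    "http://thegymmum.com/upload/", "http://atvcampingtrips.com/upload/",
    "http://kuapakualaman.com/upload/", "http://renatazarazua.com/upload/",
    "http://nasufmutlu.com/upload/",
]

# Constructed log lines (not real telemetry): "<source> <fields...>". Client IPs are invented.
SAMPLE_LOGS = [
    "dns query lysuht78.top",
    "dns query mail.morisc07.top",
    "dns query cdn.tumblr.com",
    "proxy GET http://aucmoney.com/upload/ 200",
    "proxy GET http://aucmoney.com/index.html 200",
    "proxy GET https://lenak513.tumblr.com/ 200",
    "flow 10.0.0.5:51234 -> 185.204.109.146:54891",
    "flow 10.0.0.5:51235 -> 159.69.190.155:443",
    "flow 10.0.0.5:51236 -> 8.8.8.8:53",
]


def classify(token: str):
    """Return (kind, value) for an indicator or log token: url, socket, ip or domain.
    IPv4 only, since the page lists no IPv6 indicators (an IPv6 host:port would need brackets)."""
    if "://" in token:
        parts = urlsplit(token)
        return "url", ((parts.hostname or "").lower(), parts.path or "/")
    host, sep, port = token.rpartition(":")
    if sep and port.isdigit():
        try:
            return "socket", (ipaddress.ip_address(host), int(port))
        except ValueError:
            pass
    try:
        return "ip", ipaddress.ip_address(token)
    except ValueError:
        return "domain", token.lower().strip(".")


class IocIndex:
    def __init__(self, iocs):
        self.sockets = set()   # (ip, port) pairs
        self.ips = set()       # every listed IP, with or without a port
        self.domains = set()   # bare domains; subdomains also match
        self.urls = []         # (host, path_prefix) pairs
        for ioc in iocs:
            kind, value = classify(ioc)
            if kind == "socket":
                self.sockets.add(value)
                self.ips.add(value[0])   # same host on another port is still worth a look
            elif kind == "ip":
                self.ips.add(value)
            elif kind == "domain":
                self.domains.add(value)
            else:
                self.urls.append(value)

    def match_token(self, token: str):
        """Return (match_type, indicator) for one token, or None."""
        kind, value = classify(token)
        if kind == "socket":
            if value in self.sockets:
                return ("socket", f"{value[0]}:{value[1]}")
            if value[0] in self.ips:
                return ("ip_only", str(value[0]))
        elif kind == "ip" and value in self.ips:
            return ("ip_only", str(value))
        elif kind == "url":
            host, path = value
            for ioc_host, ioc_path in self.urls:
                if host == ioc_host and path.startswith(ioc_path):
                    return ("url", f"{ioc_host}{ioc_path}")
            # No URL indicator matched: fall back to treating the host as a domain token.
            kind, value = "domain", host
        if kind == "domain":
            for domain in self.domains:
                if value == domain or value.endswith("." + domain):
                    return ("domain", domain)
        return None

    def scan(self, lines):
        """Return (line, match_type, indicator) for every line with at least one hit."""
        hits = []
        for line in lines:
            for token in line.split():
                hit = self.match_token(token)
                if hit:
                    hits.append((line, *hit))
                    break
        return hits


if __name__ == "__main__":
    for line, kind, ioc in IocIndex(PAGE_IOCS).scan(SAMPLE_LOGS):
        print(f"{kind:8} {ioc:30} <- {line}")
```

Of the nine constructed lines, six produce hits: the two DNS queries for the listed .top domains, the two proxy requests that reach a listed URL, the flow to 185.204.109.146:54891 (exact socket), and the flow to 159.69.190.155 on port 443 (ip_only). The cdn.tumblr.com lookup and the request for a different path on aucmoney.com are deliberately not flagged, which is the point of keeping URL indicators scoped to host plus path rather than promoting them to domain matches.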
Unpacked files

SHA256 hash: 64c7ef3ed9e4573fa84560d690464695fb64d135bdcdd6331895d7c45af11568
MD5 hash: 79dc16327930b7f6edc982aea85110c9
SHA1 hash: e7cd82aceb133f5a5604e59a36647c3c8be26818

SHA256 hash: 0f359d1c55cee967fe6182274b2a3cae1b9f056b9eb29b6808e5a7a5b19aa3b6
MD5 hash: eb8a7e21e47880318bffc9079a1ecf62
SHA1 hash: c9b20bb05692a1026cee89c98fdb138dc2e935a9

SHA256 hash: d43fea0fe7c6890b9ec5f6b1a0cce4daf7cb54fd77e32447859a5eeed75669d3
MD5 hash: 679464caa41552079dae92337f8a004f
SHA1 hash: 23869d3dac7247a6f4d585d3b8c866630f29665c

SHA256 hash: dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash: c02a029c978f13b753c6b578b1588c75
SHA1 hash: e125d59451e7f467bfd329a00a506decbcd91d83

SHA256 hash: a2c74a570b5fdfa3633f0cefb8c34e11233d62403d226d48af130bc1c986d24f
MD5 hash: 34b17b580f2ca3610bcb6db343136451
SHA1 hash: d6c4e6d3f42ad52a175507b37835433e6b303875

SHA256 hash: c83c6bbdf2a042df0c8343aed3d04a09e2f09b7c97ca13da4e141b2ee6b73e24
MD5 hash: bd04c2aaa95597b44e601173a12ff67a
SHA1 hash: 6482176bc16a64fe9df5f4615c30dfddc083dcfc

SHA256 hash: a1317cecc63a421cf722a5bf45d14691dc5ce611833f850e03b89a4395cfd74a
MD5 hash: 914a8117c0c56c0fc8913e8cee4fd890
SHA1 hash: 5b07ff497398058f011724408974fe76692bcab1

SHA256 hash: 1e00b9b5681032886c230dfc5ee0813004942a6eb83dd08e019240cbc38e75eb
MD5 hash: 2000ae9f850aadb882ad675ed72931e2
SHA1 hash: 4e91e6ed9cbb255ebe15c5ac96e70eb92237ce96

SHA256 hash: fd4d632bf8decc7d545ea985813583d720d14e062d82b040ed9b620caeb3b894
MD5 hash: 8700eddf588b678f6a822a5e90c1e271
SHA1 hash: 25ee6dd0ee4acc37efecc572a02486a362c10e54

SHA256 hash: 8481913814ca5a4c693ec6149ebb061e0404bd68a505188682f04d60cb642ca1
MD5 hash: 0e847d56357ed4b2b111bf929d27c071
SHA1 hash: 4c626c8691e4bf97ec1c7f4591eed74591db3166

SHA256 hash: d5bd3a84eb36ce8b09faadd5785554a791a69d7a6d2f556f6238b6560a01e78f
MD5 hash: 57d16aa734f53584c238448bc07621cb
SHA1 hash: 5e75f9318ccca1d9cf8d11b63e134abe44885b89

SHA256 hash: a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
MD5 hash: c105d4787dde8f7183c57c1285e9f808
SHA1 hash: 91111164eb5a8b996eefe72a6363bad3f1a858b0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: MALWARE_Win_CryptBot
Author: ditekSHen
Description: CryptBot/Fugrafa stealer payload
Rule name: MALWARE_Win_MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: RedOctoberPluginCollectInfo
Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload
Rule name: win_cryptbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.cryptbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments