MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa9be79c40da851c806a4cbd196aad2731e57090c5c4e0bb107437073e0ebd11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa9be79c40da851c806a4cbd196aad2731e57090c5c4e0bb107437073e0ebd11
SHA3-384 hash: 2889398506dbcf55cc15c6b05430e142152be4a524621de3e676013e025731a98cc2388276663c99023bb8a60ed5e8e1
SHA1 hash: 912c07ea3c0f3399c9c0b87524b763e11f50d322
MD5 hash: 27118a12fe3aaac9fc76624ceb4ec722
humanhash: floor-twelve-jupiter-six
File name:27118A12FE3AAAC9FC76624CEB4EC722.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:390'088 bytes
First seen:2021-05-23 17:00:31 UTC
Last seen:2021-05-23 18:02:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'463 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 6144:x/QiQXCakm+ksmpk3U9j0IBeOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3aP6m6UR0IBelL//plmW9bTXeVhD4
Threatray 29 similar samples on MalwareBazaar
TLSH 68841243F3F19439E073CEB05C90E962893B79254DBC650876ECAD8E9F3B5829256783
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
http://94.130.58.199/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.130.58.199/ https://threatfox.abuse.ch/ioc/57564/

Intelligence

File Origin
# of uploads :
2
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
27118A12FE3AAAC9FC76624CEB4EC722.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-23 17:13:08 UTC
Tags:
installer
Link:
https://app.any.run/tasks/ef0f6a6c-5aa4-4a7d-9028-c338538ef754

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/160919/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file
Deleting a recently created file
Sending an HTTP POST request
Creating a file in the Windows subdirectories
Adding an access-denied ACE
Launching a process
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Connection attempt
Modifying a system file
Unauthorized injection to a recently created process
Setting a single autorun event
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/789688
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Searches for Windows Mail specific files
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 422084 Sample: 0fXCUmAjNE.exe Startdate: 23/05/2021 Architecture: WINDOWS Score: 100 112 www.cloud-security.xyz 2->112 114 www.profitabletrustednetwork.com 2->114 116 51 other IPs or domains 2->116 144 Multi AV Scanner detection for domain / URL 2->144 146 Antivirus detection for URL or domain 2->146 148 Antivirus detection for dropped file 2->148 152 5 other signatures 2->152 11 0fXCUmAjNE.exe 2 2->11         started        14 Pishaxypawe.exe 2->14         started        signatures3 150 Performs DNS queries to domains with low reputation 114->150 process4 dnsIp5 82 C:\Users\user\AppData\...\0fXCUmAjNE.tmp, PE32 11->82 dropped 17 0fXCUmAjNE.tmp 3 19 11->17         started        142 limesfile.com 14->142 84 C:\Program Files (x86)\...\Windows Update.exe, PE32 14->84 dropped 86 C:\...\Windows Update.exe.config, XML 14->86 dropped 21 Windows Update.exe 14->21         started        file6 process7 dnsIp8 96 limesfile.com 198.54.126.101, 49722, 49726, 49744 NAMECHEAP-NETUS United States 17->96 64 C:\Users\user\AppData\Local\Temp\...\RimK.exe, PE32 17->64 dropped 66 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 17->66 dropped 68 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 17->68 dropped 70 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 17->70 dropped 23 RimK.exe 20 20 17->23         started        file9 process10 dnsIp11 132 global-sc-ltd.com 199.188.201.83, 49725, 80 NAMECHEAP-NETUS United States 23->132 134 connectini.net 162.0.210.44, 443, 49723, 49731 ACPCA Canada 23->134 136 2 other IPs or domains 23->136 74 C:\Users\user\AppData\...\Xaefelomomy.exe, PE32 23->74 dropped 76 C:\Users\user\AppData\...\Kycoremelae.exe, PE32 23->76 dropped 78 C:\Program Files (x86)\...\Pishaxypawe.exe, PE32 23->78 dropped 80 4 other files (3 malicious) 23->80 dropped 154 Detected unpacking (overwrites its own PE header) 23->154 156 Searches for Windows Mail specific files 23->156 28 Kycoremelae.exe 14 5 23->28         started        32 Xaefelomomy.exe 23->32         started        34 prolab.exe 2 23->34         started        file12 signatures13 process14 dnsIp15 138 connectini.net 28->138 158 Detected unpacking (overwrites its own PE header) 28->158 160 Machine Learning detection for dropped file 28->160 37 iexplore.exe 28->37         started        40 iexplore.exe 28->40         started        42 iexplore.exe 28->42         started        47 11 other processes 28->47 140 connectini.net 32->140 162 Antivirus detection for dropped file 32->162 72 C:\Users\user\AppData\Local\...\prolab.tmp, PE32 34->72 dropped 44 prolab.tmp 27 26 34->44         started        file16 signatures17 process18 dnsIp19 118 www.cloud-security.xyz 37->118 120 cloud-security.xyz 37->120 126 2 other IPs or domains 37->126 49 iexplore.exe 37->49         started        128 3 other IPs or domains 40->128 52 iexplore.exe 40->52         started        54 iexplore.exe 40->54         started        122 vexacion.com 42->122 56 iexplore.exe 42->56         started        58 iexplore.exe 42->58         started        88 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 44->88 dropped 90 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 44->90 dropped 92 C:\Program Files (x86)\...\is-SSAE8.tmp, PE32 44->92 dropped 94 8 other files (none is malicious) 44->94 dropped 124 www.profitabletrustednetwork.com 47->124 130 3 other IPs or domains 47->130 60 iexplore.exe 47->60         started        62 iexplore.exe 47->62         started        file20 process21 dnsIp22 98 directdexchange.com 35.201.70.46, 443, 49739, 49740 GOOGLEUS United States 54->98 108 3 other IPs or domains 54->108 100 vexacion.com 139.45.197.236, 443, 49733, 49734 RETN-ASEU Netherlands 60->100 110 3 other IPs or domains 60->110 102 static.wholefreshposts.com 139.45.197.177, 443, 49749, 49750 RETN-ASEU Netherlands 62->102 104 propeller-tracking.com 139.45.197.240, 443, 49753, 49754 RETN-ASEU Netherlands 62->104 106 wholefreshposts.com 62->106
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa9be79c40da851c806a4cbd196aad2731e57090c5c4e0bb107437073e0ebd11/
Threat name:
Win32.Infostealer.Passteal
Create hunting rule
Status:
Malicious
First seen:
2021-05-21 01:19:00 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vkn6phca3kcrzadkjs6rs2vne4y6k4eqyxcoboyqoq3qopqoxuiq._file
Verdict:
unknown
Similar samples:
4ae0156d1ccca584c5ed35708b150e0649cd470f5b192653a578c215e5118c08
Adware.FileTour
6bd5019594fbe81423f3f5c10c61773203914ebcc1d57dfab9bde6d8bc7b6c46
Adware.FileTour
864ef1321215c0dad7c8677e3c18942b111468c63358475baa71fb1679c25096
Adware.FileTour
8e4f30afa8d0ce48c46a39e2754d8f7adad90ae8ccaf0132b354be76076b20cc
Adware.FileTour
a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d
Adware.FileTour
cb3c387163302fbf8ddb4c13e9d786c1070a4185a74bdd3faebd1649d02b2b30
Adware.FileTour
cf1a8304da78b6286a412d33ef3e0390949eb83e5b08ad63c006ed578d5d4c95
Adware.FileTour
e13ba9f6e63e4013b75c3d45b012d8cbdda80913669bdd10942828b05d66e798
Adware.FileTour
ea077019bc7eed24cd45cf0e7b78d8a90ee8a7b8e6a7c7e994d1f62954d00c39
Adware.FileTour
eb2b82c14b81523edd762536c3dcd308624821dd6840e8cabdf94327d55fcbf9
Adware.FileTour
+ 19 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:elysiumstealer family:plugx family:redline family:vidar discovery evasion infostealer persistence spyware stealer trojan vmprotect
Link:
https://tria.ge/reports/210523-7hhxy1e2cs/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Program crash
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
VMProtect packed file
Checks for common network interception software
ElysiumStealer
PlugX
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa9be79c40da851c806a4cbd196aad2731e57090c5c4e0bb107437073e0ebd11

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/160919/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-23 18:08:55 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [C0021] Cryptography Micro-objective::Generate Pseudo-random Sequence
2) [C0032.001] Data Micro-objective::CRC32::Checksum
3) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0046] File System Micro-objective::Create Directory
6) [C0048] File System Micro-objective::Delete Directory
7) [C0047] File System Micro-objective::Delete File
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0052] File System Micro-objective::Writes File
11) [C0007] Memory Micro-objective::Allocate Memory
12) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
13) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
14) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
15) [C0017.003] Process Micro-objective::Create Suspended Process::Create Process
16) [C0017] Process Micro-objective::Create Process
17) [C0041] Process Micro-objective::Set Thread Local Storage Value
18) [C0018] Process Micro-objective::Terminate Process