MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab5e597bf7316bd8fcaeca8cddeec38a9585704a7929d50ea92ba603b038d7f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adware.FileTour


Vendor detections: 12



SHA256 hash: ab5e597bf7316bd8fcaeca8cddeec38a9585704a7929d50ea92ba603b038d7f3
SHA3-384 hash: b26416928a37ba3894463cab6e643493be6abb8e3b1278c51909c2aeae9cbc9cb57831600015609eb8e007e274a81a40
SHA1 hash: 7950760a45972465207bd60062dab04449fa88ba
MD5 hash: 146d5e3ba35287954f1b61bf2ef52e24
humanhash: ohio-jupiter-october-minnesota
File name: 146D5E3BA35287954F1B61BF2EF52E24.exe
Download: download sample
Signature Adware.FileTour
File size: 2'913'951 bytes
First seen: 2021-09-05 07:55:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 49152:pAI+DgOabshj2kKeiN2VBJvMrslCAZCxJO19b0FzvbcKwPCGKXyi1BqbSYo2e9U8:pAI+Dnab02DslCA2JLvb5waFXLmTo2I/
Threatray 1'216 similar samples on MalwareBazaar
TLSH T11DD53365A381853AE0720678984BC6327836B2044FEC549FB7FE1E1DDD7724952BE387
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags: Adware.FileTour exe


abuse_ch
Adware.FileTour C2:
http://94.158.245.173/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://94.158.245.173/ | https://threatfox.abuse.ch/ioc/215894/

Intelligence


File Origin
# of uploads :
1
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install
Verdict:
Malicious activity
Analysis date:
2021-09-02 13:04:52 UTC
Tags:
trojan rat redline stealer evasion raccoon vidar loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Sending a UDP request
Running batch commands
Creating a file in the Windows subdirectories
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Moving a recently created file
Creating a file in the %AppData% directory
Creating a file in the system32 directory
Sending an HTTP GET request to an infection source
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Launching cmd.exe command interpreter
Creating a file in the system32 subdirectories
Replacing files
Possible injection to a system process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Malware family:
Raccoon Stealer
Verdict:
Malicious
Result
Threat name:
BitCoin Miner Cookie Stealer Nitol Racco
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Cookie Stealer
Yara detected Costura Assembly Loader
Yara detected Nitol
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 477909
Sample: kj1CaURZbn.exe
Startdate: 05/09/2021
Architecture: WINDOWS
Score: 100
(The graph image is not reproduced here; its nodes and edges are listed below in text form.)
Process tree:
kj1CaURZbn.exe started PBrowFile15.exe, SmartPDF.exe, 9840432e051a6fa1192594db02b80a4c1fd73456.exe and 5 other processes
rundll32.exe started rundll32.exe, which injected into svchost.exe and 2 other processes
PBrowFile15.exe started 6507186.exe, 6821485.exe, 6568343.exe
SmartPDF.exe started cmd.exe (x2); cmd.exe started conhost.exe, powershell.exe, svchost32.exe
9840432e051a6fa1192594db02b80a4c1fd73456.exe started cmd.exe; cmd.exe started conhost.exe, timeout.exe
svchost.exe (injected) started svchost.exe
Network (IPs and domains):
104.21.34.192 CLOUDFLARENETUS United States
clientconfig.passport.net
gavenetwork.bar and 3 other IPs or domains (PBrowFile15.exe)
94.158.245.173, 49702, 80 MIVOCLOUDMD Moldova Republic of (9840432e051a6fa1192594db02b80a4c1fd73456.exe)
telete.in 195.201.225.248, 443, 49701 HETZNER-ASDE Germany (9840432e051a6fa1192594db02b80a4c1fd73456.exe)
95.142.37.102 EUROBYTEEurobyteLLCMoscowRussiaRU Russian Federation
186.2.171.3, 49719, 80 DDOS-GUARDCORPBZ Belize
3 other IPs or domains
104.21.24.17 CLOUDFLARENETUS United States (6507186.exe)
185.177.125.94 WORLDSTREAMNL Netherlands (6821485.exe)
104.26.13.31 CLOUDFLARENETUS United States (6821485.exe)
iplis.ru 88.99.66.31, 443, 49704, 49705 HETZNER-ASDE Germany
clients.l.google.com 142.250.186.78, 443, 49703, 50542 GOOGLEUS United States
10 other IPs or domains
google.vrthcobj.com 34.97.69.225 GOOGLEUS United States (svchost.exe)
Dropped files:
C:\Program Files (x86)\SmartPDF\...\stats.exe, PE32
C:\Program Files (x86)\...\note866.exe, PE32
C:\Program Files (x86)\SmartPDF\...\lg.exe, PE32
6 other files (5 malicious)
C:\Users\user\AppData\Roaming\6821485.exe, PE32
C:\Users\user\AppData\Roaming\6507186.exe, PE32
C:\Users\user\AppData\Roaming\7938464.exe, PE32
C:\Users\user\AppData\Roaming\6568343.exe, PE32
C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ (SmartPDF.exe)
59 other files (none is malicious) (9840432e051a6fa1192594db02b80a4c1fd73456.exe)
C:\Users\user\Documents\...\note866.exe, PE32
C:\Users\user\AppData\...\tmp301D_tmp.exe, PE32
C:\Users\user\AppData\Local\...\stats.tmp, PE32
C:\Users\user\AppData\...\WinHoster.exe, PE32 (6568343.exe)
C:\Users\user\AppData\Local\Temp\axhub.dll, PE32
C:\Users\user\AppData\Local\...\Cookies, SQLite
C:\Users\user\AppData\...\itdownload.dll, PE32
4 other files (none is malicious)
C:\Windows\System32\services32.exe, PE32+ (svchost32.exe)
Signatures attached to graph nodes:
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for domain / URL
Antivirus detection for URL or domain
24 other signatures
Adds a directory exclusion to Windows Defender (SmartPDF.exe, cmd.exe)
Tries to steal Mail credentials (via file access) (9840432e051a6fa1192594db02b80a4c1fd73456.exe)
Writes to foreign memory regions (rundll32.exe)
Allocates memory in foreign processes (rundll32.exe)
Creates a thread in another existing process (thread injection) (rundll32.exe)
Tries to harvest and steal browser information (history, passwords, etc) (other processes, 6507186.exe)
Performs DNS queries to domains with low reputation (gavenetwork.bar)
Detected unpacking (changes PE section rights) (6507186.exe)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) (6821485.exe)
Tries to steal Crypto Currency Wallets (6821485.exe)
Uses schtasks.exe or at.exe to add and modify task schedules (cmd.exe)
System process connects to network (likely due to code injection or exploit) (svchost.exe)
Sets debug register (to hijack the execution of another thread) (svchost.exe)
Modifies the context of a thread in another process (thread injection) (svchost.exe)
Drops executables to the windows directory (C:\Windows) and starts them (svchost32.exe)
Query firmware table information (likely to detect VMs) (svchost.exe)
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2021-09-02 19:13:00 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
5/5
Result
Malware family:
redline
Score:
10/10
Tags:
family:raccoon family:redline botnet:208cae76e27fe102019484f9b1e2c6db71cd743e discovery evasion infostealer persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash:
ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash:
ccf4a60623b784b084855d0468d76eab
SHA1 hash:
9419cc65a1bb70e8780f6da7cedd169eb333db88
SHA256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
SHA256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
SHA256 hash:
d055b76f5b6f57a8dd84bbe8e70a86c2877fc9486491948bbf03ba6a368c5d06
MD5 hash:
71a97ce396722d0fce07f9878ca47734
SHA1 hash:
a8716e491dbc1dfd03e3a208dbc52206942351d2
SHA256 hash:
5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc
MD5 hash:
21775ff041e7277d87aa8fdf1e09da6c
SHA1 hash:
6dd1d6716cb93adef6c9b39490a79e77fd5396c9
SHA256 hash:
e2a652f0d48dd116e6cbfa0a4ee7cd626a188b536767728b95515aa4ed49332d
MD5 hash:
b5ac3301996922db16b590f16c80143f
SHA1 hash:
51147ea003dcc78b47655edf5ab11f7959988aba
SHA256 hash:
f4dc97b32ae2776d0d6433c608c1519c71d7f1deb2fda87f4d23ea063fa6a874
MD5 hash:
0d8d682aacb165de2e48349fc9857607
SHA1 hash:
8bc853185a698f366dff9eb08823ab7bedcfaf26
SHA256 hash:
ca32bdff488d1b4dca1dab7600f94bebbebfb771eeb5778a471dbbd44de07717
MD5 hash:
36cbfdaf320998c1090ca91b85d94dc5
SHA1 hash:
20072b5dc543f3b972e57f7ddc2348c0b337e919
SHA256 hash:
e7483cfeecfae0228e7fbbfd80454d57b208cc7a0be6b872e31b2c956cf1595f
MD5 hash:
c207095f8da73b96401cad749bc90ddf
SHA1 hash:
7614bbe72ca00f27add42bc7a2c2246fd8f5cbb6
SHA256 hash:
2e202b045d77d0c64b6293d84294bb234da3b2302dd79bf9635c1453eca1924a
MD5 hash:
f81728779ca6259fe33b262e077aa73b
SHA1 hash:
96484eb0b81e739f13b903d8ab2102945aac2ec8
Detections:
win_raccoon_auto
SHA256 hash:
ab5e597bf7316bd8fcaeca8cddeec38a9585704a7929d50ea92ba603b038d7f3
MD5 hash:
146d5e3ba35287954f1b61bf2ef52e24
SHA1 hash:
7950760a45972465207bd60062dab04449fa88ba
Malware family:
Raccoon v1.7.2
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments