MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b412a43bbd6598818a0fe157f513fc8d74e67430b53b8f29eaefdceb57e7b80b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 10


Intelligence 10 IOCs 2 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b412a43bbd6598818a0fe157f513fc8d74e67430b53b8f29eaefdceb57e7b80b
SHA3-384 hash: 0c9c1eba6cfc08f2c3e648af033394d8eced923a3b078eab59e35293d7e5d250dd6705fb2390a0980758a8cddf91c675
SHA1 hash: 8ef260f55055d4a7242d6e3cbf0359d2793bc374
MD5 hash: 82d8fe8523a17596a64f5ec94845e7c0
humanhash: wisconsin-one-zebra-delaware
File name:82D8FE8523A17596A64F5EC94845E7C0.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:3'368'493 bytes
First seen:2021-06-07 05:41:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:UbA30MdTQFfT+hi+4JnMSeFD+JQni7g2eFn3hljTMCG3TqwZr4kJyWh/ipcVsAjv:Ub7FZHaFymi7g2mvILTJrJniss47C/O
Threatray 710 similar samples on MalwareBazaar
TLSH C3F53352BDE19972C5650D364A2A76562636FF201F28DDDBA3E08F4ECE350E0E331726
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
5.252.179.50:1203

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
5.252.179.50:1203 https://threatfox.abuse.ch/ioc/72133/
162.55.55.250:80 https://threatfox.abuse.ch/ioc/67974/

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
82D8FE8523A17596A64F5EC94845E7C0.exe
Verdict:
Malicious activity
Analysis date:
2021-06-07 06:56:55 UTC
Tags:
evasion trojan autoit
Link:
https://app.any.run/tasks/fef896d3-375d-43ed-ac9a-e56b4c7fdfb9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164837/
Detection(s):
Win.Malware.Mikey-9866193-0
Create hunting rule

Win.Malware.Generic-9866235-0
Create hunting rule

Win.Malware.Nymeria-9867377-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Sending a UDP request
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Creating a file
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Reading critical registry keys
Deleting a recently created file
Launching a process
Sending a custom TCP request
Creating a file in the %AppData% directory
Connection attempt
Modifying a system file
Unauthorized injection to a recently created process
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/797898
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
DLL reload attack detected
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 430296 Sample: kkZlGFJMS1.exe Startdate: 07/06/2021 Architecture: WINDOWS Score: 100 122 52.255.188.83 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->122 148 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->148 150 Antivirus detection for dropped file 2->150 152 Multi AV Scanner detection for dropped file 2->152 154 11 other signatures 2->154 10 kkZlGFJMS1.exe 12 2->10         started        signatures3 process4 file5 54 C:\Users\user\Desktop\pzyh.exe, PE32 10->54 dropped 56 C:\Users\user\Desktop\pub2.exe, PE32 10->56 dropped 58 C:\Users\user\Desktop\jg3_3uag.exe, PE32 10->58 dropped 60 4 other files (1 malicious) 10->60 dropped 13 Folder.exe 6 10->13         started        16 KRSetp.exe 15 7 10->16         started        20 IDWCH1.exe 10->20         started        22 4 other processes 10->22 process6 dnsIp7 62 C:\Users\user\AppData\Local\...\install.dll, PE32 13->62 dropped 64 C:\Users\user\AppData\...64ewtonsoft.Json.dll, PE32 13->64 dropped 24 rundll32.exe 13->24         started        27 conhost.exe 13->27         started        106 topnewsdesign.xyz 172.67.206.72, 443, 49715 CLOUDFLARENETUS United States 16->106 108 192.168.2.1 unknown unknown 16->108 66 C:\Users\user\AppData\Roaming\2277071.exe, PE32 16->66 dropped 68 C:\Users\user\AppData\Roaming\1587755.exe, PE32 16->68 dropped 70 C:\Users\user\AppData\Roaming\2347807.exe, PE32 16->70 dropped 132 Detected unpacking (changes PE section rights) 16->132 134 Detected unpacking (overwrites its own PE header) 16->134 136 May check the online IP address of the machine 16->136 138 Performs DNS queries to domains with low reputation 16->138 29 1587755.exe 16->29         started        32 2277071.exe 16->32         started        35 2347807.exe 16->35         started        72 C:\Users\user\AppData\Local\...\IDWCH1.tmp, PE32 20->72 dropped 37 IDWCH1.tmp 20->37         started        110 101.36.107.74, 49710, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 22->110 112 ip-api.com 208.95.112.1, 49711, 80 TUT-ASUS United States 22->112 114 7 other IPs or domains 22->114 74 C:\Users\user\Documents\...\jg3_3uag.exe, PE32 22->74 dropped 76 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 22->76 dropped 78 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 22->78 dropped 140 DLL reload attack detected 22->140 142 Drops PE files to the document folder of the user 22->142 144 Tries to harvest and steal browser information (history, passwords, etc) 22->144 146 2 other signatures 22->146 39 jfiag3g_gg.exe 22->39         started        41 jfiag3g_gg.exe 22->41         started        file8 signatures9 process10 dnsIp11 158 Contains functionality to infect the boot sector 24->158 160 Contains functionality to inject threads in other processes 24->160 162 Contains functionality to inject code into remote processes 24->162 174 5 other signatures 24->174 43 svchost.exe 24->43 injected 80 C:\Users\user\AppData\...\WinHoster.exe, PE32 29->80 dropped 164 Detected unpacking (changes PE section rights) 29->164 166 Detected unpacking (overwrites its own PE header) 29->166 168 Creates multiple autostart registry keys 29->168 116 videoconvert-download12.xyz 172.67.192.171, 443, 49727 CLOUDFLARENETUS United States 32->116 94 7 other files (none is malicious) 32->94 dropped 170 Performs DNS queries to domains with low reputation 32->170 118 172.67.163.99 CLOUDFLARENETUS United States 35->118 82 C:\ProgramData\70\vcruntime140.dll, PE32 35->82 dropped 84 C:\ProgramData\70\sqlite3.dll, PE32 35->84 dropped 96 5 other files (none is malicious) 35->96 dropped 120 limesfile.com 198.54.126.101, 49717, 80 NAMECHEAP-NETUS United States 37->120 86 C:\Users\user\...\8__________________67.exe, PE32 37->86 dropped 88 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 37->88 dropped 90 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 37->90 dropped 92 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 37->92 dropped 46 8__________________67.exe 37->46         started        172 Tries to harvest and steal browser information (history, passwords, etc) 39->172 file12 signatures13 process14 dnsIp15 176 System process connects to network (likely due to code injection or exploit) 43->176 178 Sets debug register (to hijack the execution of another thread) 43->178 180 Modifies the context of a thread in another process (thread injection) 43->180 50 svchost.exe 43->50         started        126 198.54.116.159 NAMECHEAP-NETUS United States 46->126 128 2.20.142.210 AKAMAI-ASN1EU European Union 46->128 130 2 other IPs or domains 46->130 98 C:\Users\user\AppData\...\Kavocuwaeme.exe, PE32 46->98 dropped 100 C:\Users\user\AppData\...\Takujidumy.exe, PE32 46->100 dropped 102 C:\Program Files (x86)\...\Jahimudeho.exe, PE32 46->102 dropped 104 4 other files (3 malicious) 46->104 dropped 182 Creates multiple autostart registry keys 46->182 file16 signatures17 process18 dnsIp19 124 email.yg9.me 198.13.62.186 AS-CHOOPAUS United States 50->124 156 Query firmware table information (likely to detect VMs) 50->156 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b412a43bbd6598818a0fe157f513fc8d74e67430b53b8f29eaefdceb57e7b80b/
Threat name:
Win32.Trojan.CookiesStealer
Create hunting rule
Status:
Malicious
First seen:
2021-06-05 05:29:00 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wqjkio55mwmidcqp4fl7ke74rv2om5bqwu5y6kpk57oowv7hxafq._file
Verdict:
malicious
Similar samples:
04361291bf3ae8acd73f886bf5cab71fa35097256e12c0bb1b2360d4603a40e7
Adware.FileTour
3c2fa1d04daaea31991c29bb4118c3d146a50815a033ea5ae325c3171ebdf713
Adware.FileTour
3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1
Adware.FileTour
445d39df326616cbfd206707370348697ee1ad8ffb5ce1edc330afe9bf49266e
Adware.FileTour
6a966d8a8bc18b016f35a159c110eb8dd5527b83e39db5fa7300e4634c9cb096
Adware.FileTour
da19103e927e19daedc51212deb60ceca403e3e9876c52a9dec41d7e6215929b
Adware.FileTour
e55e95de03dff2a35cb8304d855c944a5309c56ff8d369af0a542e600faa6808
Adware.FileTour
e6e11a92390d1e01775514d1a4f047f5b94471070a07bf82b6e9fe5c547d55a8
Adware.FileTour
ea50cc254fa1cc865d19d13bbdf206dc69092d6f723cb56a3843d74ba83e64a0
Adware.FileTour
ff4a3e44fcd1cfbbf10ac318aca7559e0c20d0563e11e8a98e21e09e97ca68d3
Adware.FileTour
+ 700 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:elysiumstealer family:plugx family:redline family:smokeloader family:vidar backdoor discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210607-anjj99qhzn/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
autoit_exe
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
ElysiumStealer
PlugX
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
45.153.230.81:6945
Unpacked files
SH256 hash:
e77cdc6d91da7a5293f4b9ec11524dd8302c63b44d3aa2eaa5ea6691e5216237
MD5 hash:
2724973fee4e3d0f9e3da19e32be212c
SHA1 hash:
632e40eece8d06f9d8bcb88488ecfe34b608ead3
Link:
https://www.unpac.me/results/7603580d-c356-4457-9b11-24f6b7ea80f4/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/7603580d-c356-4457-9b11-24f6b7ea80f4/
SH256 hash:
12b2a34db1f822c089218f1b46c1870462a0afb65ff0364e0f0ba043e93c1e5a
MD5 hash:
a7732204d9c883a4373c8b615c97de43
SHA1 hash:
017de30fc0647908eb8dd532982ce6644fb13e59
Link:
https://www.unpac.me/results/7603580d-c356-4457-9b11-24f6b7ea80f4/
SH256 hash:
0edfac6be11732ddd99db66821ee47408c2dc1e9bed68e5ef9a8e130c565b79b
MD5 hash:
cbd6029abaa8e977d3b7435c6f70dd0e
SHA1 hash:
ebb89d4d7659ef77b658a86ad00dba0ead869f4c
Link:
https://www.unpac.me/results/7603580d-c356-4457-9b11-24f6b7ea80f4/
SH256 hash:
9a9a50f91b2ae885d01b95069442f1e220c2a2a8d01e8f7c9747378b4a8f5cfc
MD5 hash:
957460132c11b2b5ea57964138453b00
SHA1 hash:
12e46d4c46feff30071bf8b0b6e13eabba22237f
Link:
https://www.unpac.me/results/7603580d-c356-4457-9b11-24f6b7ea80f4/
SH256 hash:
8ec643e9420705ceff89994f894da621eca957aec6181e049df70635d6adb92d
MD5 hash:
b592e7b8d28101b2959aeaf11fc97b74
SHA1 hash:
710f8fd367df8bd3b4494eed025c3428d34bb840
Link:
https://www.unpac.me/results/7603580d-c356-4457-9b11-24f6b7ea80f4/
SH256 hash:
0677c997384db10fb20e0da804457fbb8224523f73b808974eae4a7d2060079b
MD5 hash:
03288cf1f4a57d6c5ae70ae35afedf61
SHA1 hash:
049cc6175ceed15bc66e1291fa4e7b825b869550
Link:
https://www.unpac.me/results/7603580d-c356-4457-9b11-24f6b7ea80f4/
SH256 hash:
1badef9c89d708a864b0f9fc7cc036601e3f9ea88ea50545647a5c76e59a5e65
MD5 hash:
0c969ac813005e77997ea50a2451d3f5
SHA1 hash:
d2330287caa11e8979fb2c6454aa844fe8edb88a
Link:
https://www.unpac.me/results/7603580d-c356-4457-9b11-24f6b7ea80f4/
SH256 hash:
1bfbd2e00e56583e0d36d469d3c735366948a8d61f30099a33a5b85cd8735cef
MD5 hash:
00d286039cb95d0d972a5cebc338038d
SHA1 hash:
f928410b11b8eb84b4c2670316ba94c8a1c6084f
Link:
https://www.unpac.me/results/7603580d-c356-4457-9b11-24f6b7ea80f4/
SH256 hash:
c91ca77355ae6a9e392f031bc96eee3dde5fbf5a7de4f14e130b9ae10af706f4
MD5 hash:
25a084656cf004bcb417101b2fb17327
SHA1 hash:
48909f92d090ee35f67a1a0b440b5f57f94aee87
Link:
https://www.unpac.me/results/7603580d-c356-4457-9b11-24f6b7ea80f4/
SH256 hash:
1650ed9fbd71f307c937c7dbb5932fe18d5b54cfb80abea1b1096611e3b0c230
MD5 hash:
343686a31f33500feecf5639f4889c8e
SHA1 hash:
2d71c2e686d27d41e1b4fdaab0a82bb85ad26238
Link:
https://www.unpac.me/results/7603580d-c356-4457-9b11-24f6b7ea80f4/
SH256 hash:
994102b70b85b29b8b802e3bdfaa20ed48846e64f39ada455358db47770b0cf8
MD5 hash:
5483e3f0f6f95776715b4db251a84a80
SHA1 hash:
5c5c27c1d94737f595eba0f5a9ec456d3ed2f0ed
Link:
https://www.unpac.me/results/7603580d-c356-4457-9b11-24f6b7ea80f4/
SH256 hash:
b412a43bbd6598818a0fe157f513fc8d74e67430b53b8f29eaefdceb57e7b80b
MD5 hash:
82d8fe8523a17596a64f5ec94845e7c0
SHA1 hash:
8ef260f55055d4a7242d6e3cbf0359d2793bc374
Link:
https://www.unpac.me/results/7603580d-c356-4457-9b11-24f6b7ea80f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b412a43bbd6598818a0fe157f513fc8d74e67430b53b8f29eaefdceb57e7b80b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:win_smokeloader_a2
Create hunting rule
Author:pnx
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/164837/

Comments