MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba7a10dc4686b5b183a33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.FileTour

Vendor detections: 10


SHA256 hash: b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba7a10dc4686b5b183a33
SHA3-384 hash: 7f3a9cd2717c76a08eea5f190f61485722409219dabc77e9919330445b4c36059b089a106faeffa09bb379d0727a938e
SHA1 hash: 6ad1c96ac41546be9c8dc7e9135ce461bc4af668
MD5 hash: 2c663b3f330f2adfda4339c8990f53c2
humanhash: lamp-carolina-fourteen-magnesium
File name: b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba.exe
Signature: Adware.FileTour
File size: 390'953 bytes
First seen: 2021-06-11 12:35:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'453 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 6144:x/QiQXCuoL8+Ee0CYDTAsdRfEMOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglMb:pQi3uoL8+iDNdRXlL//plmW9bTXeVhD4
Threatray: 57 similar samples on MalwareBazaar
TLSH: DC841203D6E11938E073CEB05CA5D5614A3F7D256DBC200476DDAD9E9F7FA82922A383
Reporter: abuse_ch
Tags: Adware.FileTour exe

abuse_ch
Adware.FileTour C2:
104.21.2.30:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                              ThreatFox Reference
104.21.2.30:80                   https://threatfox.abuse.ch/ioc/87999/
193.110.3.160:80                 https://threatfox.abuse.ch/ioc/88461/
172.67.128.165:80                https://threatfox.abuse.ch/ioc/89410/
http://morika05.top/index.php    https://threatfox.abuse.ch/ioc/90252/
http://olmsgv52.top/index.php    https://threatfox.abuse.ch/ioc/90281/

Intelligence


File Origin
# of uploads: 1
# of downloads: 173
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: E12B3D810276E5300981CDBBE7CDA010.exe
Verdict: Malicious activity
Analysis date: 2021-06-10 03:09:16 UTC
Tags: trojan opendir evasion loader stealer vidar netsupport unwanted danabot rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Delayed reading of the file
Creating a file in the Program Files subdirectories
Deleting a recently created file
Sending a UDP request
Creating a process with a hidden window
Searching for the window
Creating a file
Creating a file in the Windows subdirectories
Launching a process
Connecting to a non-recommended domain
Reading critical registry keys
Connection attempt
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Setting a single autorun event
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph: [behavior graph image not reproduced in text; Behavior Graph ID: 433247, Sample: b9f5bca9a22f08aad48674bc42e..., Startdate: 11/06/2021, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-05-26 09:12:59 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:plugx family:vidar discovery evasion persistence spyware stealer trojan upx vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Program crash
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
PlugX
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Unpacked files
SHA256 hash: ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash: ccf4a60623b784b084855d0468d76eab
SHA1 hash: 9419cc65a1bb70e8780f6da7cedd169eb333db88

SHA256 hash: 017339a1e5a96fa3b2fb72d63a95bba8a5f5a0ba04598c029ff253c0acbdee1f
MD5 hash: 2e1c4eaee66deba7971ce75142da0d89
SHA1 hash: e3a6d42c5777c203d1ce503a97b168ac814cc86a

SHA256 hash: b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba7a10dc4686b5b183a33
MD5 hash: 2c663b3f330f2adfda4339c8990f53c2
SHA1 hash: 6ad1c96ac41546be9c8dc7e9135ce461bc4af668
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_RedLine
Author: ditekshen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments