MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0b90c23b8130fffdfbff412f4535b474a3c207fa2228f78e6b822a38fae2d3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0b90c23b8130fffdfbff412f4535b474a3c207fa2228f78e6b822a38fae2d3f
SHA3-384 hash: c98d7e184282bbf8893a4b355898b68acaf6611938c1e86cae141178ce947c235fb07c9a52521c23acdf37ec8aeaaf4f
SHA1 hash: 17c76282c08667b9cdef64b009f6a646449d6a3f
MD5 hash: 47be12d63d2262e5f73cc86ad4abff97
humanhash: august-eleven-hot-vermont
File name:47BE12D63D2262E5F73CC86AD4ABFF97.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:390'055 bytes
First seen:2021-05-27 18:50:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'503 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 6144:x/QiQXCeJm+ksmpk3U9jW1U4P9bKOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZogE:pQi3es6m6URA3PhKlL//plmW9bTXeVh8
Threatray 24 similar samples on MalwareBazaar
TLSH 45841292B7E54838E073CEB05C90DA22893B79655C7CA50873ECAD8F9F3F6819256743
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
http://162.55.189.102/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://162.55.189.102/ https://threatfox.abuse.ch/ioc/65642/

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
47BE12D63D2262E5F73CC86AD4ABFF97.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-27 21:41:59 UTC
Tags:
installer
Link:
https://app.any.run/tasks/7ffe0455-d6eb-4190-a959-32f1c37c285e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/162757/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Sending an HTTP POST request
Creating a file
Deleting a recently created file
Replacing files
Adding an access-denied ACE
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Connection attempt
Unauthorized injection to a recently created process
Setting a single autorun event
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/793396
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 425791 Sample: f2fR2CiaRu.exe Startdate: 27/05/2021 Architecture: WINDOWS Score: 84 115 www.profitabletrustednetwork.com 2->115 117 www.gearbest.com 2->117 119 78 other IPs or domains 2->119 154 Antivirus detection for URL or domain 2->154 156 Antivirus detection for dropped file 2->156 158 Multi AV Scanner detection for submitted file 2->158 162 3 other signatures 2->162 11 f2fR2CiaRu.exe 2->11         started        13 ZHafiqyshitae.exe 2->13         started        signatures3 160 Performs DNS queries to domains with low reputation 117->160 process4 dnsIp5 17 f2fR2CiaRu.tmp 3 19 11->17         started        150 limesfile.com 13->150 95 C:\Program Files (x86)\...\Windows Update.exe, PE32 13->95 dropped 97 C:\...\Windows Update.exe.config, XML 13->97 dropped 21 Windows Update.exe 13->21         started        file6 process7 dnsIp8 113 limesfile.com 198.54.126.101, 49737, 49751, 49834 NAMECHEAP-NETUS United States 17->113 71 C:\Users\user\...\_________Solk___ing.exe, PE32 17->71 dropped 73 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 17->73 dropped 75 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 17->75 dropped 77 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 17->77 dropped 23 _________Solk___ing.exe 22 20 17->23         started        file9 process10 dnsIp11 136 global-sc-ltd.com 199.188.201.83, 49748, 80 NAMECHEAP-NETUS United States 23->136 138 iplogger.org 88.99.66.31, 443, 49755, 49853 HETZNER-ASDE Germany 23->138 140 3 other IPs or domains 23->140 79 C:\Program Files (x86)\...\ZHafiqyshitae.exe, PE32 23->79 dropped 81 C:\...\ZHafiqyshitae.exe.config, XML 23->81 dropped 83 C:\Users\user\AppData\...\Fydykaelocu.exe, PE32 23->83 dropped 85 2 other files (none is malicious) 23->85 dropped 164 Detected unpacking (overwrites its own PE header) 23->164 28 Fydykaelocu.exe 14 5 23->28         started        31 irecord.exe 23->31         started        33 Cixaxynaeqa.exe 14 8 23->33         started        file12 signatures13 process14 dnsIp15 142 connectini.net 28->142 36 iexplore.exe 28->36         started        39 iexplore.exe 28->39         started        41 iexplore.exe 28->41         started        46 16 other processes 28->46 43 irecord.tmp 5 30 31->43         started        144 akenkraken.com 45.91.67.130, 49854, 80 NILSATBG Russian Federation 33->144 146 2.56.154.227, 49855, 80 HIZHOSTINGTR Turkey 33->146 148 3 other IPs or domains 33->148 67 C:\Users\user\AppData\Local\...\installer.exe, PE32 33->67 dropped 69 C:\Users\user\AppData\Local\...\ebook.exe, PE32 33->69 dropped file16 process17 dnsIp18 121 www.cloud-security.xyz 36->121 123 cloud-security.xyz 36->123 48 iexplore.exe 36->48         started        125 www.profitabletrustednetwork.com 39->125 132 4 other IPs or domains 39->132 51 iexplore.exe 39->51         started        53 iexplore.exe 39->53         started        127 vexacion.com 41->127 55 iexplore.exe 41->55         started        87 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 43->87 dropped 89 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 43->89 dropped 91 C:\Program Files (x86)\...\is-SQ00U.tmp, PE32 43->91 dropped 93 13 other files (none is malicious) 43->93 dropped 57 i-record.exe 43->57         started        129 www.profitabletrustednetwork.com 46->129 134 5 other IPs or domains 46->134 59 iexplore.exe 46->59         started        61 iexplore.exe 46->61         started        63 iexplore.exe 46->63         started        65 iexplore.exe 46->65         started        file19 152 Performs DNS queries to domains with low reputation 129->152 signatures20 process21 dnsIp22 101 7 other IPs or domains 48->101 103 2 other IPs or domains 51->103 105 35 other IPs or domains 53->105 107 2 other IPs or domains 55->107 109 2 other IPs or domains 59->109 111 2 other IPs or domains 61->111 99 vexacion.com 63->99
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0b90c23b8130fffdfbff412f4535b474a3c207fa2228f78e6b822a38fae2d3f/
Threat name:
Win32.Downloader.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-24 01:13:25 UTC
AV detection:
8 of 29 (27.59%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yc4qyi5ycmh77x576qjpiu23i5fdyid7uiri66hgxarkhd5ofu7q._file
Verdict:
malicious
Similar samples:
13282c40dd66c53e866c60202f428781cf9562bb0f02e30027ebb7fb41efb5b8
Adware.FileTour
3b36f51b91f67c01015777197970e7ea37e291ff8b6401a853e9582b0a1d90cb
Adware.FileTour
3c2fa1d04daaea31991c29bb4118c3d146a50815a033ea5ae325c3171ebdf713
Adware.FileTour
864ef1321215c0dad7c8677e3c18942b111468c63358475baa71fb1679c25096
Adware.FileTour
8e4f30afa8d0ce48c46a39e2754d8f7adad90ae8ccaf0132b354be76076b20cc
Adware.FileTour
a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d
Adware.FileTour
aa9be79c40da851c806a4cbd196aad2731e57090c5c4e0bb107437073e0ebd11
Adware.FileTour
e13ba9f6e63e4013b75c3d45b012d8cbdda80913669bdd10942828b05d66e798
Adware.FileTour
ea077019bc7eed24cd45cf0e7b78d8a90ee8a7b8e6a7c7e994d1f62954d00c39
Adware.FileTour
f92ea3668a35fbf6e26ba93ed3c2ee31235e41013b79cd661aa061d1327540d9
Adware.FileTour
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion persistence spyware stealer upx vmprotect
Link:
https://tria.ge/reports/210527-hyp9ps2492/
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0b90c23b8130fffdfbff412f4535b474a3c207fa2228f78e6b822a38fae2d3f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/162757/

Comments