MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 9


Intelligence 9 IOCs 6 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1
SHA3-384 hash: 911b3cd45866e4ae8e18239d1c320586283c2a3c9fb9b6e9727e84dd3fe47787e335e151892c5596cc1bb27c87a17222
SHA1 hash: 216f0ada991deb26c4607dd142ea5f0176484cc0
MD5 hash: 0b6b2968e8f090b22bc47abab70c4dd0
humanhash: charlie-mobile-jupiter-hydrogen
File name:0B6B2968E8F090B22BC47ABAB70C4DD0.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:5'990'810 bytes
First seen:2021-08-13 18:10:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yfa/a9mJY8p/79aJYpiPSnfCyg0+UA/bJMfcvPA5L2wvpvnSALNl5UL5nXSCC333:ymY+/BdsKnar0SWmIL2EqSNl5klZoZ
Threatray 319 similar samples on MalwareBazaar
TLSH T174563324520F60B3CE7277F1B65A19B990D2C60DE9E89283079BF1C4FFA5F1146AE187
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
http://ggc-partners.info/stats/remember.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://ggc-partners.info/stats/remember.php https://threatfox.abuse.ch/ioc/184297/
http://ggc-partners.info/dlc/distribution.php https://threatfox.abuse.ch/ioc/184298/
http://ggc-partners.info/decision.php https://threatfox.abuse.ch/ioc/184302/
65.21.228.92:46802 https://threatfox.abuse.ch/ioc/184313/
http://34.77.115.2/ https://threatfox.abuse.ch/ioc/185163/
45.14.49.111:26475 https://threatfox.abuse.ch/ioc/185208/

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179071/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8cade012-9c58-498e-af16-298e65955390
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832619
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Found C&C like URL pattern
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 465047 Sample: 1S027Z3Q44.exe Startdate: 13/08/2021 Architecture: WINDOWS Score: 100 118 zertypelil.xyz 2->118 120 staticimg.youtuuee.com 2->120 122 23 other IPs or domains 2->122 130 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->130 132 Multi AV Scanner detection for domain / URL 2->132 134 Antivirus detection for URL or domain 2->134 138 15 other signatures 2->138 12 1S027Z3Q44.exe 10 2->12         started        15 svchost.exe 1 2->15         started        signatures3 136 Performs DNS queries to domains with low reputation 120->136 process4 file5 102 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->102 dropped 17 setup_installer.exe 8 12->17         started        process6 file7 58 C:\Users\user\AppData\...\setup_install.exe, PE32 17->58 dropped 60 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 17->60 dropped 62 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 17->62 dropped 64 3 other files (none is malicious) 17->64 dropped 20 setup_install.exe 9 17->20         started        process8 dnsIp9 124 marisana.xyz 172.67.186.33, 49721, 80 CLOUDFLARENETUS United States 20->124 126 127.0.0.1 unknown unknown 20->126 94 C:\Users\user\AppData\Local\...\f9a302645.exe, PE32 20->94 dropped 96 C:\Users\user\...\e9e6055abb695524.exe, PE32 20->96 dropped 98 C:\Users\user\AppData\Local\...\b001a8f56.exe, PE32 20->98 dropped 100 5 other files (4 malicious) 20->100 dropped 166 Performs DNS queries to domains with low reputation 20->166 25 cmd.exe 20->25         started        27 cmd.exe 1 20->27         started        29 cmd.exe 1 20->29         started        31 6 other processes 20->31 file10 signatures11 process12 process13 33 79d822fc709e78.exe 25->33         started        38 20383e5a9a4c5112.exe 15 9 27->38         started        40 27ce46284501.exe 3 29->40         started        42 3d0c613fcb2403.exe 1 15 31->42         started        44 2d7080268fee447.exe 31->44         started        46 b001a8f56.exe 31->46         started        48 2 other processes 31->48 dnsIp14 104 cdn.discordapp.com 33->104 110 15 other IPs or domains 33->110 66 C:\Users\...\yUE5cmQe8O4suUPgTCMGEa0Q.exe, PE32 33->66 dropped 68 C:\Users\...\srpcS1mCBpKPO3IKtSUUPFw4.exe, PE32 33->68 dropped 70 C:\Users\...\qayVNG779sicJmNlIPgA0DMB.exe, PE32 33->70 dropped 78 41 other files (35 malicious) 33->78 dropped 140 Drops PE files to the document folder of the user 33->140 142 May check the online IP address of the machine 33->142 144 Creates HTML files with .exe extension (expired dropper behavior) 33->144 146 Disable Windows Defender real time protection (registry) 33->146 112 2 other IPs or domains 38->112 80 5 other files (none is malicious) 38->80 dropped 148 Detected unpacking (changes PE section rights) 38->148 150 Detected unpacking (overwrites its own PE header) 38->150 152 Performs DNS queries to domains with low reputation 38->152 154 Query firmware table information (likely to detect VMs) 40->154 156 Tries to detect sandboxes and other dynamic analysis tools (window names) 40->156 158 2 other signatures 40->158 114 3 other IPs or domains 42->114 72 C:\Users\user\AppData\...\fastsystem.exe, PE32+ 42->72 dropped 74 C:\Users\user\AppData\...\aaa_011[1].dll, DOS 42->74 dropped 160 2 other signatures 42->160 106 cdn.discordapp.com 162.159.129.233, 443, 49723, 49738 CLOUDFLARENETUS United States 44->106 76 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 44->76 dropped 50 LzmwAqmV.exe 44->50         started        116 2 other IPs or domains 46->116 82 12 other files (none is malicious) 46->82 dropped 162 2 other signatures 46->162 108 192.168.2.1 unknown unknown 48->108 164 2 other signatures 48->164 53 e9e6055abb695524.exe 48->53         started        file15 signatures16 process17 dnsIp18 84 C:\Users\user\AppData\Local\Temp\jhuuee.exe, PE32+ 50->84 dropped 86 C:\...\dcc7975c8a99514da06323f0994cd79b.exe, PE32 50->86 dropped 88 C:\Users\user\AppData\...\askinstall54.exe, PE32 50->88 dropped 92 5 other files (none is malicious) 50->92 dropped 128 live.goatgame.live 104.21.70.98, 443, 49724, 49901 CLOUDFLARENETUS United States 53->128 90 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 53->90 dropped 56 conhost.exe 53->56         started        file19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 09:38:18 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z6fgbnpdszqkaljx2tk7duuohescpqo2aukc2stfdti4ez6qptaq._file
Verdict:
unknown
Similar samples:
088559f2192fe04ad85f83e1a3ac931f2bdbb5a88b4146154858d00c40b4b551
Adware.FileTour
0df9cc018e5258e289ffea0bb4137ae6f0bc8fe85b48b544520c7dae95453f68
Adware.FileTour
486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5
Adware.FileTour
65624215e9613e4922c32eb184b75ea1334a6a2fa32d45ef535918ef7b9a9eca
Adware.FileTour
82e531dd4163ca5716a8b2f3feb188fc7fdbf8cac0270aa76664925fdd5124e2
Adware.FileTour
befd232ab8dab62c010a0a96e0e62a1ff561509877fd8acfa1507df11e092aec
Adware.FileTour
c767c0c438dd1a2bfb6d14e35c30b24971b9a2db90748177ee23959b7b6b22ed
Adware.FileTour
cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3
Adware.FileTour
f7f5898bbed2b677a52a031071110b8aebb4b3eba2669703f6dd60e6953dc2a2
Adware.FileTour
+ 309 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:916 botnet:937 botnet:93d3ccba4a3cbd5e268873fc1760b2335272e198 aspackv2 backdoor dropper evasion infostealer loader persistence spyware stealer suricata themida trojan vmprotect
Link:
https://tria.ge/reports/210813-xew4hd2n4e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
Malware Config
C2 Extraction:
https://lenak513.tumblr.com/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Unpacked files
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Link:
https://www.unpac.me/results/5cf0f08d-1b63-4154-9db4-468d2bd3eedd/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265
MD5 hash:
117c7ff5dd9efc0b059f64520f2d4f46
SHA1 hash:
ff07b1fcc58aa62b42d797981e0d953d9f9e0120
Link:
https://www.unpac.me/results/5cf0f08d-1b63-4154-9db4-468d2bd3eedd/
SH256 hash:
87eb74021153f648bb975e6d715ea2dd4800a85d8a1a3208ea25b2544a55be3e
MD5 hash:
170524de76af5329d0fcfc11209d75b8
SHA1 hash:
f4dd14d658ee4f689ee687d282468c5095be9360
Link:
https://www.unpac.me/results/5cf0f08d-1b63-4154-9db4-468d2bd3eedd/
SH256 hash:
bd63cda547353a5b469d23ecae78105948287812d3f290dd3ebe3ca93a883e54
MD5 hash:
d3cba1cdea5c2c94909a14238f3a2f57
SHA1 hash:
c361e0d74339bd4d9318aee02d1294dc1f6de2d0
Link:
https://www.unpac.me/results/5cf0f08d-1b63-4154-9db4-468d2bd3eedd/
SH256 hash:
dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash:
c02a029c978f13b753c6b578b1588c75
SHA1 hash:
e125d59451e7f467bfd329a00a506decbcd91d83
Link:
https://www.unpac.me/results/5cf0f08d-1b63-4154-9db4-468d2bd3eedd/
SH256 hash:
0d017311cfc1554b76481b6b0d40d1c150c1a0aedcda302f513c01de0b1f4e4c
MD5 hash:
fcce864840d6700d71a8d68668d7a538
SHA1 hash:
fef82b13a6565e5da4eaf24ce6566c513c6a58fd
Link:
https://www.unpac.me/results/5cf0f08d-1b63-4154-9db4-468d2bd3eedd/
SH256 hash:
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
MD5 hash:
0965da18bfbf19bafb1c414882e19081
SHA1 hash:
e4556bac206f74d3a3d3f637e594507c30707240
Link:
https://www.unpac.me/results/5cf0f08d-1b63-4154-9db4-468d2bd3eedd/
SH256 hash:
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
MD5 hash:
3263859df4866bf393d46f06f331a08f
SHA1 hash:
5b4665de13c9727a502f4d11afb800b075929d6c
Link:
https://www.unpac.me/results/5cf0f08d-1b63-4154-9db4-468d2bd3eedd/
SH256 hash:
09220ccea3bf0666da14a36ceeb17eef2439d1a52bc178baa332825190af2c55
MD5 hash:
0a4a63e0805097bb645d379079ce1848
SHA1 hash:
bbd4be326bc2e067c718a90d66b8a432936c0d11
Link:
https://www.unpac.me/results/5cf0f08d-1b63-4154-9db4-468d2bd3eedd/
SH256 hash:
09d1a1c650d8adda083e82579625c3e3b0245a84751314f9194d9de7bcf36ab6
MD5 hash:
8d4b3e0eab212c462fb4229fd2676a22
SHA1 hash:
8d0f5122c4492ec4eafd736d7a6fa64661fa9cf7
Link:
https://www.unpac.me/results/5cf0f08d-1b63-4154-9db4-468d2bd3eedd/
SH256 hash:
908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
MD5 hash:
83cc20c8d4dd098313434b405648ebfd
SHA1 hash:
59b99c73776d555a985b2f2dcc38b826933766b3
Link:
https://www.unpac.me/results/5cf0f08d-1b63-4154-9db4-468d2bd3eedd/
SH256 hash:
8f9708160ad8e9261d0cc104f025d0d8d60cd84c1082b37f7c0dc268fab2d1f3
MD5 hash:
09146a43dad308ea787c4b67184725e0
SHA1 hash:
4a49f83b5ebd77d24723ae5b93d71c9d946c83d4
Link:
https://www.unpac.me/results/5cf0f08d-1b63-4154-9db4-468d2bd3eedd/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/5cf0f08d-1b63-4154-9db4-468d2bd3eedd/
SH256 hash:
48207a4690d7d6bff43e11a2ea564fa367e75c7acdec4eeffc7ef6017fab4bfe
MD5 hash:
e76f4e6a5d2368bfad5f46a839abdbc9
SHA1 hash:
a15073d95d3aca5e76b056b983203d7135b1fc98
Link:
https://www.unpac.me/results/5cf0f08d-1b63-4154-9db4-468d2bd3eedd/
SH256 hash:
cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1
MD5 hash:
0b6b2968e8f090b22bc47abab70c4dd0
SHA1 hash:
216f0ada991deb26c4607dd142ea5f0176484cc0
Link:
https://www.unpac.me/results/5cf0f08d-1b63-4154-9db4-468d2bd3eedd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179071/

Comments