MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d39fe027734405f6c6c1c8ad2e2c9891065138ac699fdf992df36f3124dbbc8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d39fe027734405f6c6c1c8ad2e2c9891065138ac699fdf992df36f3124dbbc8f
SHA3-384 hash: c95796d4835a93090df4cb5c06de526199ea3f317694e0b64a2ba7a9f2ce59a9aba120ea87d78d320f3e369c63950f52
SHA1 hash: aadbc9607ab702b2c18a9bd52434e70ec661668d
MD5 hash: a3c9c82841337b5b63a33f2348b80745
humanhash: freddie-jersey-kitten-four
File name:A3C9C82841337B5B63A33F2348B80745.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:3'436'855 bytes
First seen:2021-08-31 10:30:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 49152:xcBdEwJ84vLRaBtIl9mVnxnSrXBpJCiPW+SpBw5PLOi6ymOSHMh7e6OAbedZrdG:xbCvLUBsgNqnwilSp25PN6XkFJedLG
Threatray 448 similar samples on MalwareBazaar
TLSH T127F5332079F9C4F5D94614358D85FFB2A2F7C3C81A32191BBBD5421BCF189AF612C62A
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
http://5.181.156.120/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.120/ https://threatfox.abuse.ch/ioc/203162/

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184166/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Launching a process
Deleting a recently created file
Creating a file
Creating a window
Sending an HTTP GET request to an infection source
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Possible injection to a system process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a system process
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8074f019-f708-4e16-b24b-782e3b88efd4
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842496
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 474927 Sample: 82SlX1K2mU.exe Startdate: 31/08/2021 Architecture: WINDOWS Score: 100 68 104.21.17.130 CLOUDFLARENETUS United States 2->68 70 104.21.20.198 CLOUDFLARENETUS United States 2->70 72 5 other IPs or domains 2->72 92 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->92 94 Antivirus detection for URL or domain 2->94 96 Antivirus detection for dropped file 2->96 98 13 other signatures 2->98 9 82SlX1K2mU.exe 16 2->9         started        signatures3 process4 file5 42 C:\Users\user\AppData\...\setup_install.exe, PE32 9->42 dropped 44 C:\Users\user\...\Sat08841108b5cc5b08.exe, PE32+ 9->44 dropped 46 C:\Users\user\...\Sat0866cae955d195e8.exe, PE32 9->46 dropped 48 11 other files (3 malicious) 9->48 dropped 12 setup_install.exe 1 9->12         started        process6 dnsIp7 88 sornx.xyz 172.67.190.165, 49728, 80 CLOUDFLARENETUS United States 12->88 90 127.0.0.1 unknown unknown 12->90 124 Performs DNS queries to domains with low reputation 12->124 126 Adds a directory exclusion to Windows Defender 12->126 16 cmd.exe 12->16         started        18 cmd.exe 1 12->18         started        20 cmd.exe 1 12->20         started        22 7 other processes 12->22 signatures8 process9 signatures10 25 Sat0866cae955d195e8.exe 16->25         started        30 Sat084f3a1bd9cae6.exe 18->30         started        32 Sat08841108b5cc5b08.exe 1 13 20->32         started        100 Adds a directory exclusion to Windows Defender 22->100 34 Sat0859ca6bd75.exe 3 22->34         started        36 Sat08e111e7de0.exe 22->36         started        38 Sat085cd597e8.exe 22->38         started        40 3 other processes 22->40 process11 dnsIp12 74 37.0.10.214, 49731, 80 WKD-ASIE Netherlands 25->74 76 37.0.10.237, 49732, 80 WKD-ASIE Netherlands 25->76 82 9 other IPs or domains 25->82 50 C:\Users\...\kz5Wm4TFkfB99PgX1vynenjy.exe, PE32 25->50 dropped 52 C:\Users\...\ktUecaW_E8gB1lhN3pdWkKrb.exe, PE32 25->52 dropped 54 C:\Users\...\jkCjBBM9UjGOkgEj6uzZDfbd.exe, PE32 25->54 dropped 64 39 other files (35 malicious) 25->64 dropped 102 Drops PE files to the document folder of the user 25->102 104 May check the online IP address of the machine 25->104 106 Creates HTML files with .exe extension (expired dropper behavior) 25->106 108 Disable Windows Defender real time protection (registry) 25->108 110 Machine Learning detection for dropped file 30->110 112 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 30->112 114 Maps a DLL or memory area into another process 30->114 116 Checks if the current machine is a virtual machine (disk enumeration) 30->116 84 3 other IPs or domains 32->84 56 C:\Users\user\AppData\...\aaa_v013[1].dll, DOS 32->56 dropped 118 Tries to harvest and steal browser information (history, passwords, etc) 32->118 78 a.goatgame.co 104.21.79.144, 443, 49722 CLOUDFLARENETUS United States 34->78 58 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 34->58 dropped 120 Creates processes via WMI 34->120 80 192.168.2.1 unknown unknown 36->80 60 C:\Users\user\AppData\Local\Temp\2.exe, PE32 36->60 dropped 66 6 other files (none is malicious) 36->66 dropped 62 C:\Users\user\AppData\...\Sat085cd597e8.tmp, PE32 38->62 dropped 122 Antivirus detection for dropped file 38->122 86 2 other IPs or domains 40->86 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d39fe027734405f6c6c1c8ad2e2c9891065138ac699fdf992df36f3124dbbc8f/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-29 07:38:00 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2op6aj3tiqc7nrwbzcws4leysedfcofmngp57gjn6nxtcjg3xshq._file
Verdict:
unknown
Similar samples:
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
Adware.FileTour
0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc
Adware.FileTour
186992db0748857e13271f18b519fbf2b6f016bd8d81c3ee952786de798a6dad
Adware.FileTour
3d7ba99d7b360819146cd6223b2d668e8b1a661023f5b36932860bc84271eecd
Adware.FileTour
423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110
Adware.FileTour
568b3a7273ccbb1436e42dd90f0541d7dc0da2a97944381ad0b31d7d437c4908
Adware.FileTour
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
Adware.FileTour
987a2417a285a7e885e5acdd635d3e2dfa1cf00bb98b6a39fbc17bc7c3fb4993
Adware.FileTour
a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
Adware.FileTour
bbb1867666dcd3898495a36ebec4d9a00c5c4c519eab587f530f5f5c6d80cb32
Adware.FileTour
+ 438 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:vidar botnet:706 aspackv2 backdoor discovery evasion infostealer stealer themida trojan
Link:
https://tria.ge/reports/210831-trwrj86dae/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Vidar
Malware Config
C2 Extraction:
https://eduarroma.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
SH256 hash:
02a8dcfdccd4aa0477a778f83e87c4498f62b62b97a5d2d0873db45d341eecfe
MD5 hash:
7126ee15e32790c50b815575e6d12756
SHA1 hash:
003a335c29dfe608cfb05f7e64c5f755efd3f499
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
SH256 hash:
a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash:
0c6cae115465a83f05d3ff391fd009ac
SHA1 hash:
066ea93bb540ae4be0d2e522d4bb59eec74053ad
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
Parent samples :
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
fc2e04d392ab5e508fdf6c90ce456bfd0af6def1f10a2074f82df8f58079d5e4
f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
22275b7c5a57111aca919f6bbfae171e5e99f5ef777d1043802deb672f5136a0
d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
0a7d966e66cbd260c909de1d79038c86a071f2f10a810f5890a150b67c4fd954
1b4c7144874551beb52bc3e864822c0b803d0967531addf9612f61898cf2394d
090f1369dc856e37b73969d22799341b1d328a235470ee608d3e32dd34df7022
4879803b6326f27bb8b68448fe7394b2358c2eeb25ec2c4c6a176313d003c29a
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
1e47b0a87b714febf0f805a2c319a150cc8bd58d738669c76c975a64d40130ab
MD5 hash:
6cbca955ae2bb778cf9de6cef5d114a7
SHA1 hash:
527feb36a0cbd2c348df1862bb2d4516ed9bad6f
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
SH256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
SH256 hash:
43305d88f809b335f0c8fae37f65e16b82f6ad632ce9f290ea99e4bd94ce1edb
MD5 hash:
d52bafd747717b3a7dc070a73458f856
SHA1 hash:
e0c458a3b2045892fa87313befd89d4480f42bf5
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
SH256 hash:
f09fddf3b1dd1449eff4f9dfc45d2299619f9d1042180bd00863a9dfb06e52f0
MD5 hash:
028ec563b7ac44fe07f156cb30edca88
SHA1 hash:
9a7e8a12d5436093382f209480442a6cb63b73e0
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
SH256 hash:
258040068db114352a90d7d260948eec90d971de010530e7dfbf3c3c57eea3f4
MD5 hash:
bc92e13fa21dd75255a56c37efefb6ab
SHA1 hash:
91faad7fcd855d934d780487c74ff4bf57188657
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
SH256 hash:
d746ce1371b35b22e811b5bdbb9794cd885abe8b5a97dc0ec82710e07a907fb5
MD5 hash:
ae502bd14d0e0ddc22cdae39935cbe51
SHA1 hash:
85c08278272c15bd13a4af44cf342535f71f8862
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
SH256 hash:
b9f3d51b6635374a1590c61c9cdb961a862ffd29e2ca1b4b97295811213046c1
MD5 hash:
25ac95beb9a0959e462d32be14fb48b4
SHA1 hash:
2bae5741c3e3ea74e89b79f08bfdffda498385be
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
SH256 hash:
91b08b328635f4d11e2b1384aea013c72bea800e10b9f0f803b2bd42b3cd18a9
MD5 hash:
c31592f0606e9f454cb0e95a7901bda5
SHA1 hash:
068cfeccaf1896fa99b4ab223992cefae0e836f0
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
SH256 hash:
0549eb72ca5b1f6445fa86b0d716c231a0e673280defe5d9dda8b346f80ff5a4
MD5 hash:
08da4e4671b54e41eb3d3c95f717fc4e
SHA1 hash:
ffb05f86040cd53a238f265d20184c1694eee7a8
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
SH256 hash:
87c418270ff420af75b621ed4021e43439644ae9c5fac15cda7c62403144ef62
MD5 hash:
4eb59636c690374186d7d9764e36fa4e
SHA1 hash:
34c97ddc3d765238b9df2ee9c719ecfe1f1acb7d
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
SH256 hash:
4e48d42784b64acf0298231b268f1b628d2c3c3cf5c2d67cbf55497101914ffb
MD5 hash:
03d148ec9b62505086059df0d9dcd408
SHA1 hash:
d9cb60e77a78cdbcb404a01226e9d47b30ec4d67
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
SH256 hash:
8db0ab0ac4df9d0e896ddd83c4e3bb2fbac90967f9cab329522f83f01211a6b4
MD5 hash:
b3b4a338f089c2f4c8e84e836d9df76d
SHA1 hash:
a37827cf7b6d79fd8bfdae78876bad278946c9cb
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
SH256 hash:
d39fe027734405f6c6c1c8ad2e2c9891065138ac699fdf992df36f3124dbbc8f
MD5 hash:
a3c9c82841337b5b63a33f2348b80745
SHA1 hash:
aadbc9607ab702b2c18a9bd52434e70ec661668d
Link:
https://www.unpac.me/results/1b236c97-2765-42d6-aa4d-d4cb8413fe0d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d39fe0277344/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d39fe027734405f6c6c1c8ad2e2c9891065138ac699fdf992df36f3124dbbc8f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184166/

Comments