MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6e0cc68fa8dfa2c88e99869e277878e5889f083b8af884eea9c267abab47d7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.FileTour
Vendor detections: 8

SHA256 hash: d6e0cc68fa8dfa2c88e99869e277878e5889f083b8af884eea9c267abab47d7b
SHA3-384 hash: 8cc2125774fbc4e71b73f631e16e081c09b7a5eeb11e30d71fe19c6c9335398b844e811409b16f11aa7a1c700157adcd
SHA1 hash: 01c0e61a5e07853b618ac053895901ffb9b866e3
MD5 hash: dd7f049cbce2dd902089a4975e745840
humanhash: diet-aspen-kitten-carpet
File name: SecuriteInfo.com.Adware.Relevant.189.32383.31454
Signature: Adware.FileTour
File size: 658'080 bytes
First seen: 2023-10-23 06:31:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'460 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 12288:ana9YDEpUsUssBRgfL8gM5EbX0PvkLMK83ekQhytBuEDbS+7hWVAbL:analUnDgw6MN3ekmoiiL
TLSH: T158E423435BE00578E8A14A319D75A771AEB37D328CB3A14A32AD3D4DEE33643C515F8A
TrID: 76.6% (.EXE) Inno Setup installer (109740/4/30)
      9.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      4.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.1% (.EXE) Win32 Executable (generic) (4505/5/1)
      1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 16 x CoinMiner)
Reporter: SecuriteInfoCom
Tags: Adware.FileTour exe
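Before working on a downloaded copy of this sample, confirm it is the same object the entry describes. The following is an added Python example, not MalwareBazaar's own code: it streams a file through the four hash algorithms listed above and compares the digests with the entry's values. The hash values are copied from this entry; the file path in the usage stub is an assumption.

```python
import hashlib
import sys

# Hashes copied from this MalwareBazaar entry. Keys are hashlib algorithm names.
ENTRY_HASHES = {
    "sha256": "d6e0cc68fa8dfa2c88e99869e277878e5889f083b8af884eea9c267abab47d7b",
    "sha3_384": "8cc2125774fbc4e71b73f631e16e081c09b7a5eeb11e30d71fe19c6c9335398b844e811409b16f11aa7a1c700157adcd",
    "sha1": "01c0e61a5e07853b618ac053895901ffb9b866e3",
    "md5": "dd7f049cbce2dd902089a4975e745840",
}


def digest_all(data: bytes, algorithms=tuple(ENTRY_HASHES)) -> dict:
    """Return {algorithm: lowercase hex digest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def digest_file(path: str, algorithms=tuple(ENTRY_HASHES), chunk_size: int = 1 << 20) -> dict:
    """Same as digest_all, but streams the file so large samples need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(computed: dict, expected: dict) -> dict:
    """Per-algorithm match result. Hex strings are compared case-insensitively."""
    return {name: computed.get(name, "").lower() == value.lower()
            for name, value in expected.items()}


def verify_sample(path: str, expected: dict = ENTRY_HASHES) -> bool:
    """True only if every listed digest matches.

    A single mismatch means the file on disk is not the object this entry
    describes (or the entry was transcribed wrongly); do not analyse it as if it were.
    """
    results = compare(digest_file(path, tuple(expected)), expected)
    for name, ok in results.items():
        print(f"{name:8s} {'match' if ok else 'MISMATCH'}")
    return all(results.values())


if __name__ == "__main__":
    # Path is an assumption. MalwareBazaar serves samples inside a password-protected
    # zip archive, so point this at the extracted file, not at the archive.
    target = sys.argv[1] if len(sys.argv) > 1 else \
        "d6e0cc68fa8dfa2c88e99869e277878e5889f083b8af884eea9c267abab47d7b.exe"
    sys.exit(0 if verify_sample(target) else 1)
```

Only the four cryptographic digests identify this particular file. The imphash is a property of the Inno Setup loader stub and is shared by every installer built with the same Inno version, which is why the entry itself reports 3'725 GCleaner and 3'460 Socks5Systemz samples with the same value; it pivots to the packaging, not to the payload, and the icon dhash is a similarly weak pivot.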

Intelligence


File Origin
Uploads: 1
Downloads: 297
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Adware.Relevant.189.32383.31454
Verdict: Suspicious activity
Analysis date: 2023-10-23 06:54:32 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour:
  Creating a file in the %temp% subdirectories
  Creating a window
  Creating a process from a recently created file
  Creating synchronization primitives
  Gathering data

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control greyware installer lolbin overlay packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: suspicious
Classification: n/a
Score: 30 / 100
Signatures:
  Creates HTML files with .exe extension (expired dropper behavior)
  Multi AV Scanner detection for domain / URL
  Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 1330333; sample SecuriteInfo.com.Adware.Rel...; start date 23/10/2023; architecture WINDOWS; score 30):
  Sample-level signatures: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file
  Domains resolved: www.ntdlzone.com, www.365freesoft.com, rkverify.securestudies.com
  Process tree:
    SecuriteInfo.com.Adware.Relevant.189.32383.31454.exe
      dropped: SecuriteInfo.com.A...189.32383.31454.tmp (PE32)
      -> SecuriteInfo.com.Adware.Relevant.189.32383.31454.tmp
           network: www.ntdlzone.com 104.164.31.47 (ports 49711, 49712, 80), EGIHOSTINGUS, United States
           dropped: C:\Users\user\AppData\...\itdownload.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); 4 other files (none is malicious)
           signature: Creates HTML files with .exe extension (expired dropper behavior)
           -> chrome.exe
                network: 192.168.2.7 (ports 123, 138, 443), unknown; 239.255.255.250, Reserved
                -> chrome.exe
                     network: 172.253.122.101 (ports 443, 49728), GOOGLEUS, United States; clients.l.google.com 172.253.122.138 (ports 443, 49714), GOOGLEUS, United States; 6 other IPs or domains
           -> cmd.exe
                -> taskkill.exe
                -> conhost.exe
           -> HanoiTower.exe
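The behavior graph is rendered as one run of text in which hostnames and addresses sit next to process names, dropped-file names and node numbers, so pulling IOCs out of it by eye is error-prone. The following is an added Python example, not code from MalwareBazaar or from the sandbox vendor: it extracts the contacted domains and the routable IPv4 addresses from that text, discarding file names such as chrome.exe and itdownload.dll, the sample's own dotted file name, and private, loopback and multicast addresses (192.168.2.7 and 239.255.255.250 above are local network noise, not indicators). The input is the graph text from this entry, copied verbatim and wrapped at spaces only; the list of file extensions is an assumption.

```python
import ipaddress
import re

# Behavior graph text from this entry, copied verbatim (wrapped at spaces only).
GRAPH_TEXT = r"""behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1330333 Sample: SecuriteInfo.com.Adware.Rel...
Startdate: 23/10/2023 Architecture: WINDOWS Score: 30 45 www.ntdlzone.com 2->45 47 www.365freesoft.com 2->47
49 rkverify.securestudies.com 2->49 59 Multi AV Scanner detection for domain / URL 2->59
61 Multi AV Scanner detection for submitted file 2->61 9 SecuriteInfo.com.Adware.Relevant.189.32383.31454.exe 2 2->9
started signatures3 process4 file5 31 SecuriteInfo.com.A...189.32383.31454.tmp, PE32 9->31 dropped
12 SecuriteInfo.com.Adware.Relevant.189.32383.31454.tmp 20 38 9->12 started process6 dnsIp7
57 www.ntdlzone.com 104.164.31.47, 49711, 49712, 80 EGIHOSTINGUS United States 12->57
33 C:\Users\user\AppData\...\itdownload.dll, PE32 12->33 dropped
35 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 12->35 dropped
37 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 12->37 dropped
39 4 other files (none is malicious) 12->39 dropped
63 Creates HTML files with .exe extension (expired dropper behavior) 12->63
17 chrome.exe 1 12->17 started 20 cmd.exe 1 12->20 started 22 HanoiTower.exe 12->22 started
file8 signatures9 process10 dnsIp11 41 192.168.2.7, 123, 138, 443 unknown unknown 17->41
43 239.255.255.250 unknown Reserved 17->43 24 chrome.exe 17->24 started
27 taskkill.exe 1 20->27 started 29 conhost.exe 20->29 started process12 dnsIp13
51 172.253.122.101, 443, 49728 GOOGLEUS United States 24->51
53 clients.l.google.com 172.253.122.138, 443, 49714 GOOGLEUS United States 24->53
55 6 other IPs or domains 24->55"""

# A dotted name whose last label is alphabetic. The negative lookahead rejects a
# candidate that continues with ".more" or "..": that keeps "SecuriteInfo.com" from
# being cut out of the sample's long dotted file name, and "Rel" out of "Rel...".
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?![.\w])", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Assumed list: last labels that mark a file name rather than a host name.
FILE_EXTENSIONS = {"exe", "dll", "tmp", "sys", "bat", "ps1", "vbs", "js"}


def extract_domains(text: str) -> set:
    """Hostnames in the text, lower-cased, with file names filtered out."""
    found = set()
    for m in DOMAIN_RE.finditer(text):
        name = m.group(0).lower()
        if name.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
            continue  # chrome.exe, itdownload.dll, ...31454.tmp and similar
        found.add(name)
    return found


def extract_public_ips(text: str) -> set:
    """IPv4 addresses that are routable on the Internet.

    ipaddress does the validation (a dotted quad like 999.1.1.1 matches the regex
    but raises) and the scoping: RFC 1918, loopback, link-local and reserved
    ranges are not global, and multicast is excluded explicitly.
    """
    found = set()
    for m in IPV4_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:
            continue
        if ip.is_global and not ip.is_multicast:
            found.add(str(ip))
    return found


def iocs(text: str = GRAPH_TEXT) -> dict:
    """Sorted network indicators from a behavior graph text."""
    return {"domains": sorted(extract_domains(text)),
            "ips": sorted(extract_public_ips(text))}


if __name__ == "__main__":
    for kind, values in iocs().items():
        print(kind, *values, sep="\n  ")
```

The result for this entry is four hostnames (www.ntdlzone.com, www.365freesoft.com, rkverify.securestudies.com, clients.l.google.com) and three public addresses (104.164.31.47, 172.253.122.101, 172.253.122.138). Only the first three hostnames and 104.164.31.47 belong to the installer's own traffic; clients.l.google.com and the 172.253.122.x addresses come from the chrome.exe process it launched, so they should be dropped from any detection content rather than blocked.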
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2013-03-30 19:35:00 UTC
File Type: PE (Exe)
Extracted files: 51
AV detection: 7 of 38 (18.42%)
Threat level: 2/5
Verdict: unknown

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of WriteProcessMemory
  Executes dropped EXE
  Loads dropped DLL
Unpacked files
SHA256 hash: 2918981f03c70001901f1863ebd386be69c6406a47623b75a4cffd3f50326e1f
MD5 hash: a5d4a05e2128678271128b5493108581
SHA1 hash: d623c7a3190dd9a3e670545396e91435cf6b49b5

SHA256 hash: ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash: ccf4a60623b784b084855d0468d76eab
SHA1 hash: 9419cc65a1bb70e8780f6da7cedd169eb333db88

SHA256 hash: 69cb49d3c3aadbc738afc6ba8b2b458e6504e49618aec754d6adc6a23ab1081e
MD5 hash: 7d8a1368d159aa599a3dfd968e6fc578
SHA1 hash: 1dfba2f28597d82931a7fbfa81da9f1797db28a1

SHA256 hash: d6e0cc68fa8dfa2c88e99869e277878e5889f083b8af884eea9c267abab47d7b
MD5 hash: dd7f049cbce2dd902089a4975e745840
SHA1 hash: 01c0e61a5e07853b618ac053895901ffb9b866e3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments