MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da6332feebc2a530509de0c661231bbd427327c31d6607a6a9286db710b68795. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da6332feebc2a530509de0c661231bbd427327c31d6607a6a9286db710b68795
SHA3-384 hash: a8ac99703b9966ef5c3f0fabbcd389c11188e688f60f2d2f13c48f5decf0b19824276740f050537e756e8ada97f4111b
SHA1 hash: 50d2cfe3efe4e74fb02c73e95af4d066d396fd6c
MD5 hash: ae93af91e8e57397bce40bc97ba15e46
humanhash: sixteen-avocado-avocado-violet
File name:da6332feebc2a530509de0c661231bbd427327c31d660.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:2'361'099 bytes
First seen:2021-09-05 05:10:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 49152:pAI+FnLWaYzjpemXXvzln6QnL6KV5NFf8XslqbdZoHb1uZPKYuXPnXr2KCs:pAI+FLWaYjpemX/B6QLv3NFkXkHb0ZCR
Threatray 1'314 similar samples on MalwareBazaar
TLSH T135B52335F081493BE0221671484BD3BA753ABA445F7CA4CFF3EA5D5C9C1B24929F86CA
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
http://94.158.245.173/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.173/ https://threatfox.abuse.ch/ioc/215894/

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
da6332feebc2a530509de0c661231bbd427327c31d660.exe
Verdict:
No threats detected
Analysis date:
2021-09-05 05:13:52 UTC
Tags:
installer
Link:
https://app.any.run/tasks/83660b5b-43a5-4f65-b5bd-8ab1e293a2a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185359/
Detection(s):
SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Running batch commands
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Sending an HTTP POST request
Connecting to a non-recommended domain
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Creating a file in the system32 directory
Sending a UDP request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the system32 subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Searching for the window
Moving a file to the Program Files subdirectory
Replacing files
Modifying a system file
Launching the default Windows debugger (dwwin.exe)
Possible injection to a system process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun by creating a file
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02b59cc9-526b-4f5a-9d01-5c7f5c28dfe2
Result
Threat name:
BitCoin Miner Cookie Stealer Cyberduck R
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845422
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Yara detected Cookie Stealer
Yara detected Cyberduck
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477853 Sample: da6332feebc2a530509de0c6612... Startdate: 05/09/2021 Architecture: WINDOWS Score: 100 138 23.35.236.56 ZAYO-6461US United States 2->138 140 google.vrthcobj.com 2->140 156 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->156 158 Multi AV Scanner detection for domain / URL 2->158 160 Antivirus detection for URL or domain 2->160 162 20 other signatures 2->162 11 da6332feebc2a530509de0c661231bbd427327c31d660.exe 18 28 2->11         started        14 services32.exe 2->14         started        signatures3 process4 file5 116 C:\Program Files (x86)\SmartPDF\...\stats.exe, PE32 11->116 dropped 118 C:\Program Files (x86)\...\note866.exe, PE32 11->118 dropped 120 C:\Program Files (x86)\SmartPDF\...\lg.exe, PE32 11->120 dropped 124 4 other malicious files 11->124 dropped 17 PBrowFile15.exe 11->17         started        21 SmartPDF.exe 11->21         started        24 9840432e051a6fa1192594db02b80a4c1fd73456.exe 80 11->24         started        26 5 other processes 11->26 122 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 14->122 dropped 188 Adds a directory exclusion to Windows Defender 14->188 signatures6 process7 dnsIp8 126 172.67.141.201 CLOUDFLARENETUS United States 17->126 96 C:\Users\user\AppData\Roaming\7706568.exe, PE32 17->96 dropped 98 C:\Users\user\AppData\Roaming\6589590.exe, PE32 17->98 dropped 100 C:\Users\user\AppData\Roaming\5411454.exe, PE32 17->100 dropped 102 C:\Users\user\AppData\Roaming\3632203.exe, PE32 17->102 dropped 28 6589590.exe 17->28         started        32 7706568.exe 17->32         started        35 5411454.exe 17->35         started        37 3632203.exe 17->37         started        166 Adds a directory exclusion to Windows Defender 21->166 39 cmd.exe 21->39         started        41 cmd.exe 21->41         started        128 94.158.245.173, 49700, 80 MIVOCLOUDMD Moldova Republic of 24->128 130 telete.in 195.201.225.248, 443, 49699 HETZNER-ASDE Germany 24->130 104 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 24->104 dropped 112 58 other files (none is malicious) 24->112 dropped 168 Tries to steal Mail credentials (via file access) 24->168 43 cmd.exe 24->43         started        132 186.2.171.3 DDOS-GUARDCORPBZ Belize 26->132 134 192.168.2.1 unknown unknown 26->134 136 2 other IPs or domains 26->136 106 C:\Users\user\Documents\...\note866.exe, PE32 26->106 dropped 108 C:\Users\user\AppData\Local\...\stats.tmp, PE32 26->108 dropped 110 C:\Users\user\AppData\Local\Temp\...\VPN.tmp, PE32 26->110 dropped 170 Tries to harvest and steal browser information (history, passwords, etc) 26->170 45 chrome.exe 18 26->45         started        47 4 other processes 26->47 file9 signatures10 process11 dnsIp12 142 185.177.125.94 WORLDSTREAMNL Netherlands 28->142 144 172.67.75.172 CLOUDFLARENETUS United States 28->144 174 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->174 176 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 28->176 178 Tries to harvest and steal browser information (history, passwords, etc) 28->178 180 Tries to steal Crypto Currency Wallets 28->180 49 conhost.exe 28->49         started        146 104.21.34.192 CLOUDFLARENETUS United States 32->146 78 C:\ProgramData\44\vcruntime140.dll, PE32 32->78 dropped 80 C:\ProgramData\44\sqlite3.dll, PE32 32->80 dropped 92 5 other files (none is malicious) 32->92 dropped 182 Detected unpacking (changes PE section rights) 32->182 148 104.21.24.17 CLOUDFLARENETUS United States 35->148 82 C:\Users\user\AppData\...\WinHoster.exe, PE32 37->82 dropped 51 svchost32.exe 39->51         started        55 conhost.exe 39->55         started        184 Uses schtasks.exe or at.exe to add and modify task schedules 41->184 186 Adds a directory exclusion to Windows Defender 41->186 57 conhost.exe 41->57         started        59 powershell.exe 41->59         started        61 powershell.exe 41->61         started        63 conhost.exe 43->63         started        65 timeout.exe 43->65         started        150 iplis.ru 88.99.66.31, 443, 49707, 49711 HETZNER-ASDE Germany 45->150 152 7 other IPs or domains 45->152 84 C:\Users\user\AppData\Local\...\Cookies, SQLite 45->84 dropped 154 5 other IPs or domains 47->154 86 C:\Users\user\AppData\...\itdownload.dll, PE32 47->86 dropped 88 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 47->88 dropped 90 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 47->90 dropped 94 7 other files (none is malicious) 47->94 dropped 67 conhost.exe 47->67         started        file13 signatures14 process15 file16 114 C:\Windows\System32\services32.exe, PE32+ 51->114 dropped 164 Drops executables to the windows directory (C:\Windows) and starts them 51->164 69 services32.exe 51->69         started        72 cmd.exe 51->72         started        signatures17 process18 signatures19 172 Adds a directory exclusion to Windows Defender 69->172 74 conhost.exe 72->74         started        76 schtasks.exe 72->76         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da6332feebc2a530509de0c661231bbd427327c31d6607a6a9286db710b68795/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 20:04:00 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3jrtf7xlykstaue54ddgciy3xvbhgj6ddvtapjvjfbw3oefwq6kq._file
Verdict:
suspicious
Similar samples:
4569c2ca16175dd869475526af97004f47e2918edb583043b609fceb86b35161
Adware.FileTour
51bf9ff43b1aedfebfcf03c71e5bba10a6704b2cf4503e5bbe680221652cc458
Adware.FileTour
7b483b575f88d063ec7d84405be25d5d29579133e9951e5f7b5e2b0d9632472f
Adware.FileTour
a58198274fe278903f5cc16907437a6198725be5bc248d2b6155cd702caf3ed3
Adware.FileTour
d99ac72301d4d4c55ee0c6e33ad4e4551bac90b71f80515eea1a3dfe426abf23
Adware.FileTour
f2dc381b529cbc75c03ca8bf1886b0ee6b1e2622f8918a27a876c50889e2ae7e
Adware.FileTour
f7873cf1b6200ab714ca6d6ff929fc4192d91a1cfc6d685cc734d8f1decb691d
Adware.FileTour
ff1ddb96f4984d4ed65016ca7814432d51a08fe090fae4907e85926469e880da
Adware.FileTour
+ 1'304 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline botnet:208cae76e27fe102019484f9b1e2c6db71cd743e discovery evasion infostealer persistence spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/210905-ft9r5shhgj/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/895f960f-5bd7-4ee1-8910-eba265fb2437/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/895f960f-5bd7-4ee1-8910-eba265fb2437/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/895f960f-5bd7-4ee1-8910-eba265fb2437/
SH256 hash:
ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash:
ccf4a60623b784b084855d0468d76eab
SHA1 hash:
9419cc65a1bb70e8780f6da7cedd169eb333db88
Link:
https://www.unpac.me/results/895f960f-5bd7-4ee1-8910-eba265fb2437/
SH256 hash:
e2a652f0d48dd116e6cbfa0a4ee7cd626a188b536767728b95515aa4ed49332d
MD5 hash:
b5ac3301996922db16b590f16c80143f
SHA1 hash:
51147ea003dcc78b47655edf5ab11f7959988aba
Link:
https://www.unpac.me/results/895f960f-5bd7-4ee1-8910-eba265fb2437/
SH256 hash:
e99ea87eb6e734e9a81c01bea0c15e01ba5f88f746b196f4ecedb4fb4f42db3a
MD5 hash:
164df065ab3beb181a32f47499e946bc
SHA1 hash:
260d38c0aaf032ab12d8b8bfc9697507d2fae876
Link:
https://www.unpac.me/results/895f960f-5bd7-4ee1-8910-eba265fb2437/
SH256 hash:
57be9f7a121a806502c17adb4dfde9da957553ed21acc3ceab62fdba5573ce76
MD5 hash:
e1060379914c122f7d36ac4cb3f912f5
SHA1 hash:
9f4eba1e14b8d9b9aeb237d491e95e0ffbc8eede
Link:
https://www.unpac.me/results/895f960f-5bd7-4ee1-8910-eba265fb2437/
SH256 hash:
289d77a01836cf0cfc2fa4d3a06f283c7a3d821ee4587f3534b9149c9959725e
MD5 hash:
edab3dcf370920b8ea75a0484c8e5254
SHA1 hash:
7c5fda205f31585a2de7088eb07edb4b8c89422c
Link:
https://www.unpac.me/results/895f960f-5bd7-4ee1-8910-eba265fb2437/
SH256 hash:
997f64ca06b6aa2b8974b1862062040684b329498e139f20b7163eeec32ef5b7
MD5 hash:
054d0d342df0cf97b0d4020b47ee77ce
SHA1 hash:
68c59684917fc18524dde7ef24df8db8fc9d5880
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/895f960f-5bd7-4ee1-8910-eba265fb2437/
SH256 hash:
da6332feebc2a530509de0c661231bbd427327c31d6607a6a9286db710b68795
MD5 hash:
ae93af91e8e57397bce40bc97ba15e46
SHA1 hash:
50d2cfe3efe4e74fb02c73e95af4d066d396fd6c
Link:
https://www.unpac.me/results/895f960f-5bd7-4ee1-8910-eba265fb2437/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/da6332feebc2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da6332feebc2a530509de0c661231bbd427327c31d6607a6a9286db710b68795

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185359/

Comments