MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6dff8475541ebddc1f0db47a311eb2c25581b7d5e62af8066d59c283114c2d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6dff8475541ebddc1f0db47a311eb2c25581b7d5e62af8066d59c283114c2d3
SHA3-384 hash: e9da31658320d83624c3a741c7261aaa666db1a47172defb342e0a245078fec3a38a2ecc6075ce7a6bd16c470f2d967f
SHA1 hash: 0c745cd386c529d2f06d51e260fdca4b34ad0942
MD5 hash: ab378a91bd7a186c0eb724c264c836fb
humanhash: one-table-arizona-diet
File name:e6dff8475541ebddc1f0db47a311eb2c25581b7d5e62a.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:6'344'930 bytes
First seen:2021-10-27 14:51:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 196608:itjyxliX+dZegkxKbgyPu5q5fcKtvEglYtgt:sy7VdZegIKb4q1f3Yat
TLSH T16D56332CE1C29971C1760A3B8C5BF7FBF13D620859BD76CEA7C91D8868533052EB6249
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
144.202.13.247:33577

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
144.202.13.247:33577 https://threatfox.abuse.ch/ioc/238428/

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6609814701637632.zip
Verdict:
Malicious activity
Analysis date:
2021-10-27 12:41:31 UTC
Tags:
autoit trojan evasion rat redline stealer vidar opendir loader formbook smoke raccoon
Link:
https://app.any.run/tasks/62303bf3-9cf1-4cdc-9db7-516eab9d77c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/200574/
Detection(s):
SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Searching for the window
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Replacing files
Creating a file in the Windows subdirectories
Launching a service
Launching a tool to kill processes
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive fingerprint greyware overlay packed
Link:
https://www.filescan.io/uploads/61796794db358dd15ee008d0/reports/3cc28a1f-b5b9-4342-a95e-82c32025a183/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d84b112c-d567-4b0c-aeda-6acc0fc64439
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878089
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Creates HTML files with .exe extension (expired dropper behavior)
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies Chrome's extension installation force list
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Schedule system process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 510520 Sample: e6dff8475541ebddc1f0db47a31... Startdate: 27/10/2021 Architecture: WINDOWS Score: 100 84 psttbk.com 206.81.21.194, 49766, 80 DIGITALOCEAN-ASNUS United States 2->84 86 collect.installeranalytics.com 3.232.36.43, 443, 49774, 49776 AMAZON-AESUS United States 2->86 88 6 other IPs or domains 2->88 110 Antivirus detection for URL or domain 2->110 112 Antivirus detection for dropped file 2->112 114 Multi AV Scanner detection for dropped file 2->114 116 13 other signatures 2->116 8 e6dff8475541ebddc1f0db47a311eb2c25581b7d5e62a.exe 18 11 2->8         started        12 msiexec.exe 2->12         started        14 svchost.exe 2->14         started        16 3 other processes 2->16 signatures3 process4 file5 52 C:\Program Files (x86)\FastPc\...\Faster.exe, PE32 8->52 dropped 54 C:\Program Files (x86)\FastPc\...\Fast_.exe, PE32 8->54 dropped 56 C:\Program Files (x86)\FastPc\...\FastPCV.exe, PE32 8->56 dropped 64 3 other malicious files 8->64 dropped 130 Modifies Chrome's extension installation force list 8->130 18 Armentieres.exe 15 5 8->18         started        23 FastPCV.exe 2 8->23         started        25 Faster.exe 14 5 8->25         started        27 4 other processes 8->27 58 C:\...\Windows Updater.exe, PE32 12->58 dropped 60 C:\...\AdvancedWindowsManager.exe, PE32+ 12->60 dropped 62 C:\Windows\Installer\MSIF1C3.tmp, PE32 12->62 dropped 66 14 other files (none is malicious) 12->66 dropped 132 Changes security center settings (notifications, updates, antivirus, firewall) 14->132 signatures6 process7 dnsIp8 90 www.google.com 142.250.185.228, 49754, 80 GOOGLEUS United States 18->90 42 C:\Windows\System32\WindowsPro\svchost.exe, PE32+ 18->42 dropped 44 C:\Windows\System32\drivers\etc\hosts, ASCII 18->44 dropped 118 Changes the view of files in windows explorer (hidden files and folders) 18->118 120 Modifies the hosts file 18->120 122 Adds a directory exclusion to Windows Defender 18->122 46 C:\Users\user\AppData\Local\...\FastPCV.tmp, PE32 23->46 dropped 29 FastPCV.tmp 20 19 23->29         started        92 source7.boys4dayz.com 172.67.148.61, 443, 49744 CLOUDFLARENETUS United States 25->92 94 duzlwewk2uk96.cloudfront.net 13.224.194.144, 49865, 80 AMAZON-02US United States 25->94 48 C:\Users\user\AppData\Local\Temp\vpn.exe, PE32 25->48 dropped 50 C:\Users\user\AppData\Local\...\installer.exe, PE32 25->50 dropped 124 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->124 34 installer.exe 25->34         started        96 144.202.13.247, 33577, 49751 AS-CHOOPAUS United States 27->96 98 3.17.66.208, 50383 AMAZON-02US United States 27->98 126 Tries to harvest and steal browser information (history, passwords, etc) 27->126 128 Tries to steal Crypto Currency Wallets 27->128 36 conhost.exe 27->36         started        38 taskkill.exe 27->38         started        40 conhost.exe 27->40         started        file9 signatures10 process11 dnsIp12 100 ipinfo.io 34.117.59.81, 443, 49742, 49743 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 29->100 102 otisrebe.xyz 92.38.184.204, 49746, 49747, 80 GCOREAT Austria 29->102 104 proxycheck.io 104.26.8.187, 49745, 80 CLOUDFLARENETUS United States 29->104 68 C:\Users\user\AppData\...\itdownload.dll, PE32 29->68 dropped 70 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 29->70 dropped 72 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 29->72 dropped 80 2 other files (none is malicious) 29->80 dropped 134 May check the online IP address of the machine 29->134 136 Creates HTML files with .exe extension (expired dropper behavior) 29->136 138 Performs DNS queries to domains with low reputation 29->138 106 3.209.18.1, 443, 49861 AMAZON-AESUS United States 34->106 108 collect.installeranalytics.com 34->108 74 C:\Users\user\...\AdvancedWindowsManager.exe, PE32+ 34->74 dropped 76 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 34->76 dropped 78 C:\Users\user\AppData\...\Windows Updater.exe, PE32 34->78 dropped 82 4 other files (none is malicious) 34->82 dropped file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6dff8475541ebddc1f0db47a311eb2c25581b7d5e62af8066d59c283114c2d3/
Threat name:
Win32.Trojan.Cerbu
Create hunting rule
Status:
Malicious
First seen:
2021-10-26 19:37:13 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=43p7qr2vihv53qpq3nd2geplfqsvqg35lzrk7adg2wocqmiuyljq._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:vidar botnet:1045 botnet:drakdong botnet:v4 discovery evasion infostealer spyware stealer trojan upx
Link:
https://tria.ge/reports/211027-r8qtcsfca6/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Vidar Stealer
Modifies visibility of file extensions in Explorer
Modifies visiblity of hidden/system files in Explorer
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
3.17.66.208:50383
https://mas.to/@lilocc
144.202.13.247:33577
Unpacked files
SH256 hash:
ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash:
ccf4a60623b784b084855d0468d76eab
SHA1 hash:
9419cc65a1bb70e8780f6da7cedd169eb333db88
Link:
https://www.unpac.me/results/00318e97-f4c2-4fb6-8140-0553e05eb428/
SH256 hash:
666229757b0d7cde94f804d447cab99e20eab8b7bdc99ca8c2fa2de3a2d610f9
MD5 hash:
edad118fcd98e1796954ea4cebeae02e
SHA1 hash:
59ebd7107f7d422088865156ecfd338c63391a62
Link:
https://www.unpac.me/results/00318e97-f4c2-4fb6-8140-0553e05eb428/
SH256 hash:
e6dff8475541ebddc1f0db47a311eb2c25581b7d5e62af8066d59c283114c2d3
MD5 hash:
ab378a91bd7a186c0eb724c264c836fb
SHA1 hash:
0c745cd386c529d2f06d51e260fdca4b34ad0942
Link:
https://www.unpac.me/results/00318e97-f4c2-4fb6-8140-0553e05eb428/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e6dff8475541/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6dff8475541ebddc1f0db47a311eb2c25581b7d5e62af8066d59c283114c2d3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/200574/

Comments