MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8b69bd4d7c6a8c131c5f9cd93ca7d0a3645f9cf1f207608bf8d209f3bcaa3b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adware.FileTour


Vendor detections: 9



SHA256 hash: f8b69bd4d7c6a8c131c5f9cd93ca7d0a3645f9cf1f207608bf8d209f3bcaa3b3
SHA3-384 hash: 28e6e373d77bc0cf95978b851056b62fd654ea6bbe20651be7e20e847446769288531926b8ebff3533624eb82c3824d7
SHA1 hash: 34bf6fb1716f44c2078c49470ad35a816a11690e
MD5 hash: a68d49ece80078d1c2f742232f165b1d
humanhash: lima-video-alpha-juliet
File name: a68d49ece80078d1c2f742232f165b1d.exe
Signature: Adware.FileTour
File size: 3'886'449 bytes
First seen: 2021-05-27 18:51:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6e7f9a29f2c85394521a08b9f31f6275 (277 x GuLoader, 44 x RemcosRAT, 39 x VIPKeylogger)
Note: this imphash is shared with hundreds of samples attributed to unrelated families (GuLoader, RemcosRAT, VIPKeylogger), so it identifies a common loader or installer import table rather than this family. Treat it as a weak pivot on its own and combine it with ssdeep/TLSH similarity or YARA matches.
ssdeep: 98304:JD5FGDH+SH8WxrvXY/3Yo9hzjL0MopwuCkkgKAOwd:JD52HTcWVghypzC0Oo
Threatray: 12 similar samples on MalwareBazaar
TLSH: 000633CAF7A21863DFD2C57508A433B7656F53EA08A5D3E7A3E451843A0F634DE0670A
Reporter: abuse_ch
Tags: Adware.FileTour, exe


abuse_ch
Adware.FileTour C2:
http://212.237.61.115/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
http://212.237.61.115/   https://threatfox.abuse.ch/ioc/65646/

Intelligence


File Origin
# of uploads: 1
# of downloads: 138
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a68d49ece80078d1c2f742232f165b1d.exe
Verdict: No threats detected
Analysis date: 2021-05-27 22:18:51 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox; its verdict reflects all user actions taken during the session, not only the uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Running batch commands
Deleting a recently created file
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, RedLine, Vidar
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates files with lurking names (e.g. Crack.exe)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 425921, sample pERdgN6fmS.exe, start date 27/05/2021, architecture WINDOWS, score 100. The rendered graph is flattened in this copy; the process tree, network contacts, dropped files and per-process signatures it recorded are listed below (ports shown are the remote port).

Sample-level network contacts: news-systems.xyz; iphoneapps.xyz; 2 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Antivirus detection for dropped file; 14 other signatures

pERdgN6fmS.exe
  network: 192.168.2.1
  dropped: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  setup_installer.exe
    dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\Local\...\metina_7.exe (PE32); C:\Users\user\AppData\Local\...\metina_6.exe (PE32); 10 other files (4 malicious)
    setup_install.exe
      network: bryexhsg.xyz 104.21.92.229:80 (CLOUDFLARENETUS, United States); 127.0.0.1
      signatures: Detected unpacking (changes PE section rights); Performs DNS queries to domains with low reputation
      children: three cmd.exe instances (starting metina_6.exe, metina_2.exe and metina_7.exe) and 8 other processes (starting metina_4.exe, metina_5.exe, metina_1.exe and metina_3.exe)
      cmd.exe -> metina_6.exe
        network: privacytools.xyz 45.139.187.152:80 (HostingvpsvilleruRU, Russian Federation); log.hackacademy.me; 14 other IPs or domains
        dropped: C:\Users\...\x9Vpwnci6kvbu2MBjmorbFfe.exe (PE32); C:\Users\...\d01q4KGRvTS4OGfMKZge7rav.exe (PE32); C:\Users\...\UET35NnPKnqjNhRiDMLAkaPc.exe (PE32); 11 other files (4 malicious)
        signatures: Antivirus detection for dropped file; Performs DNS queries to domains with low reputation; Machine Learning detection for dropped file
        kdKxsUfN8oCUiPQG76HQpUS5.exe
          dropped: C:\Program Files (x86)\Company\...\runme.exe (PE32); C:\Program Files (x86)\...\md8_8eus.exe (PE32); C:\Program Files (x86)\Company\...\lij.exe (PE32); 3 other files (2 malicious)
        UET35NnPKnqjNhRiDMLAkaPc.exe
          network: 8.209.75.180 (CNNIC-ALIBABA-US-NET-AP, Singapore)
          signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
        SuNVIgnO3xwLGXDYrGOOUeFl.exe
          dropped: C:\Users\user\AppData\Roaming\...\38987.exe (PE32); C:\Users\user\AppData\Local\...\slideshow.mp4 (PE32, despite the .mp4 name)
          signatures: Drops PE files to the startup folder; Renames NTDLL to bypass HIPS
        10 other processes
          network: 45.153.230.32 (TEAM-HOSTASRU, Russian Federation); 217.107.34.191 (RTCOMM-ASRU, Russian Federation); 3 other IPs or domains
          dropped: 3 other files (1 malicious)
          signatures: May check the online IP address of the machine; Tries to harvest and steal browser information (history, passwords, etc); Sample uses process hollowing technique; Injects a PE file into a foreign processes
      cmd.exe -> metina_2.exe
        dropped: C:\Users\user\AppData\Local\Temp\CC4F.tmp (PE32)
        signatures: Detected unpacking (changes PE section rights); Renames NTDLL to bypass HIPS; Maps a DLL or memory area into another process; 2 other signatures
      cmd.exe -> metina_7.exe
        dropped: C:\Users\user\AppData\Local\...\Crack.exe (PE32); C:\Users\user\AppData\Local\...\BTRSetp.exe (PE32)
        signatures: Creates files with lurking names (e.g. Crack.exe)
      metina_4.exe
        dropped: C:\Users\user\AppData\Local\...\metina_4.tmp (PE32)
        metina_4.tmp
          network: limesfile.com 198.54.126.101:80 (NAMECHEAP-NETUS, United States)
          dropped: C:\Users\user\...\_____Zi____DanE______10.exe (PE32); 3 other files (none is malicious)
          _____Zi____DanE______10.exe
            network: 13.107.4.50 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 162.0.210.44 (ACPCA, Canada)
            signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
      metina_5.exe
        network: ip-api.com 208.95.112.1:80 (TUT-ASUS, United States); 3 other IPs or domains
        signatures: May check the online IP address of the machine
        jfiag3g_gg.exe
      metina_1.exe
        network: 94.130.58.199 (HETZNER-ASDE, Germany); api.faceit.com 104.17.62.50 (CLOUDFLARENETUS, United States)
      metina_3.exe
        dropped: C:\Users\user\AppData\Local\...\install.dll (PE32)
        rundll32.exe
          signatures: Creates a thread in another existing process (thread injection)
Threat name: Win32.PUA.PassView
Status: Malicious
First seen: 2021-05-26 11:41:06 UTC
AV detection: 28 of 47 (59.57%)
Threat level: 1/5
Result
Malware family:
Score: 10/10
Tags: family:plugx family:redline family:vidar family:xmrig botnet:servj aspackv2 discovery infostealer miner persistence spyware stealer trojan upx vmprotect
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
PlugX
RedLine
RedLine Payload
Vidar
xmrig
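The two behaviour lists above (the sandbox signatures, and the behaviour tags ending here) describe host-side patterns that can be checked from endpoint telemetry: a payload written to %temp% and executed moments later, a PE dropped into the Startup folder, a Run key added, a remote thread created in another process, and files with lurking names such as Crack.exe. The following is an added example, not code from MalwareBazaar or from any of the sandboxes quoted on this page: a small Python detector that applies those patterns to Sysmon-style events. The event records, file paths, registry value and the five-minute "recently created" window are constructed assumptions for illustration, and the lurking-name list extends the page's single example (Crack.exe) with two guesses of this example's own.

```python
"""Host-side detection for several of the sandbox signatures listed above.

Added example; not code from MalwareBazaar or any sandbox vendor. The events
below are constructed Sysmon-style records (EventID 1 ProcessCreate,
8 CreateRemoteThread, 11 FileCreate, 13 RegistryEvent/SetValue); paths,
key names and timestamps are invented for illustration.
"""
from datetime import datetime, timedelta

# Constructed telemetry shaped like the page's process tree: a dropper writes an
# installer to %TEMP% and runs it, a child writes Crack.exe, another drops a PE
# into the Startup folder and sets a Run value, and rundll32 injects a thread.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2021-05-27 22:18:52",
     "Image": "C:\\Users\\user\\Desktop\\sample.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Temp\\setup_installer.exe"},
    {"EventID": 1, "UtcTime": "2021-05-27 22:18:54",
     "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\setup_installer.exe",
     "ParentImage": "C:\\Users\\user\\Desktop\\sample.exe"},
    {"EventID": 11, "UtcTime": "2021-05-27 22:19:01",
     "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\metina_7.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Temp\\Crack.exe"},
    {"EventID": 11, "UtcTime": "2021-05-27 22:19:05",
     "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\stage2.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\"
                       "Start Menu\\Programs\\Startup\\updater.exe"},
    {"EventID": 13, "UtcTime": "2021-05-27 22:19:06",
     "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\stage2.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    {"EventID": 8, "UtcTime": "2021-05-27 22:19:10",
     "SourceImage": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "TargetImage": "C:\\Windows\\SysWOW64\\explorer.exe"},
    # Benign noise: an MSI install writing to Program Files, then Word starting.
    {"EventID": 11, "UtcTime": "2021-05-27 22:20:00",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Program Files\\Vendor\\app.exe"},
    {"EventID": 1, "UtcTime": "2021-05-27 22:20:30",
     "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

TEMP_MARK = "\\appdata\\local\\temp\\"
STARTUP_MARK = "\\start menu\\programs\\startup\\"
RUN_KEY_MARK = "\\currentversion\\run\\"
# Crack.exe is the page's example; keygen.exe and patch.exe are this example's guess.
LURKING_NAMES = {"crack.exe", "keygen.exe", "patch.exe"}
EXEC_WINDOW = timedelta(minutes=5)  # what counts as "recently created" (assumption)


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def detect(events):
    """Return (rule, detail) pairs for events matching the signatures above."""
    hits = []
    created = {}  # lower-cased path -> time the file was written
    for ev in sorted(events, key=_ts):
        eid = ev["EventID"]
        if eid == 11:  # FileCreate
            path = ev["TargetFilename"]
            low = path.lower()
            created[low] = _ts(ev)
            if STARTUP_MARK in low and low.endswith(".exe"):
                hits.append(("drops_pe_to_startup_folder", path))
            if low.rsplit("\\", 1)[-1] in LURKING_NAMES:
                hits.append(("lurking_file_name", path))
        elif eid == 1:  # ProcessCreate: image written to %TEMP% moments ago?
            low = ev["Image"].lower()
            written = created.get(low)
            if written is not None and TEMP_MARK in low and _ts(ev) - written <= EXEC_WINDOW:
                hits.append(("exec_from_recently_created_temp_file", ev["Image"]))
        elif eid == 13:  # RegistryEvent (value set) under a Run key
            if RUN_KEY_MARK in ev["TargetObject"].lower():
                hits.append(("run_key_persistence", ev["TargetObject"]))
        elif eid == 8:  # CreateRemoteThread into a different process
            if ev["SourceImage"].lower() != ev["TargetImage"].lower():
                hits.append(("remote_thread_injection",
                             ev["SourceImage"] + " -> " + ev["TargetImage"]))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} {detail}")
```

The rules are deliberately narrow: the Temp-then-execute rule only fires when the same path was seen created within the window, so an ordinary installer writing to Program Files and a later Office launch produce no hits. Real deployments would widen the path list (e.g. %PUBLIC%, %PROGRAMDATA%) and add the scheduled-task and taskkill/timeout behaviours listed above.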
Malware Config
C2 Extraction: 87.251.71.4:80
Please note that we are no longer able to provide a coverage score for Virus Total.
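This entry carries network indicators in three places: the ThreatFox IOC table (http://212.237.61.115/), the extracted malware config (87.251.71.4:80), and the domains and addresses in the behaviour graph. The following is an added example, not code from MalwareBazaar, ThreatFox or any sandbox vendor: a format-agnostic Python sweep that pulls hostnames and IPv4 addresses out of DNS, proxy and connection log lines and checks them against those indicators, matching subdomains of a listed domain as well. The indicator values are copied from this page; the high/low confidence grading is this example's own judgement (Cloudflare and Microsoft addresses, ip-api.com and api.faceit.com are shared or third-party infrastructure, so a hit there is context rather than proof), and the log lines are constructed.

```python
"""Network IOC sweep for the indicators on this MalwareBazaar entry.

Added example, not part of the MalwareBazaar page or ThreatFox tooling. The
indicator values come from this entry; the high/low grading and the sample
log lines are constructed for illustration.
"""
import re
from ipaddress import ip_address

# High confidence: listed on this page as C2, as a low-reputation contact, or
# as a download host in the behaviour graph.
HIGH_CONFIDENCE = {
    "212.237.61.115": "C2 reported to ThreatFox (ioc/65646)",
    "87.251.71.4": "C2 from extracted malware config",
    "news-systems.xyz": "contacted by sample",
    "iphoneapps.xyz": "contacted by sample",
    "bryexhsg.xyz": "contacted by setup_install.exe (low-reputation domain)",
    "privacytools.xyz": "contacted by metina_6.exe",
    "log.hackacademy.me": "contacted by metina_6.exe",
    "limesfile.com": "download host used by metina_4.tmp",
    "45.139.187.152": "privacytools.xyz address",
    "8.209.75.180": "contacted by UET35NnPKnqjNhRiDMLAkaPc.exe",
    "45.153.230.32": "contacted by child processes",
    "217.107.34.191": "contacted by child processes",
    "198.54.126.101": "limesfile.com address",
    "94.130.58.199": "contacted by metina_1.exe",
    "162.0.210.44": "contacted by dropped payload",
}
# Low confidence: shared or third-party infrastructure seen in the run.
LOW_CONFIDENCE = {
    "104.21.92.229": "Cloudflare address fronting bryexhsg.xyz",
    "104.17.62.50": "Cloudflare address fronting api.faceit.com",
    "13.107.4.50": "Microsoft address contacted by dropped payload",
    "208.95.112.1": "ip-api.com address",
    "ip-api.com": "public IP-geolocation service (victim fingerprinting)",
    "api.faceit.com": "third-party API contacted by metina_1.exe",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Constructed log lines in three ad-hoc formats (DNS, proxy, connection log).
SAMPLE_LOG = """\
2021-05-27T22:19:03Z dns client=10.0.0.15 query=bryexhsg.xyz type=A
2021-05-27T22:19:04Z proxy 10.0.0.15 GET http://212.237.61.115/ 200
2021-05-27T22:19:09Z dns client=10.0.0.15 query=ip-api.com type=A
2021-05-27T22:19:11Z conn src=10.0.0.15 dst=87.251.71.4 dport=80 proto=tcp
2021-05-27T22:19:15Z dns client=10.0.0.15 query=cdn.privacytools.xyz type=A
2021-05-27T22:19:30Z proxy 10.0.0.22 GET https://www.example.com/ 200
2021-05-27T22:19:40Z dns client=10.0.0.22 query=api.faceit.com type=A
"""


def _is_ipv4(text):
    try:
        return ip_address(text).version == 4
    except ValueError:
        return False


def extract_tokens(line):
    """Pull every IPv4 address and hostname out of a log line, format-agnostic."""
    ips = {m for m in IPV4_RE.findall(line) if _is_ipv4(m)}
    hosts = {m.lower() for m in HOST_RE.findall(line)}
    return ips | hosts


def lookup(token):
    """Exact match first, then walk up parent domains so a subdomain of a
    listed domain (e.g. cdn.privacytools.xyz) still hits. Returns
    (indicator, grade) or None. Addresses are never truncated."""
    labels = token.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in HIGH_CONFIDENCE:
            return candidate, "high"
        if candidate in LOW_CONFIDENCE:
            return candidate, "low"
        if _is_ipv4(token):
            break
    return None


def match_logs(lines):
    """Return (line_no, token, indicator, grade) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in sorted(extract_tokens(line)):
            found = lookup(token)
            if found:
                hits.append((n, token, found[0], found[1]))
    return hits


if __name__ == "__main__":
    for n, token, indicator, grade in match_logs(SAMPLE_LOG.splitlines()):
        why = HIGH_CONFIDENCE.get(indicator) or LOW_CONFIDENCE.get(indicator)
        print(f"line {n}: {token} -> {indicator} [{grade}] {why}")
```

Extracting tokens rather than parsing each log format keeps the sweep usable across DNS, proxy and firewall exports; the price is that any dotted string that looks like a hostname is checked, which is harmless here because only exact or parent-domain matches against the indicator sets are reported.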

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments