Trojan:Win32/FileTour is a hybrid threat acting as both a deceptive adware downloader and a stealthy cryptomining loader.
Understanding FileTour
To the victim, FileTour significantly degrades system performance, causing the computer's fans to spin loudly and applications to freeze. For incident responders, FileTour is a dual-pronged attack. Initially posing as a media codec or software installer, it floods the system with traditional adware. However, its primary, highly profitable payload is the silent installation of XMRig (or similar) cryptocurrency miners that hijack the endpoint's CPU and GPU resources.
Execution and Evasion Strategies
FileTour is typically encountered on illegal streaming sites, torrent trackers, or fake software crack portals. Once executed, it drops a massive barrage of bundled software to distract the user. Simultaneously, it injects a highly obfuscated cryptomining payload into legitimate system processes (like svchost.exe or notepad.exe) to hide its resource consumption from Task Manager. It establishes persistence via the Windows Startup folder or scheduled tasks. FileTour often utilizes anti-analysis techniques, pausing the cryptominer if it detects mouse movement or the opening of Task Manager.
Indicators of Compromise (IoCs)
Threat hunters should immediately investigate endpoints displaying sustained 100% CPU utilization. Network analysts will observe persistent outbound TCP connections over non-standard ports (e.g., 3333, 4444, 14444) indicative of Stratum mining protocol communications with mining pools. The presence of dropped E-mail spam modules or secondary adware in the %Temp% directory are also strong IoCs.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_FILETOUR {
meta:
description = "Detects Filetour (pua)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "filetour" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Filetour Activity
id: 12d710c3aa98a072ccce3608c7fa0f12
status: experimental
description: Detects generic indicators of the filetour malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*filetour*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/filetour.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.