Filetour

Category: pua · Aliases: None known · Sample count (EMBER 2018): 3,238 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Trojan:Win32/FileTour is a hybrid threat acting as both a deceptive adware downloader and a stealthy cryptomining loader.

Understanding FileTour
To the victim, FileTour significantly degrades system performance, causing the computer's fans to spin loudly and applications to freeze. For incident responders, FileTour is a dual-pronged attack. Initially posing as a media codec or software installer, it floods the system with traditional adware. However, its primary, highly profitable payload is the silent installation of XMRig (or similar) cryptocurrency miners that hijack the endpoint's CPU and GPU resources.

Execution and Evasion Strategies
FileTour is typically encountered on illegal streaming sites, torrent trackers, or fake software crack portals. Once executed, it drops a massive barrage of bundled software to distract the user. Simultaneously, it injects a highly obfuscated cryptomining payload into legitimate system processes (like svchost.exe or notepad.exe) to hide its resource consumption from Task Manager. It establishes persistence via the Windows Startup folder or scheduled tasks. FileTour often utilizes anti-analysis techniques, pausing the cryptominer if it detects mouse movement or the opening of Task Manager.

Indicators of Compromise (IoCs)
Threat hunters should immediately investigate endpoints displaying sustained 100% CPU utilization. Network analysts will observe persistent outbound TCP connections over non-standard ports (e.g., 3333, 4444, 14444) indicative of Stratum mining protocol communications with mining pools. The presence of dropped E-mail spam modules or secondary adware in the %Temp% directory are also strong IoCs.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1496Resource HijackingImpact
T1055Process InjectionDefense Evasion
T1562.001Impair Defenses: Disable or Modify ToolsDefense Evasion
T1105Ingress Tool TransferCommand and Control
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderPersistence

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_FILETOUR {
    meta:
        description = "Detects Filetour (pua)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "filetour" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Filetour Activity
id: 12d710c3aa98a072ccce3608c7fa0f12
status: experimental
description: Detects generic indicators of the filetour malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*filetour*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Disconnect the endpoint from the network to sever the Stratum protocol connection, immediately halting the cryptomining activity.
  2. Utilize EDR or memory forensics to identify and terminate the legitimate processes (like <code>svchost.exe</code>) that have been injected with the mining payload.
  3. Audit the firewall logs to identify the mining pool IP addresses and block them enterprise-wide.
  4. Perform a full system sweep to remove the vast amount of secondary adware and bundleware dropped by the FileTour installer.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not trust Task Manager to identify the malicious process; FileTour actively hooks APIs to hide its CPU usage or pauses when monitoring tools are opened.
  2. Avoid leaving the machine in a prolonged infected state, as the extreme thermal stress caused by cryptomining can cause hardware failure.

References & External Analysis

Related Families (Category: pua)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/filetour.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.