MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 026bf743539f5a80425f898d07c7ffe4bdc687fe24af14f49a8e351cbe3e90bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Backdoor.TeamViewer


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 026bf743539f5a80425f898d07c7ffe4bdc687fe24af14f49a8e351cbe3e90bd
SHA3-384 hash: a157e6e254c6bb7c386ce8b53fe55f8dc8d9b488e8e6fd7a1a75a551fec057a0671e746a87f3871e43e305708044438d
SHA1 hash: 6386a0c87d918a8260bf3caf7b7d447f33322354
MD5 hash: f3ed1c73e7e23b81ee52a55f9a2a22c7
humanhash: snake-seven-jersey-mockingbird
File name:file
Download: download sample
Signature Backdoor.TeamViewer
Create hunting rule
File size:1'192'960 bytes
First seen:2023-10-10 03:20:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:DyosTUaiOT5/rKA8ZLxHqH980gTERC1j6du+T69dMJX:WosTy05Lv9ByGdXTYKJ
TLSH T1E8452303BBE54873D8751BB588F603C70F7AB8C2A9B4936B2B49940A4C72B945673737
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter andretavare5
Tags:Backdoor.TeamViewer exe


Avatar
andretavare5
Sample downloaded from http://77.91.68.249/navi/kur90.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Creating a file
Launching a process
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/026bf743539f5a80425f898d07c7ffe4bdc687fe24af14f49a8e351cbe3e90bd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cf0e1c55-b3f6-4a04-967f-cb97538e9168
Result
Threat name:
Amadey, Babadeda, Healer AV Disabler, My
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1322537
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found API chain indicative of debugger detection
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Phishing site detected (based on logo match)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Healer AV Disabler
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1322537 Sample: file.exe Startdate: 10/10/2023 Architecture: WINDOWS Score: 100 124 www3.l.google.com 2->124 126 www.google.com 2->126 128 9 other IPs or domains 2->128 154 Snort IDS alert for network traffic 2->154 156 Multi AV Scanner detection for domain / URL 2->156 158 Found malware configuration 2->158 160 20 other signatures 2->160 15 file.exe 1 4 2->15         started        18 svchost.exe 2->18         started        21 svchost.exe 1 2->21         started        23 9 other processes 2->23 signatures3 process4 file5 120 C:\Users\user\AppData\Local\...\zu9Xl57.exe, PE32 15->120 dropped 122 C:\Users\user\AppData\Local\...\5CO4Gc2.exe, PE32 15->122 dropped 25 zu9Xl57.exe 1 4 15->25         started        138 Changes security center settings (notifications, updates, antivirus, firewall) 18->138 140 Query firmware table information (likely to detect VMs) 21->140 29 WerFault.exe 23->29         started        31 WerFault.exe 2 23->31         started        33 WerFault.exe 23->33         started        signatures6 process7 file8 96 C:\Users\user\AppData\Local\...\rh5Dl87.exe, PE32 25->96 dropped 98 C:\Users\user\AppData\Local\...\4bI167gc.exe, PE32 25->98 dropped 172 Multi AV Scanner detection for dropped file 25->172 35 rh5Dl87.exe 1 4 25->35         started        39 Conhost.exe 29->39         started        signatures9 process10 file11 92 C:\Users\user\AppData\Local\...\Xx6eE84.exe, PE32 35->92 dropped 94 C:\Users\user\AppData\Local\...\3ds89qz.exe, PE32 35->94 dropped 162 Multi AV Scanner detection for dropped file 35->162 41 3ds89qz.exe 35->41         started        44 Xx6eE84.exe 1 4 35->44         started        signatures12 process13 file14 164 Multi AV Scanner detection for dropped file 41->164 166 Found API chain indicative of debugger detection 41->166 168 Writes to foreign memory regions 41->168 170 2 other signatures 41->170 47 AppLaunch.exe 41->47         started        50 WerFault.exe 41->50         started        112 C:\Users\user\AppData\Local\...\2vI4724.exe, PE32 44->112 dropped 114 C:\Users\user\AppData\Local\...\1CM55vd1.exe, PE32 44->114 dropped 52 2vI4724.exe 44->52         started        54 1CM55vd1.exe 9 44->54         started        signatures15 process16 signatures17 184 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 47->184 186 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 47->186 188 Maps a DLL or memory area into another process 47->188 202 2 other signatures 47->202 56 explorer.exe 47->56 injected 190 Found API chain indicative of debugger detection 52->190 192 Contains functionality to inject code into remote processes 52->192 194 Writes to foreign memory regions 52->194 204 2 other signatures 52->204 61 AppLaunch.exe 12 52->61         started        63 WerFault.exe 22 16 52->63         started        196 Modifies windows update settings 54->196 198 Disable Windows Defender notifications (registry) 54->198 200 Disable Windows Defender real time protection (registry) 54->200 process18 dnsIp19 130 5.42.65.80, 49743, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 56->130 132 77.91.68.29, 49716, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 56->132 136 2 other IPs or domains 56->136 100 C:\Users\user\AppData\Local\Temp\B960.exe, PE32 56->100 dropped 102 C:\Users\user\AppData\Local\Temp\AB56.exe, PE32 56->102 dropped 104 C:\Users\user\AppData\Local\Temp\9905.exe, PE32 56->104 dropped 106 6 other files (5 malicious) 56->106 dropped 174 System process connects to network (likely due to code injection or exploit) 56->174 176 Benign windows process drops PE files 56->176 178 Hides that the sample has been downloaded from the Internet (zone.identifier) 56->178 65 5C54.exe 56->65         started        69 60E9.exe 56->69         started        71 rundll32.exe 56->71         started        134 5.42.92.211, 49712, 49718, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 61->134 180 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 61->180 182 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 61->182 file20 signatures21 process22 file23 84 C:\Users\user\AppData\Local\...\vg1Gq6KM.exe, PE32 65->84 dropped 86 C:\Users\user\AppData\Local\...\6Vx27PT.exe, PE32 65->86 dropped 142 Antivirus detection for dropped file 65->142 144 Machine Learning detection for dropped file 65->144 73 vg1Gq6KM.exe 65->73         started        146 Multi AV Scanner detection for dropped file 69->146 148 Found API chain indicative of debugger detection 69->148 150 Writes to foreign memory regions 69->150 152 2 other signatures 69->152 76 AppLaunch.exe 69->76         started        signatures24 process25 file26 108 C:\Users\user\AppData\Local\...\Yh5EX2EA.exe, PE32 73->108 dropped 110 C:\Users\user\AppData\Local\...\5YB58fG.exe, PE32 73->110 dropped 78 Yh5EX2EA.exe 73->78         started        process27 file28 116 C:\Users\user\AppData\Local\...\wh8jb5wt.exe, PE32 78->116 dropped 118 C:\Users\user\AppData\Local\...\4OR264Ov.exe, PE32 78->118 dropped 81 wh8jb5wt.exe 78->81         started        process29 file30 88 C:\Users\user\AppData\Local\...\nU5sz5ww.exe, PE32 81->88 dropped 90 C:\Users\user\AppData\Local\...\3yz4Pu75.exe, PE32 81->90 dropped
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/026bf743539f5a80425f898d07c7ffe4bdc687fe24af14f49a8e351cbe3e90bd/
Threat name:
Win32.Trojan.Disabler
Create hunting rule
Status:
Malicious
First seen:
2023-10-10 03:21:04 UTC
File Type:
PE (Exe)
Extracted files:
152
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ajv7oq2tt5niaqs7rggqpr774s64nb76esxrj5e2ry2rzpr6sc6q._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:glupteba family:healer family:redline family:smokeloader botnet:6012068394_99 botnet:lutyr botnet:magia backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/231010-dwbl1sce28/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Stops running service(s)
Amadey
DcRat
Detects Healer an antivirus disabler dropper
Glupteba
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
77.91.124.55:19071
http://77.91.68.29/fks/
http://77.91.124.1/theme/index.php
https://pastebin.com/raw/8baCJyMF
Unpacked files
SH256 hash:
4e5cd82834477e6e315c1b643c14f7968df83a3ff02ff71f84e822ca722414bf
MD5 hash:
33199a6d5921243dab27785547ac92e7
SHA1 hash:
ddda6389b982069a1ae4b81974d390a858ffda1d
Link:
https://www.unpac.me/results/7fc63fd3-1dec-4221-ba04-850c40ed0004/
SH256 hash:
2ecc669a7f5e4db05bd4c07c459784a9e2f8b1f957189ef51c4166dc4975ac7e
MD5 hash:
f5c4e387fa2668c0d3696e99fdda0bcb
SHA1 hash:
f7ab275ac642386f9363894fe142b59ea76b62cb
Link:
https://www.unpac.me/results/7fc63fd3-1dec-4221-ba04-850c40ed0004/
SH256 hash:
431be214153fd5ffd4ff4fe2826276c8feb1459837eda7462a171c824bd63d31
MD5 hash:
94a8f3962afb223c692c8c8757e2b14d
SHA1 hash:
3d5a3f9bcd56b73a96a70cdfb9def93b54643c1e
Link:
https://www.unpac.me/results/7fc63fd3-1dec-4221-ba04-850c40ed0004/
SH256 hash:
bfa9b5fe9625d16a7c8e904fc81a42bbfbc0c2acc1380ada85b3fb9e67aad8d0
MD5 hash:
081c9bde20726f72840452faeea0cae7
SHA1 hash:
721847d28f5c5c5f53ba4eccfbdc814b72032b64
Link:
https://www.unpac.me/results/7fc63fd3-1dec-4221-ba04-850c40ed0004/
SH256 hash:
7ab5ad579d3cbe21f10b382408c030c76f307aa0398289de2c27a5dab5880206
MD5 hash:
47aec49d6a50c3884899084db112c452
SHA1 hash:
7269e9e406f2da4125b4f9e3f5ed025ed67ea3ea
Link:
https://www.unpac.me/results/7fc63fd3-1dec-4221-ba04-850c40ed0004/
SH256 hash:
146c18cabe95f2793efb56e47ddf4b962300b576750f3bbd8e87b01c8396efeb
MD5 hash:
39de5b859f5506f4c92440a4be5a3768
SHA1 hash:
44b40654fe34b5f3f687a1650a528a4c5ce7c8fc
Link:
https://www.unpac.me/results/7fc63fd3-1dec-4221-ba04-850c40ed0004/
SH256 hash:
026bf743539f5a80425f898d07c7ffe4bdc687fe24af14f49a8e351cbe3e90bd
MD5 hash:
f3ed1c73e7e23b81ee52a55f9a2a22c7
SHA1 hash:
6386a0c87d918a8260bf3caf7b7d447f33322354
Link:
https://www.unpac.me/results/7fc63fd3-1dec-4221-ba04-850c40ed0004/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/026bf743539f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/026bf743539f5a80425f898d07c7ffe4bdc687fe24af14f49a8e351cbe3e90bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2715539/

Comments