MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1131c1c7e209a016e6a64cca60e08d8f5efbc3465e55c6ee9551a9032f550e2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TeamBot


Vendor detections: 11



SHA256 hash: 1131c1c7e209a016e6a64cca60e08d8f5efbc3465e55c6ee9551a9032f550e2c
SHA3-384 hash: 603d331350b790edca2779aed9bad37d617842ac0485cf09ccfebf26c1414405ec4dcb59caee5ce8db7c1515c4813e3e
SHA1 hash: 51b0e8c91ad419b2d416afd285a97bac97a8cdd7
MD5 hash: a4e56f85f1f28d2a34d4179d25136e04
humanhash: lithium-fillet-alaska-early
File name: a4e56f85f1f28d2a34d4179d25136e04.exe
Download: download sample
Signature: TeamBot
File size: 270'336 bytes
First seen: 2022-02-02 00:26:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 13fe0c80afc1585ba6b2557231264a3e (6 x RedLineStealer, 1 x TeamBot)
ssdeep: 3072:y3/cgsNKzzuQONJ4wtG2552QH9Cp87wBuG817pM/h3Lfed:yvcguCzNONSKZH9HEwP1dN
Threatray: 4'185 similar samples on MalwareBazaar
TLSH: T13D44C03035D0C471C4961E709826CFE65EBEB8311A68864777B82B6BAF323F0A55635F
dhash icon: fcfcb4b4b4d4d9c1 (24 x RedLineStealer, 10 x Smoke Loader, 4 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe TeamBot


abuse_ch
TeamBot C2:
http://tzgl.org/test3/get.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://tzgl.org/test3/get.php | https://threatfox.abuse.ch/ioc/374456/

Intelligence


File Origin
# of uploads: 1
# of downloads: 196
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: a4e56f85f1f28d2a34d4179d25136e04.exe
Verdict: No threats detected
Analysis date: 2022-02-02 00:36:20 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour:
  Searching for the window
  DNS request
  Creating a file in the %AppData% directory
  Enabling the 'hidden' option for recently created files
  Sending an HTTP POST request
  Enabling autorun by creating a file
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
  MalwareBazaar
  MeasuringTime
  SystemUptime
  CPUID_Instruction
  EvasionQueryPerformanceCounter
  EvasionGetTickCount
  CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2022-01-31 23:35:18 UTC
File Type: PE (Exe)
Extracted files: 29
AV detection: 36 of 43 (83.72%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader backdoor trojan
Behaviour:
  Checks SCSI registry key(s)
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: MapViewOfSection
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  Deletes itself
  SmokeLoader
Malware Config
C2 Extraction:
  http://abpa.at/upload/
  http://emaratghajari.com/upload/
  http://d7qw.cn/upload/
  http://alumik-group.ru/upload/
  http://zamkikurgan.ru/upload/
Unpacked files
SHA256 hash: a7c864d00f3e1289f08710f5a47be1909c34fedb5a20066418fc804ffd61cea5
MD5 hash: c8cdbc18bea69c8802c311a520c8e56e
SHA1 hash: a440d612dfd453526653f0338a247c0ea86def45
SHA256 hash: 1131c1c7e209a016e6a64cca60e08d8f5efbc3465e55c6ee9551a9032f550e2c
MD5 hash: a4e56f85f1f28d2a34d4179d25136e04
SHA1 hash: 51b0e8c91ad419b2d416afd285a97bac97a8cdd7
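The network indicators on this entry are the TeamBot C2 URL in the IOC table and the five SmokeLoader C2 URLs from the config extraction above (the vendor results disagree on the family, so both sets are worth watching). The Python below is an added example, not code from MalwareBazaar, ThreatFox or the reporter: it turns those URLs into host/path rules and runs them over proxy log lines. The log lines, client IPs, timestamps and the Squid-style access.log layout are all constructed for the example and are not from the page. An exact host+path hit is reported separately from a host-only hit, so traffic to a C2 domain on a different path is still surfaced, at lower confidence.

```python
"""Match the C2 URLs listed on this MalwareBazaar entry against proxy logs."""
import re
from urllib.parse import urlsplit

# C2 URLs exactly as listed on the entry (TeamBot from the IOC table,
# SmokeLoader from the sandbox config extraction).
C2_URLS = [
    "http://tzgl.org/test3/get.php",
    "http://abpa.at/upload/",
    "http://emaratghajari.com/upload/",
    "http://d7qw.cn/upload/",
    "http://alumik-group.ru/upload/",
    "http://zamkikurgan.ru/upload/",
]


def build_rules(urls):
    """Return {hostname: {paths}} from a list of URLs.

    Hostnames are lower-cased so that a log line with an upper-cased host
    still matches; paths are kept exact (an empty path becomes "/")."""
    rules = {}
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        rules.setdefault(host, set()).add(parts.path or "/")
    return rules


# Constructed Squid-style access.log lines (assumption: native Squid layout
# "ts elapsed client code/status bytes method URL ident hier/peer type").
# None of these lines, addresses or timestamps come from the page.
SAMPLE_LOG = """\
1643761609.123 245 10.0.0.17 TCP_MISS/200 512 POST http://tzgl.org/test3/get.php - HIER_DIRECT/203.0.113.5 text/html
1643761612.456 130 10.0.0.17 TCP_MISS/200 230 GET http://www.example.com/index.html - HIER_DIRECT/192.0.2.10 text/html
1643761620.789 300 10.0.0.22 TCP_MISS/404 180 POST http://ABPA.AT/upload/ - HIER_DIRECT/198.51.100.9 text/html
1643761630.001 90 10.0.0.22 TCP_MISS/200 600 GET http://tzgl.org/other.php - HIER_DIRECT/203.0.113.5 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<src>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def match_log(log_text, rules):
    """Return a list of (timestamp, client_ip, kind, url) for lines that
    reach a C2 host.  kind is "url" for an exact host+path hit and "host"
    when only the hostname matches (different path: lower confidence)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        parts = urlsplit(m.group("url"))
        host = (parts.hostname or "").lower()
        if host not in rules:
            continue
        kind = "url" if (parts.path or "/") in rules[host] else "host"
        hits.append((m.group("ts"), m.group("src"), kind, m.group("url")))
    return hits


if __name__ == "__main__":
    for ts, src, kind, url in match_log(SAMPLE_LOG, build_rules(C2_URLS)):
        print(f"{ts} {src} {kind:4} {url}")
```

In a real sweep the host-only hits matter because loaders of this kind rotate the path on the same domain; treat them as a pivot to check, not as a confirmed infection.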
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments