MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 129fc7deea5ab9985c016ed6882e2c5c1f4ef971580862b68fafb0cfe387ee47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Backdoor.TeamViewer


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 129fc7deea5ab9985c016ed6882e2c5c1f4ef971580862b68fafb0cfe387ee47
SHA3-384 hash: cca41b66ef76fd945e51d5e127224b270344f7b11f4a2cf25fffda69e8e5fbf0317e28cac306080b09d337893cb45dd1
SHA1 hash: 801d9c530001ccbb756b09976d2e53ee103deb5a
MD5 hash: 0711e23d2902f70311f03cc4a658362a
humanhash: angel-diet-high-montana
File name:0711e23d2902f70311f03cc4a658362a.exe
Download: download sample
Signature Backdoor.TeamViewer
Create hunting rule
File size:760'832 bytes
First seen:2023-10-21 15:00:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:8Mrly90l3AxD1OdMC1kLGed/X/uuAfmVK9WOMJF5E8G6JItDuTuAVhwR7+yi:BycED1On1G3X/rAfBvC5HmWu1R7+yi
Threatray 1'848 similar samples on MalwareBazaar
TLSH T10BF41266E2E8A236DDB5277009F617D30F3BBCE28C78435B3755584A4CB36889839727
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Backdoor.TeamViewer exe


Avatar
abuse_ch
Backdoor.TeamViewer C2:
193.26.115.207:2001

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-17 18:02:03 UTC
Tags:
stealc stealer redline sinkhole amadey botnet trojan opendir loader
Link:
https://app.any.run/tasks/1d3aa62d-97a0-4ba0-818e-da071f68f82a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Malware.Agen-10011664-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Сreating synchronization primitives
Launching a service
Creating a file
Creating a window
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
91%
Tags:
advpack anti-vm CAB confuserex control explorer installer lolbin lolbin packed packed redline rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/6533e7af4678fc28dfc2dd8a/reports/cc80d74e-405f-4dcf-b40f-ffe5380ea830/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/129fc7deea5ab9985c016ed6882e2c5c1f4ef971580862b68fafb0cfe387ee47
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/28ee304a-b94f-48be-9513-10e48669a8bd
Result
Threat name:
Amadey, LummaC Stealer, Mystic Stealer,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1329696
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1329696 Sample: cu3YHc5Gw1.exe Startdate: 21/10/2023 Architecture: WINDOWS Score: 100 172 www.challenger-am.com 2->172 174 api.ip.sb 2->174 176 6 other IPs or domains 2->176 222 Snort IDS alert for network traffic 2->222 224 Multi AV Scanner detection for domain / URL 2->224 226 Found malware configuration 2->226 228 19 other signatures 2->228 15 cu3YHc5Gw1.exe 1 4 2->15         started        18 svchost.exe 2->18         started        21 svchost.exe 2->21         started        23 3 other processes 2->23 signatures3 process4 dnsIp5 160 C:\Users\user\AppData\Local\...\Ox9BM04.exe, PE32 15->160 dropped 162 C:\Users\user\AppData\Local\...\4mJ794pk.exe, PE32 15->162 dropped 25 Ox9BM04.exe 1 4 15->25         started        29 4mJ794pk.exe 2 15->29         started        178 127.0.0.1 unknown unknown 18->178 164 C:\ProgramData\Microsoft164etwork\...\qmgr.jfm, DOS 18->164 dropped 32 WerFault.exe 21->32         started        file6 process7 dnsIp8 156 C:\Users\user\AppData\Local\...\gN7fp67.exe, PE32 25->156 dropped 158 C:\Users\user\AppData\Local\...\3pI47ZV.exe, PE32 25->158 dropped 274 Multi AV Scanner detection for dropped file 25->274 276 Machine Learning detection for dropped file 25->276 34 3pI47ZV.exe 25->34         started        37 gN7fp67.exe 1 4 25->37         started        192 77.91.124.55, 19071 ECOTEL-ASRU Russian Federation 29->192 278 Antivirus detection for dropped file 29->278 file9 signatures10 process11 file12 200 Multi AV Scanner detection for dropped file 34->200 202 Machine Learning detection for dropped file 34->202 204 Writes to foreign memory regions 34->204 206 2 other signatures 34->206 40 AppLaunch.exe 34->40         started        146 C:\Users\user\AppData\Local\...\2lQ9351.exe, PE32 37->146 dropped 148 C:\Users\user\AppData\Local\...\1tc84Sk1.exe, PE32 37->148 dropped 43 1tc84Sk1.exe 37->43         started        45 2lQ9351.exe 12 37->45         started        signatures13 process14 dnsIp15 244 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 40->244 246 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 40->246 248 Maps a DLL or memory area into another process 40->248 256 2 other signatures 40->256 48 explorer.exe 64 42 40->48 injected 250 Multi AV Scanner detection for dropped file 43->250 252 Contains functionality to inject code into remote processes 43->252 254 Writes to foreign memory regions 43->254 258 2 other signatures 43->258 53 AppLaunch.exe 9 1 43->53         started        194 5.42.92.88, 49712, 49719, 49765 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 45->194 signatures16 process17 dnsIp18 166 5.42.65.80, 49761, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 48->166 168 77.91.68.29, 49717, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 48->168 170 5 other IPs or domains 48->170 118 C:\Users\user\AppData\Local\Temp\FDDB.exe, PE32 48->118 dropped 120 C:\Users\user\AppData\Local\Temp\F9B3.exe, PE32 48->120 dropped 122 C:\Users\user\AppData\Local\Temp\F770.exe, PE32 48->122 dropped 124 14 other files (13 malicious) 48->124 dropped 208 System process connects to network (likely due to code injection or exploit) 48->208 210 Benign windows process drops PE files 48->210 212 Hides that the sample has been downloaded from the Internet (zone.identifier) 48->212 55 A493.exe 48->55         started        59 B89D.exe 48->59         started        61 CC28.exe 48->61         started        64 6 other processes 48->64 214 Modifies windows update settings 53->214 216 Disable Windows Defender notifications (registry) 53->216 218 Disable Windows Defender real time protection (registry) 53->218 file19 signatures20 process21 dnsIp22 150 C:\Users\user\AppData\Local\...\Yv9Iq9Uz.exe, PE32 55->150 dropped 152 C:\Users\user\AppData\Local\...\6nW39CU.exe, PE32 55->152 dropped 260 Antivirus detection for dropped file 55->260 262 Multi AV Scanner detection for dropped file 55->262 264 Machine Learning detection for dropped file 55->264 66 Yv9Iq9Uz.exe 55->66         started        154 C:\Users\user\AppData\Local\...\explothe.exe, PE32 59->154 dropped 70 explothe.exe 59->70         started        196 185.196.9.65, 49772, 80 SIMPLECARRIERCH Switzerland 61->196 266 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 61->266 268 Found many strings related to Crypto-Wallets (likely being stolen) 61->268 270 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 61->270 272 Tries to harvest and steal browser information (history, passwords, etc) 61->272 198 85.209.176.128, 80 ASDETUKhttpwwwheficedcomGB United Kingdom 64->198 73 chrome.exe 64->73         started        75 chrome.exe 64->75         started        77 conhost.exe 64->77         started        79 2 other processes 64->79 file23 signatures24 process25 dnsIp26 130 C:\Users\user\AppData\Local\...\lC7EY8RZ.exe, PE32 66->130 dropped 132 C:\Users\user\AppData\Local\...\5kg44bc.exe, PE32 66->132 dropped 230 Antivirus detection for dropped file 66->230 232 Multi AV Scanner detection for dropped file 66->232 234 Machine Learning detection for dropped file 66->234 81 lC7EY8RZ.exe 66->81         started        180 77.91.124.1, 49739, 49740, 49746 ECOTEL-ASRU Russian Federation 70->180 134 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 70->134 dropped 136 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 70->136 dropped 236 Creates an undocumented autostart registry key 70->236 238 Uses schtasks.exe or at.exe to add and modify task schedules 70->238 85 cmd.exe 70->85         started        87 schtasks.exe 70->87         started        89 rundll32.exe 70->89         started        182 192.168.2.5, 19071, 443, 49705 unknown unknown 73->182 184 239.255.255.250 unknown Reserved 73->184 91 chrome.exe 73->91         started        94 chrome.exe 73->94         started        96 chrome.exe 73->96         started        98 chrome.exe 75->98         started        file27 signatures28 process29 dnsIp30 126 C:\Users\user\AppData\Local\...\Bk9Yf2ib.exe, PE32 81->126 dropped 128 C:\Users\user\AppData\Local\...\4PP120Nf.exe, PE32 81->128 dropped 220 Multi AV Scanner detection for dropped file 81->220 100 Bk9Yf2ib.exe 81->100         started        104 conhost.exe 85->104         started        106 cmd.exe 85->106         started        108 cacls.exe 85->108         started        112 4 other processes 85->112 110 conhost.exe 87->110         started        186 play.google.com 142.251.163.102, 443, 49790 GOOGLEUS United States 91->186 188 142.251.163.106 GOOGLEUS United States 91->188 190 12 other IPs or domains 91->190 file31 signatures32 process33 file34 142 C:\Users\user\AppData\Local\...\DH6RB5lU.exe, PE32 100->142 dropped 144 C:\Users\user\AppData\Local\...\3by5MD51.exe, PE32 100->144 dropped 242 Multi AV Scanner detection for dropped file 100->242 114 DH6RB5lU.exe 100->114         started        signatures35 process36 file37 138 C:\Users\user\AppData\Local\...\2Ze484sG.exe, PE32 114->138 dropped 140 C:\Users\user\AppData\Local\...\1Ku25OO5.exe, PE32 114->140 dropped 240 Multi AV Scanner detection for dropped file 114->240 signatures38
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/129fc7deea5ab9985c016ed6882e2c5c1f4ef971580862b68fafb0cfe387ee47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/129fc7deea5ab9985c016ed6882e2c5c1f4ef971580862b68fafb0cfe387ee47/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-10-17 17:39:06 UTC
File Type:
PE (Exe)
Extracted files:
116
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ckp4pxxklk4zqxabn3liqlrmlqpu56lrlaegfnupv6ym7y4h5zdq._file
Verdict:
malicious
Similar samples:
16d1a075654019ae8daaa42fdd5de6900f9956c9bcd76d0213678af49acacacf
Backdoor.TeamViewer
48f7a5ea24629389edc536091f1926ebc0ed159a000f31e847e90c9fa5d5ab34
Backdoor.TeamViewer
4fcea54a9c17fac90f3b6b0d80308d5f2b7ae10c2bf51e495aed311cf2dee18a
Backdoor.TeamViewer
64219b448e6239125597fce4a61477bb627f5e5f25bbda18c1d332f3a7f335f6
Backdoor.TeamViewer
7c5e9ace70e1d7b0e4b4b326839a1f1d82ae8c1c4136fe3e86b627b278d59b4a
Backdoor.TeamViewer
95b032534407f098cd6afaf8388a08348f7c3ce991059cd65eb66885451018cf
Backdoor.TeamViewer
97a6ff69b40f3587e4a792235f4cddd5dbc76940ae8630e9e474c807ad1634e4
Backdoor.TeamViewer
b3ef8346783b53a63fd52fa50cfba5f0322ee95dc1f723bee0405c4d5c44263b
Backdoor.TeamViewer
c279bdf117c56f3ae2931ce5864df8d291f523c359342ef48ced08ed47b72127
Backdoor.TeamViewer
f88cd251b69365735b28791a22f55c246039ea1358b594f08972ca465fae617c
Backdoor.TeamViewer
+ 1'838 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:glupteba family:redline family:sectoprat family:smokeloader botnet:5141679758_99 botnet:breha botnet:pixelscloud2.0 botnet:rapta botnet:up3 botnet:wolfa botnet:yt&team cloud backdoor brand:google discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan
Link:
https://tria.ge/reports/231021-sdvz9sgg32/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
Amadey
DcRat
Detected google phishing page
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SectopRAT
SectopRAT payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
Malware Config
C2 Extraction:
77.91.124.55:19071
http://77.91.68.29/fks/
http://77.91.124.1/theme/index.php
85.209.176.128:80
https://pastebin.com/raw/8baCJyMF
185.216.70.238:37515
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files
SH256 hash:
160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
MD5 hash:
22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 hash:
db8326c4fad0064ce3020226e8556e7cce8ce04e
Link:
https://www.unpac.me/results/753628dc-1e50-4f01-93bc-362fa3b103c8/
Parent samples :
24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c
d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200
SH256 hash:
28228daae502c37db1fe6486fce85dedefcccabd26dd43d552bb08724f40075e
MD5 hash:
8967529fa24faf910048228776df8b90
SHA1 hash:
99a7f5dcb4f86e49c80abfe061d2936aee407d3d
Link:
https://www.unpac.me/results/753628dc-1e50-4f01-93bc-362fa3b103c8/
SH256 hash:
78b620e26174f8e327b518a4c536474eec5d396f151b27e14b065d4bc66d305d
MD5 hash:
27e9b5232103d4a25347d0bc62bec348
SHA1 hash:
576771387e4829e3643d2362f19da246c3b3f2b7
Link:
https://www.unpac.me/results/753628dc-1e50-4f01-93bc-362fa3b103c8/
SH256 hash:
6f9db3cda943efd8d764cbae2e185d9267d570c304015b8787f3125d8bbec920
MD5 hash:
abaa37e3765896e5f3137530f3ea0323
SHA1 hash:
46b8335975c33f33f740d733d1918e0927f82b38
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/753628dc-1e50-4f01-93bc-362fa3b103c8/
Parent samples :
3b75fef36f2d68ceed33969816c1c90b4094db8c1a2bc98d848857f904da21e2
1dea9c6b0fc19dfd27ab6bf075d698ecd49d2dc7ef0c816e486129ab98dc7028
129fc7deea5ab9985c016ed6882e2c5c1f4ef971580862b68fafb0cfe387ee47
SH256 hash:
129fc7deea5ab9985c016ed6882e2c5c1f4ef971580862b68fafb0cfe387ee47
MD5 hash:
0711e23d2902f70311f03cc4a658362a
SHA1 hash:
801d9c530001ccbb756b09976d2e53ee103deb5a
Link:
https://www.unpac.me/results/753628dc-1e50-4f01-93bc-362fa3b103c8/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/129fc7deea5a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/129fc7deea5ab9985c016ed6882e2c5c1f4ef971580862b68fafb0cfe387ee47

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments