MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bc660c1295624da421b31b1eaf463492681a7ecc3873f7209cd711d43654526. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TeamBot


Vendor detections: 15



SHA256 hash: 1bc660c1295624da421b31b1eaf463492681a7ecc3873f7209cd711d43654526
SHA3-384 hash: 80c9e599273981c5fb067e3735cc1c6bfa498df007236206771725f359a49a6a3d947ee49825a7f8fef9c756fa6863d0
SHA1 hash: cd6e3a3e1e080b67d2b5065a7fb71b1f060f741b
MD5 hash: e28178f30f6f97d6a51fe35f2a691494
humanhash: yellow-victor-uncle-victor
File name: file
Signature: TeamBot
File size: 839'680 bytes
First seen: 2022-09-17 06:21:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 04e7b82a32dc5589b43748f7508a8f78 (5 x Smoke Loader, 3 x GCleaner, 2 x Stop)
ssdeep: 24576:cITPaB75Rd9zExtiGdKNnr+yHmzuRDcO2tYbVU7TXyiy:cKaFHO8ayHmqSFtwi/X
Threatray: 1'901 similar samples on MalwareBazaar
TLSH: T1BD050221BA95C4B1D5319CB058148FA427BFFC2216745A4FA7907F2E2EB329069763CF
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 38b078cccacccc53 (62 x Smoke Loader, 25 x Stop, 21 x RedLineStealer)
Reporter: andretavare5
Tags: exe TeamBot


andretavare5
Sample downloaded from http://rgyui.top/dl/build.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 315
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-09-17 06:24:04 UTC
Tags: trojan ransomware stop loader stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file
Launching a process
Creating a process with a hidden window
Creating a file in the system32 subdirectories
Adding an access-denied ACE
Creating synchronization primitives
Sending an HTTP GET request
Deleting a recently created file
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: STOP Ransomware
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: rans.troj.evad
Score: 80 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Yara detected Djvu Ransomware
Behaviour
Behavior Graph: [graph image not reproducible in text; Behavior Graph ID: 704656, Sample: file.exe, Startdate: 17/09/2022, Architecture: WINDOWS, Score: 80]
Threat name: Win32.Trojan.MintZard
Status: Malicious
First seen: 2022-09-17 06:22:07 UTC
File Type: PE (Exe)
Extracted files: 70
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:djvu discovery persistence ransomware spyware stealer
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction: http://acacaca.org/test3/get.php
Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 0aba73a2a06e2c6bdab81394881b76ac0e0c96a381db370307ec353fda9c54a3
MD5 hash: 288b26f0920921562f223418a01f250f
SHA1 hash: 3ca9a69806f607e87bd3612dae9513556e72a18d
Detections: win_stop_auto
Parent samples:
SHA256 hash: 1bc660c1295624da421b31b1eaf463492681a7ecc3873f7209cd711d43654526
MD5 hash: e28178f30f6f97d6a51fe35f2a691494
SHA1 hash: cd6e3a3e1e080b67d2b5065a7fb71b1f060f741b
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar, as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_STOP
Author: ditekSHen
Description: Detects STOP ransomware

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: RansomwareTest4
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: RansomwareTest5
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: RansomwareTest6
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: win_stop_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.stop.

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
