MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 248ee491268455c00f934e8867fbef87e4b756c8a0004a9e580d575c5793f6b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TeamBot

Vendor detections: 12



SHA256 hash: 248ee491268455c00f934e8867fbef87e4b756c8a0004a9e580d575c5793f6b3
SHA3-384 hash: 9993ba05320fc4b6fecaf8d9d484d45501e5b1dabf11aa9577f0477d56fa321c3468b7c5286e50c7e8de0c99ec1893bd
SHA1 hash: a8ffe117a63f85e37309d52060efcba8fb53d713
MD5 hash: 93799e22d1a86e30be05fbe0b39ede40
humanhash: uranus-pennsylvania-river-three
File name: 93799e22d1a86e30be05fbe0b39ede40.exe
Signature: TeamBot
File size: 716'800 bytes
First seen: 2022-08-03 08:05:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 16efb6b0368de80f5b2f8ee7ed5ecc80 (2 x Stop, 1 x Smoke Loader, 1 x TeamBot)
ssdeep: 12288:amFitxTRuYFJ6I/a8Z18XTOvyNVPPvMNGFIaLpaiNcGSDz0Frd5jx7js:amyK0GC6TOvwVPdFjLptN+z0H59s
Threatray: 1'399 similar samples on MalwareBazaar
TLSH: T122E41211B6E2C433E5BB217D48B4F6A54A7FF4231A72DACB33A412691E756C16E3430B
TrID: 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      7.7% (.EXE) OS/2 Executable (generic) (2029/13)
      7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE): (icon image not included)
dhash icon: 38b078cccacccc53 (62 x Smoke Loader, 25 x Stop, 21 x RedLineStealer)
Reporter: abuse_ch
Tags: exe TeamBot


abuse_ch
TeamBot C2:
http://116.202.183.213/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://116.202.183.213/
ThreatFox reference: https://threatfox.abuse.ch/ioc/841218/

Intelligence

File Origin
# of uploads: 1
# of downloads: 339
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 93799e22d1a86e30be05fbe0b39ede40.exe
Verdict: Malicious activity
Analysis date: 2022-08-03 08:16:12 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Creating synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: STOP Ransomware
Verdict: Malicious

Result
Threat name:
Detection: malicious
Classification: rans.troj.evad
Score: 92 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Djvu Ransomware
Behaviour
Behavior Graph: (graph image not included)

Threat name: Win32.Trojan.Raccrypt
Status: Malicious
First seen: 2022-08-03 08:00:48 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 22 of 25 (88.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:djvu discovery persistence ransomware spyware stealer
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction: http://acacaca.org/fhsgtsspen6/get.php
Unpacked files
SHA256 hash: 2d993966223f9e5e54104da1a4432796cb404ec5aa0c80c6f59053a19432909c
MD5 hash: e039ac840b5dcebc6d241eb5d6fcbf92
SHA1 hash: d9ca97d692b6df8063dad7b952a0e031fe3899e8
Detections: win_stop_auto
Parent samples:
(list of parent-sample SHA256 hashes omitted)
SHA256 hash: 248ee491268455c00f934e8867fbef87e4b756c8a0004a9e580d575c5793f6b3
MD5 hash: 93799e22d1a86e30be05fbe0b39ede40
SHA1 hash: a8ffe117a63f85e37309d52060efcba8fb53d713
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_STOP
Author: ditekSHen
Description: Detects STOP ransomware

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: win_stop_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.stop.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
TeamBot
Executable exe 248ee491268455c00f934e8867fbef87e4b756c8a0004a9e580d575c5793f6b3 (this sample)
Delivery method: Distributed via web download

Comments