MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24d4daedba9b8060bf0d09b4383849b69e8d1741c3ffaad8156ab8cfa56f8625. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeamBot


Vendor detections: 15


Intelligence 15 IOCs 5 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24d4daedba9b8060bf0d09b4383849b69e8d1741c3ffaad8156ab8cfa56f8625
SHA3-384 hash: a35397dd2cbb0f651a8db99784e96b0f9e532db657d49d37a491bee623de8054d8490a8e6654e5c6b5f399582c5b88de
SHA1 hash: 69680a99121d56023816bd8cb7218d0a320b8745
MD5 hash: 8ac2aa386d2ab6edb792785243dbde6b
humanhash: apart-virginia-asparagus-idaho
File name:24D4DAEDBA9B8060BF0D09B4383849B69E8D1741C3FFA.exe
Download: download sample
Signature TeamBot
Create hunting rule
File size:7'407'662 bytes
First seen:2022-05-20 18:03:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 196608:J7jguSTvT9QduE6y75YFUlTzsP14uOX9s5gSmSec:JR0v5QduS0otGm9c
Threatray 1'739 similar samples on MalwareBazaar
TLSH T16E7633B8B241C871E5AA503F51939379ABFCCE007E69DA0D9250E77AB25313D341FA72
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe TeamBot


Avatar
abuse_ch
TeamBot C2:
91.211.251.186:41933

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.211.251.186:41933 https://threatfox.abuse.ch/ioc/616164/
65.21.192.182:47562 https://threatfox.abuse.ch/ioc/616166/
194.36.177.138:81 https://threatfox.abuse.ch/ioc/616167/
193.124.22.2:4633 https://threatfox.abuse.ch/ioc/616168/
193.124.22.34:19489 https://threatfox.abuse.ch/ioc/616169/

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
24D4DAEDBA9B8060BF0D09B4383849B69E8D1741C3FFA.exe
Verdict:
No threats detected
Analysis date:
2022-05-20 18:29:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7b27c620-4ab7-45f6-bcfb-cd5d3b962075

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273139/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19285/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6287d82aefe9af159cbadfc9/reports/3f7c8d04-1153-4d6f-9307-2066eb0de690/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/697166e2-6db4-41a6-957e-a9fe6487067d
Result
Threat name:
Nymaim, RedLine, SmokeLoader, Socelars,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/998812
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 631309 Sample: 24D4DAEDBA9B8060BF0D09B4383... Startdate: 20/05/2022 Architecture: WINDOWS Score: 100 97 www.hhiuew33.com 2->97 99 witra.ru 2->99 101 7 other IPs or domains 2->101 115 Snort IDS alert for network traffic 2->115 117 Malicious sample detected (through community Yara rule) 2->117 119 Antivirus detection for URL or domain 2->119 121 20 other signatures 2->121 12 24D4DAEDBA9B8060BF0D09B4383849B69E8D1741C3FFA.exe 10 2->12         started        15 WmiPrvSE.exe 2->15         started        signatures3 process4 file5 81 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->81 dropped 17 setup_installer.exe 26 12->17         started        process6 file7 65 C:\Users\user\AppData\...\setup_install.exe, PE32 17->65 dropped 67 C:\Users\user\AppData\...\Thu12e3bda7b3b.exe, PE32 17->67 dropped 69 C:\Users\user\...\Thu12dfaef06b23a8c8.exe, PE32 17->69 dropped 71 18 other files (13 malicious) 17->71 dropped 20 setup_install.exe 1 17->20         started        process8 dnsIp9 103 127.0.0.1 unknown unknown 20->103 105 hornygl.xyz 20->105 149 Performs DNS queries to domains with low reputation 20->149 151 Adds a directory exclusion to Windows Defender 20->151 153 Disables Windows Defender (via service or powershell) 20->153 24 cmd.exe 20->24         started        26 cmd.exe 20->26         started        28 cmd.exe 20->28         started        30 15 other processes 20->30 signatures10 process11 signatures12 33 Thu12a415e61b3e719c.exe 24->33         started        38 Thu1257009f8d487.exe 26->38         started        40 Thu1252478656668c7.exe 28->40         started        155 Adds a directory exclusion to Windows Defender 30->155 157 Disables Windows Defender (via service or powershell) 30->157 42 Thu12a24946b3a3734.exe 30->42         started        44 Thu127eb49ed9c20.exe 30->44         started        46 Thu12d451e8b45d0b.exe 30->46         started        48 11 other processes 30->48 process13 dnsIp14 83 ip-api.com 208.95.112.1, 49773, 80 TUT-ASUS United States 33->83 85 www.hhiuew33.com 45.136.151.102, 49796, 49814, 49826 ENZUINC-US Latvia 33->85 73 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 33->73 dropped 123 Antivirus detection for dropped file 33->123 125 May check the online IP address of the machine 33->125 127 Machine Learning detection for dropped file 33->127 50 11111.exe 33->50         started        89 2 other IPs or domains 38->89 129 Multi AV Scanner detection for dropped file 38->129 131 Detected unpacking (overwrites its own PE header) 38->131 91 2 other IPs or domains 40->91 133 Detected unpacking (changes PE section rights) 40->133 135 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 42->135 137 Maps a DLL or memory area into another process 42->137 139 Checks if the current machine is a virtual machine (disk enumeration) 42->139 53 explorer.exe 42->53 injected 141 Sample uses process hollowing technique 44->141 143 Injects a PE file into a foreign processes 44->143 93 2 other IPs or domains 46->93 87 212.193.30.45, 49763, 49767, 80 SPD-NETTR Russian Federation 48->87 95 2 other IPs or domains 48->95 75 C:\Users\user\...\Thu123a745334fdbd.tmp, PE32 48->75 dropped 145 Obfuscated command line found 48->145 147 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 48->147 55 Thu12dfaef06b23a8c8.exe 48->55         started        58 Thu123a745334fdbd.tmp 48->58         started        61 WerFault.exe 48->61         started        file15 signatures16 process17 dnsIp18 109 Multi AV Scanner detection for dropped file 50->109 111 Machine Learning detection for dropped file 50->111 113 Tries to harvest and steal browser information (history, passwords, etc) 50->113 107 ad-postback.biz 55->107 63 WerFault.exe 55->63         started        77 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 58->77 dropped 79 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 58->79 dropped file19 signatures20 process21
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/24d4daedba9b8060bf0d09b4383849b69e8d1741c3ffaad8156ab8cfa56f8625/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2021-12-24 00:38:22 UTC
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=etknv3n2toagbpynbg2dqocjw2pi2f2byp72vwavnk4m7jlpqysq._file
Verdict:
malicious
Similar samples:
1d7c3a08d1e69e704039850f64a88363fc6c9f3721907aa3c0d8165ae20de3a1
TeamBot
38066ee9fea009a8a6c2575e1a05fadd49a2cfe205dd8a6604eea85f5c7a42bd
TeamBot
bcfa6e6fb8a5b32e164fd8a7b49d448e65482fae38fe17e48cc35cb6427a360e
TeamBot
ca5309eca6c4688b50a8dd11520273ad243177d016b7b35282cc73a17ca768ed
TeamBot
cc2d611eb3f0e462f0c136b1664348fc05669fbac46ebb4b28c900c4dff94318
TeamBot
e4fb57012d7a31e6511c4bac952323093e8bb51f138841f994f58259162dfd6e
TeamBot
fe528bf935539942838fb5349548427eacab028c2ae3947c30e3f93e84ae02d0
TeamBot
+ 1'729 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:onlylogger family:redline family:socelars botnet:media24pns botnet:userv1 aspackv2 evasion infostealer loader spyware stealer suricata trojan
Link:
https://tria.ge/reports/220520-wnk5labdg3/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
NirSoft WebBrowserPassView
Nirsoft
OnlyLogger Payload
Modifies Windows Defender Real-time Protection settings
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
Malware Config
C2 Extraction:
http://www.biohazardgraphics.com/
65.108.69.168:13293
159.69.246.184:13127
Unpacked files
SH256 hash:
012c3d22b5374c4f595fcf1986bf2a67697f322f36e8bb6456809334f98f5781
MD5 hash:
8bacb64db8fb73308faefd14b863fd43
SHA1 hash:
c5bf54f8b9cc198d6d380f3ee7a74df2feadf32a
Link:
https://www.unpac.me/results/d11c61eb-0964-4936-a6c2-1e990de250dd/
SH256 hash:
9dac78cf97a753e813b02cb654f076cdea03155bc9a98ed64ec248729ead52ec
MD5 hash:
29fa5c5ade39d4ae5a0f564949278923
SHA1 hash:
376051004220051779d97fcb44065a8724de370b
Link:
https://www.unpac.me/results/d11c61eb-0964-4936-a6c2-1e990de250dd/
SH256 hash:
4f7016fb630595204b4cb47d03f4cdf9a75597d2586fa9bbd244a0407a567748
MD5 hash:
ec94b9dbbb8502ae096f9d7e1f33901c
SHA1 hash:
d5f73eaaa6df419e83bb2c58f30d28ba2e348b72
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/d11c61eb-0964-4936-a6c2-1e990de250dd/
Parent samples :
e4fb57012d7a31e6511c4bac952323093e8bb51f138841f994f58259162dfd6e
24d4daedba9b8060bf0d09b4383849b69e8d1741c3ffaad8156ab8cfa56f8625
d6ec737d10afdaf38cafede9fde045dd3ce7bc72c6ee13df33e018f0e7149893
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/d11c61eb-0964-4936-a6c2-1e990de250dd/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/d11c61eb-0964-4936-a6c2-1e990de250dd/
SH256 hash:
cf1ed8957d4825743d39f19529138de7131ca8f506440ddc1774f4640dffc599
MD5 hash:
ded1c6e8c89148495fc19734e47b664d
SHA1 hash:
3a444aeacd154f8d66bca8a98615765c25eb3d41
Link:
https://www.unpac.me/results/d11c61eb-0964-4936-a6c2-1e990de250dd/
Parent samples :
3f947f5a849f11be9079a5c2418240e2faf7e53b63662c85b92fad8f47ea4d09
6a42f7e5290bf7e40e1aa0c0e9ceda098a612d6dda9b7fa613e0c3a58b16b826
d6ec737d10afdaf38cafede9fde045dd3ce7bc72c6ee13df33e018f0e7149893
SH256 hash:
a5cb08b5c9d66e3751795d06b6a15ccfe0f5c30519cd151ca46ba550696714d8
MD5 hash:
457ebf3cd64e9e5ee17e15b9ee7d3d52
SHA1 hash:
bd9ff2e210432a80635d8e777c40d39a150dbfa1
Link:
https://www.unpac.me/results/d11c61eb-0964-4936-a6c2-1e990de250dd/
SH256 hash:
ebfbf072b43bf867ce6d28061eb03e497d9b3b2178fb6f487943dcfd6cde532d
MD5 hash:
d0bdd9f765a3bc338ccc23768ec05994
SHA1 hash:
fd75c806f8189349b200b90a03e69f23e9d4dccf
Link:
https://www.unpac.me/results/d11c61eb-0964-4936-a6c2-1e990de250dd/
SH256 hash:
7c3a152b9e7a46ecfde36b7aac04e1d973fbb57f1812e6d2ae7bc8a1f49990a3
MD5 hash:
6b331ddca53dd1431419dde7ea8d79e3
SHA1 hash:
0b6983d8d4d32c9972b2904b28c7280d65464b41
Link:
https://www.unpac.me/results/d11c61eb-0964-4936-a6c2-1e990de250dd/
SH256 hash:
6ef7f601f03e4c0903ac573efa3b9be8940592bb5dfa26a015da66481aa45440
MD5 hash:
230f329ef336ac3114ce627bb0ac6d71
SHA1 hash:
795ae73f602deb1691434a49edb14878685ea67e
Link:
https://www.unpac.me/results/d11c61eb-0964-4936-a6c2-1e990de250dd/
SH256 hash:
24d4daedba9b8060bf0d09b4383849b69e8d1741c3ffaad8156ab8cfa56f8625
MD5 hash:
8ac2aa386d2ab6edb792785243dbde6b
SHA1 hash:
69680a99121d56023816bd8cb7218d0a320b8745
Link:
https://www.unpac.me/results/d11c61eb-0964-4936-a6c2-1e990de250dd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24d4daedba9b8060bf0d09b4383849b69e8d1741c3ffaad8156ab8cfa56f8625

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273139/

Comments