MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a8307e808f656034bd30568bb99ba44dba2facbccbb43e30b2196e3697f390a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeamBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a8307e808f656034bd30568bb99ba44dba2facbccbb43e30b2196e3697f390a
SHA3-384 hash: 77e3d1192b87da581b5e8dc3a0c8690c48232af1ec54add17ca8592db043eb07cc099f70cf1d2815d853cf878e4c0cc1
SHA1 hash: ab291c8d2ee89c3da4636bbc0642bbc831231879
MD5 hash: cf00a1a01086b52cb5c55227c981a6f1
humanhash: victor-cold-november-lion
File name:cf00a1a01086b52cb5c55227c981a6f1.exe
Download: download sample
Signature TeamBot
Create hunting rule
File size:878'080 bytes
First seen:2021-05-25 14:14:40 UTC
Last seen:2021-05-25 15:03:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 48ee726fc0825925a6e904e1bbf746c2 (3 x RedLineStealer, 1 x TeamBot, 1 x RaccoonStealer)
ssdeep 12288:aP9+D4SQSCPwPuJHJCh3SFdMYIZbByqJclKdeDppHZTePQQUGgy+useY:M+4IWHghiFCJJc1DHgPBgp
Threatray 125 similar samples on MalwareBazaar
TLSH B915F1337691C037E0F606B405B99278653A7DBAAB3450CF52C52BEE8A35AD4ED30787
Reporter abuse_ch
Tags:exe TeamBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cf00a1a01086b52cb5c55227c981a6f1.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-25 23:59:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f6b0d618-4b4f-47c3-8e66-54e727d72c39

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/161990/
Detection(s):
Win.Ransomware.Gandcrypt-9864650-0
Create hunting rule

Win.Malware.Generic-9864651-0
Create hunting rule

Win.Ransomware.Gandcrypt-9864652-0
Create hunting rule

Win.Dropper.Gandcrypt-9864689-0
Create hunting rule

Win.Dropper.Gandcrypt-9864806-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/791722
Signature
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 424134 Sample: Z17dP4pSdq.exe Startdate: 25/05/2021 Architecture: WINDOWS Score: 100 49 api.2ip.ua 2->49 59 Multi AV Scanner detection for submitted file 2->59 61 Found ransom note / readme 2->61 63 Yara detected Djvu Ransomware 2->63 65 Machine Learning detection for sample 2->65 9 Z17dP4pSdq.exe 2->9         started        12 Z17dP4pSdq.exe 2->12         started        14 Z17dP4pSdq.exe 2->14         started        16 Z17dP4pSdq.exe 2->16         started        signatures3 process4 signatures5 69 Detected unpacking (changes PE section rights) 9->69 71 Detected unpacking (overwrites its own PE header) 9->71 73 Contains functionality to inject code into remote processes 9->73 18 Z17dP4pSdq.exe 1 16 9->18         started        75 Injects a PE file into a foreign processes 12->75 22 Z17dP4pSdq.exe 1 19 12->22         started        77 Multi AV Scanner detection for dropped file 14->77 79 Machine Learning detection for dropped file 14->79 25 Z17dP4pSdq.exe 12 14->25         started        27 Z17dP4pSdq.exe 12 16->27         started        process6 dnsIp7 51 api.2ip.ua 77.123.139.190, 443, 49718, 49722 VOLIA-ASUA Ukraine 18->51 37 C:\Users\user\AppData\...\Z17dP4pSdq.exe, PE32 18->37 dropped 39 C:\Users\...\Z17dP4pSdq.exe:Zone.Identifier, ASCII 18->39 dropped 29 Z17dP4pSdq.exe 18->29         started        32 icacls.exe 18->32         started        53 asvb.top 35.235.74.220, 49729, 80 GOOGLEUS United States 22->53 41 C:\_readme.txt, ASCII 22->41 dropped 43 C:\Users\user\Desktop\...\BNAGMGSPLO.png, data 22->43 dropped 45 C:\Users\user\Desktop\Z17dP4pSdq.exe, data 22->45 dropped 47 3 other files (2 malicious) 22->47 dropped 67 Modifies existing user documents (likely ransomware behavior) 22->67 55 192.168.2.1 unknown unknown 27->55 file8 signatures9 process10 signatures11 81 Injects a PE file into a foreign processes 29->81 34 Z17dP4pSdq.exe 12 29->34         started        process12 dnsIp13 57 api.2ip.ua 34->57
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a8307e808f656034bd30568bb99ba44dba2facbccbb43e30b2196e3697f390a/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-05-25 14:15:10 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
29 of 47 (61.70%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fkbqp2ai6zlags6tavulxgn2itn2f6wlzs5uhyyleglog2l7hefa._file
Verdict:
malicious
Similar samples:
0e55e17532909ad5ad34eb4e35d791b27c6951dd15a8baba34c29ae572c884d0
TeamBot
20ebe8ff1da6f2023a43b3e3cbe14479961699f9dec0324f72070fa2b275eaae
TeamBot
32b0fbaf95fefcc9b89243be8721625592fc9ed92d76a48cab263898fd3d5c08
TeamBot
496b5885ff8f521c91ca037338e188ea0374bf86816d0c804d3010fd2f5fec38
TeamBot
869bd0ca39150a6e0f87609ca7e927211ba9cf636b69c33c3cd09db85922dd94
TeamBot
b48348bce63f1ad4550e28f99b61f3166e30eec746299c4258632a5fae95df7d
TeamBot
c5e7c2f3efd209636294e9ae666d8784f63025aae3a3ba437e4d0c975dc9366c
TeamBot
e81e9dfe89a98449992b1ca9e4acb9905b606dc3de186b9de94241bde3b230be
TeamBot
e8bcd430d48c430ced6992340cbce21ffc1a4d8cc60e6255b76870d33a5ea6b9
TeamBot
ed8a7ffec56f450a365e758012db092883bbd23565f3f9fbb004c189fb703de3
TeamBot
+ 115 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:1d76a465540f6a904ac9f1310fe3a3824b5b4549 discovery evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210525-jkc4tzcass/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Modifies extensions of user files
Deletes Windows Defender Definitions
Raccoon
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a8307e808f656034bd30568bb99ba44dba2facbccbb43e30b2196e3697f390a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TeamBot

Executable exe 2a8307e808f656034bd30568bb99ba44dba2facbccbb43e30b2196e3697f390a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/161990/
  
URLhaus
https://urlhaus.abuse.ch/url/1256494/
  
Delivery method
Distributed via web download

Comments