MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43bde3d98d64146df981b68d0cbbdc5aa012e24988230f8d32eee3dc0f7ad249. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TeamBot

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	43bde3d98d64146df981b68d0cbbdc5aa012e24988230f8d32eee3dc0f7ad249
SHA3-384 hash:	12641cf86df47c7844ba20c41722682afe5347275698fa28134b26ced6be8e213171532e77ea1adc3e692e8a1d771b2c
SHA1 hash:	4182d725695c5ced68f1a2644cbb34c48e2bb5e6
MD5 hash:	eb609796a7c36bae9dfed03f1369edd3
humanhash:	glucose-king-december-august
File name:	eb609796a7c36bae9dfed03f1369edd3.exe
Download:	download sample
Signature	TeamBot Create hunting rule
File size:	791'040 bytes
First seen:	2021-08-08 15:20:25 UTC
Last seen:	2021-08-08 16:01:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3d213b98c14cd3c3750955e4d1b081cd (3 x DanaBot, 1 x TeamBot, 1 x Stop)
ssdeep	12288:Ks92pX7gHhrgad0iHS3BNvpWHDcvQUeR7vvg3v04eMP4yN9C5M:Ks92pX7gHhrB0iHSTuYoUCjVe9H
Threatray	432 similar samples on MalwareBazaar
TLSH	T1C5F4123076A0FC73E8574831359ED3A8FB69AD519F1142432B692F7E2EB73806B58319
dhash icon	1036787c72767636 (2 x RaccoonStealer, 1 x Socelars, 1 x TeamBot)
Reporter	abuse_ch
Tags:	exe TeamBot

Intelligence

File Origin

# of uploads :

# of downloads :

179

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

eb609796a7c36bae9dfed03f1369edd3.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-08 15:21:48 UTC

Tags:

installer

Link:

https://app.any.run/tasks/a90ca8fc-b9af-4a59-ac57-a822de7417ef

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

STOP

Link:

https://www.capesandbox.com/analysis/177250/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.8118.28746.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

DNS request

Connection attempt

Sending a custom TCP request

Creating a file

Launching a process

Creating a process with a hidden window

Adding an access-denied ACE

Deleting a recently created file

Sending an HTTP GET request

Connection attempt to an infection source

Sending a UDP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Enabling autorun by creating a file

Sending an HTTP GET request to an infection source

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e2d4f30f-507d-461b-abf9-61b7381f0746

Result

Threat name:

Djvu

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/828817

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Djvu Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/43bde3d98d64146df981b68d0cbbdc5aa012e24988230f8d32eee3dc0f7ad249/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-08-08 15:21:03 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=io66hwmnmqkg36mbw2gqzo64lkqbfysjrarq7djs53r5yd322jeq._file

Verdict:

malicious

TeamBot

44f6676314c6c50f2807f34a33335abd58ca254f95c213496205825257f7b4d6

TeamBot

456079ac17674de342836dee558093a80c9b6fb869b5a7562a615db1bbe1b42d

TeamBot

63c696185eacdb5998d82e02e8cc0afd09db991ece9f72f5e99007e2aa36f4c3

TeamBot

a4520e17b63c5503219d9c36435b26054ac63e4539883c5244b3129535d82879

TeamBot

dc9fcb210bb6436bee5b9cac39a3a5f9dd06a2e5ebf4062cf0b0e66d14d5236f

TeamBot

+ 422 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:517 discovery persistence spyware stealer suricata

Link:

https://tria.ge/reports/210808-ytz16jt2s2/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Vidar Stealer

Vidar

suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

Malware Config

C2 Extraction:

https://prophefliloc.tumblr.com/

Unpacked files

SH256 hash:

d459f6df74ee30219819b78ba2a514221820baf1897fb6c299587d71f2abd974

MD5 hash:

daa79e7e403deffea26d3537500f1f95

SHA1 hash:

cf33f01bf3b1f053f38f223994c7805002d9ac68

Detections:

win_stop_auto

Link:

https://www.unpac.me/results/9e6bef05-2609-4180-9e43-51ac874a735c/

Parent samples :

456079ac17674de342836dee558093a80c9b6fb869b5a7562a615db1bbe1b42d
5651c726a433d942eb9cdbe74c6631178fa3e243e0953e0a55f54f1752e05682
a4520e17b63c5503219d9c36435b26054ac63e4539883c5244b3129535d82879
adc2c80f4a9f969a641f2674c94bd576420b34d338b12ba5b4cab09e6c51a466
0c1571e0f22ecc1c3ed2b80ee90df329d820e287ac0be834aa905726ea96887e
5d232ce70bfdc3344ad9c117da898e5d72ea5a5ff0704933735abb186714c9f4
be8b6e6da114bdcb1a060a06ace28d03550173a4a719b4704510e65ee6e47f02
dc9fcb210bb6436bee5b9cac39a3a5f9dd06a2e5ebf4062cf0b0e66d14d5236f
9735f688e3338582266589c582a22bdac2a0accbc423225ffb5d792801d0d1a5
44f6676314c6c50f2807f34a33335abd58ca254f95c213496205825257f7b4d6
dc6f024b81983ce22d883ccc346b3888d984e360196b3e472c1cce3f79b70fa0
9b87dcaaf50d205d4eb5217c857e52d0afa4790716a793f5f6e563a955f632b1
d9e93860c1b468911168c4c30564817dc0b788cceab0e073d0be8850c95590d4
1c8f1643dd2d7c1c8224caa017aeb9f4447370e3849862d25b19844def08f384
bd9cde1e9bb1cff550575161a3d967753a8b7667fb4824fae2d1c2274f552f47
63c696185eacdb5998d82e02e8cc0afd09db991ece9f72f5e99007e2aa36f4c3
43bde3d98d64146df981b68d0cbbdc5aa012e24988230f8d32eee3dc0f7ad249
9d45043266ad627224c951cb91f37261bc7bd393aa8ce87a39e8b42f3a543dbf

SH256 hash:

43bde3d98d64146df981b68d0cbbdc5aa012e24988230f8d32eee3dc0f7ad249

MD5 hash:

eb609796a7c36bae9dfed03f1369edd3

SHA1 hash:

4182d725695c5ced68f1a2644cbb34c48e2bb5e6

Link:

https://www.unpac.me/results/9e6bef05-2609-4180-9e43-51ac874a735c/

Malware family:

STOP

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/43bde3d98d64/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/43bde3d98d64146df981b68d0cbbdc5aa012e24988230f8d32eee3dc0f7ad249

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TeamBot

exe 43bde3d98d64146df981b68d0cbbdc5aa012e24988230f8d32eee3dc0f7ad249

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1463721/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/177250/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample