MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45dfef1ead7a4d8741edf4314147d94afd538b963d8a950d1dd9cb5d14c8c952. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TeamBot

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	45dfef1ead7a4d8741edf4314147d94afd538b963d8a950d1dd9cb5d14c8c952
SHA3-384 hash:	2f3d29f5b9914b7b04820e852251f7afede1bfe21d937cb11a1edd6da21a213db28c194f045f4cb79b99b5cd2b6f87bf
SHA1 hash:	338d370a060a089bec6f0e33a7460afb7e66fa34
MD5 hash:	36571267c8e50b0c1c7f1975079f2c7a
humanhash:	lamp-yankee-nineteen-beryllium
File name:	data64_6.bin
Download:	download sample
Signature	TeamBot Create hunting rule
File size:	1'795'252 bytes
First seen:	2022-05-23 12:33:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:+DWHSb4Nc0PnYFrSCCd/Dn4CsIu1VeNYRjBnpwG/Kf3+8Sg4aLhlhMBDPhO:t84h+vA/Zu1VBRj3pwSdclhU7Q
Threatray	1'730 similar samples on MalwareBazaar
TLSH	T1C985F14BA6B040B0E5D7CA711A775B21DE327C60AF24985B7392725CD7313D0EF68AE2
TrID	89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.5% (.EXE) Win64 Executable (generic) (10523/12/4) 2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	JAMESWT_WT
Tags:	exe TeamBot teambot2

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

socelars

ID:

File name:

Setup.zip

Verdict:

Malicious activity

Analysis date:

2022-04-10 10:49:48 UTC

Tags:

evasion trojan socelars stealer loader opendir rat redline vidar ransomware stop

Link:

https://app.any.run/tasks/010da107-fe12-4e2d-8e4c-07a2f9c6b8b9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/273668/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% directory

Launching a process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/19670/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay setupapi.dll shdocvw.dll shell32.dll update.exe

Link:

https://www.filescan.io/uploads/628b7f23efe9af159cbbac91/reports/f7c028b2-f3d0-445b-98ec-e180b6c58f11/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ce5fefa6-77a6-45eb-9254-eabf43d7dc5c

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1000113

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/45dfef1ead7a4d8741edf4314147d94afd538b963d8a950d1dd9cb5d14c8c952/

Threat name:

Win32.Trojan.Qshell

Status:

Malicious

First seen:

2022-04-10 07:17:31 UTC

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ixp66hvnpjgyoqpn6qyucr6zjl6vhc4whwfjkdi53hfv2fgizfja._file

Verdict:

malicious

TeamBot

660a687ba975d3b8dc2f69a3f019377eed0684a20638a6dc1c109499c6bd5e48

TeamBot

6aae470221ba1879a26af8172df018f07eafa1f26857a8b33092b7da5582317c

TeamBot

7e4bc5c98691dd99d7c856dc26110113c15d72fb5b8a73db75a9c9b2bee021e2

TeamBot

b0b851f99f1cc076735446c7604066a790017d08654f864851622781847ea92e

TeamBot

cf0f62c6105ceec3db23af296678feed3ea95d14ff032223d5397c7351cfc9e0

TeamBot

d2330df06094349f53773a89ff96e2f009e744b249fb1960e536bbbfaf7b5321

TeamBot

+ 1'720 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220523-prrm8agfgm/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Loads dropped DLL

Unpacked files

SH256 hash:

45dfef1ead7a4d8741edf4314147d94afd538b963d8a950d1dd9cb5d14c8c952

MD5 hash:

36571267c8e50b0c1c7f1975079f2c7a

SHA1 hash:

338d370a060a089bec6f0e33a7460afb7e66fa34

Link:

https://www.unpac.me/results/5b274667-f33e-4258-b441-503b0b3d7e24/

Malware family:

CryptOne

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/45dfef1ead7a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/45dfef1ead7a4d8741edf4314147d94afd538b963d8a950d1dd9cb5d14c8c952

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/273668/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample