MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48429a97039eef7473041955fdd403f4d6ae72332cc7f9ede56986167920cd65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Backdoor.TeamViewer


Vendor detections: 10

SHA256 hash: 48429a97039eef7473041955fdd403f4d6ae72332cc7f9ede56986167920cd65
SHA3-384 hash: 25c4989137c2ba0e93cd543c0854c14ace96dd9c25a4de0a5c547ba21508a3f1424c0c2eb4a883eae3de6f7a6b557095
SHA1 hash: fc11ed49290469aff8dd5317aa4afe7c14508745
MD5 hash: ed9e90b0007f394b441343db587c9930
humanhash: alabama-uncle-single-victor
File name: file
Signature: Backdoor.TeamViewer
File size: 1'254'133 bytes
First seen: 2023-09-06 02:33:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 80417b621299e3e1de617305557a3c68 (48 x GCleaner, 44 x Backdoor.TeamViewer, 31 x Socks5Systemz)
ssdeep: 24576:KI39dp80npMs7Vf09t2AM3GGJRAGmK38wEdnAIXDMBSyFV/uN4vxt:K6dp80nS+wED2GJRAlK38wEKIXDmuCt
Threatray: 834 similar samples on MalwareBazaar
TLSH: T140452367C91A90B7F171D5B12DBBE880897F790A853920F8B9C8DECC8E627E06750713
TrID: 50.8% (.EXE) Win32 Executable PowerBASIC/Win 9.x (148303/79/28)
      37.6% (.EXE) Inno Setup installer (109740/4/30)
      4.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: andretavare5
Tags: Backdoor.TeamViewer exe


andretavare5
Sample downloaded from http://myfilebest.com/order/set17.exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 292
Origin country: US

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-09-06 02:35:11 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching the process to interact with network services
Sending a custom TCP request
Modifying a system file
Creating a file
Creating a service
Launching a process
Enabling autorun for a service
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control greyware installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Behaviour
Behavior Graph (ID 1303990, sample file.exe, start date 06/09/2023, architecture WINDOWS, score 100), reconstructed from the graph's node text:
Start node signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 8 other signatures. DNS lookup: tse1.mm.bing.net
  file.exe (started from the start node) dropped C:\Users\user\AppData\Local\...\is-E6J86.tmp (PE32) and started it
  svchost.exe started twice from the start node
    is-E6J86.tmp dropped C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32), C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32) and 6 other files (5 malicious); started previewer.exe (two instances) and net.exe
      previewer.exe (first instance) network contacts: aispnyd.ru 185.141.63.172, ports 49764, 80 (BELCLOUDBG, Bulgaria); 37.187.142.187, ports 1074, 49765 (OVHFR, France); datasheet.fun 172.67.166.109, ports 49761, 80 (CLOUDFLARENETUS, United States)
      previewer.exe (second instance) dropped C:\ProgramData\...\ContentDWSvc.exe (PE32)
      net.exe started conhost.exe and net1.exe
Threat name: Win32.Trojan.Synder
Status: Malicious
First seen: 2023-09-06 02:34:06 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 10 of 24 (41.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery
Behaviour
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments