MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61299f208e35ed6fa26b16639ff495d378f64f9486a70c29eae80592d930e791. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TeamBot


Vendor detections: 11



SHA256 hash: 61299f208e35ed6fa26b16639ff495d378f64f9486a70c29eae80592d930e791
SHA3-384 hash: cbc1e0846ecc8b2bf1196e45276534f87addc636378dafbc7a14b21596ad44e7b7c711d106fb09552fd1d03e169ed6ff
SHA1 hash: 8fc75411fae94208b303c30faf3f4ba7385f8e22
MD5 hash: ab0bd8932a92421272b5911e2ebf488b
humanhash: solar-monkey-fruit-artist
File name: ab0bd8932a92421272b5911e2ebf488b.exe
Signature: TeamBot
File size: 10'129'611 bytes
First seen: 2021-11-19 18:11:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:JVFI28sPdy549mzraGOcSya8U4XTPtc0jnhti4qW5mYx1WRWDR58M0NeJwc:JbI2kFaSSy3U4jtDVti4qWhsWDMM0QL
Threatray: 709 similar samples on MalwareBazaar
TLSH: T103A633664FA60783F217C8720BB7E901AFA5DF538CE6CD230DD0F615A91B6A09D50B1B
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe TeamBot


abuse_ch
TeamBot C2:
77.232.40.51:20166

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
77.232.40.51:20166    https://threatfox.abuse.ch/ioc/251021/

Intelligence


File Origin
# of uploads: 1
# of downloads: 174
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ab0bd8932a92421272b5911e2ebf488b.exe
Verdict: No threats detected
Analysis date: 2021-11-19 18:18:08 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys mokes overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Generic malware RedLine Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected Socelars
Yara Genericmalware
Behaviour
Behavior Graph (ID: 525324; Sample: 6ZYg7h0ynL.exe; Startdate: 19/11/2021; Architecture: WINDOWS; Score: 100)
Top-level network contacts: 20.189.173.22 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 172.67.204.112 (CLOUDFLARENETUS, United States)
Top-level signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 17 other signatures
Process tree:
6ZYg7h0ynL.exe (started)
  dropped: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  setup_installer.exe (started)
    dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Mon13d453d994180b.exe (PE32); C:\Users\user\AppData\...\Mon13be6b39578.exe (PE32); 16 other files (9 malicious)
    setup_install.exe (started)
      signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
      cmd.exe (started) -> Mon13136643d24e51.exe (started)
        network: 103.155.93.165 (TWIDC-AS-APTWIDCLimitedHK, unknown); 212.193.30.29 (SPD-NETTR, Russian Federation); 10 other IPs or domains
        dropped: C:\Users\...\tXtXB3d7eIFf1wVJSRn4mYiv.exe (PE32+); C:\Users\...\JqKhV2YE3XkYMRLWM2rD38VI.exe (PE32); C:\Users\user\AppData\...\Setup12[1].exe (PE32); 31 other files (8 malicious)
        signatures: Antivirus detection for dropped file; Creates HTML files with .exe extension (expired dropper behavior); Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)
      cmd.exe (started) -> Mon13be6b39578.exe (started)
        dropped: C:\Users\user\AppData\Local\...\tkools.exe (PE32)
        signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements
      cmd.exe (started) -> Mon134ab4d3e88a4d3e.exe (started)
        signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration)
      13 other processes
        signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
        Mon135d1cd0566c227c.exe (started)
          network: 2 other IPs or domains
          dropped: C:\Users\user\AppData\Local\...\LzmwAqmV.exe (PE32)
        Mon1348816450.exe (started)
          network: 208.95.112.1 (TUT-ASUS, United States); 192.168.2.1 (unknown)
          signatures: Contains functionality to steal Chrome passwords or cookies
        Mon13470f9aa951f871.exe (started)
          signatures: Injects a PE file into a foreign processes
        7 other processes
          network: 3 other IPs or domains
          dropped: C:\Users\user\...\Mon13073304e5395.tmp (PE32); C:\Users\user\...\Mon13d453d994180b.tmp (PE32)
          signatures: Obfuscated command line found
          mshta.exe (started)
Threat name: Win32.Backdoor.Mokes
Status: Malicious
First seen: 2021-11-16 12:22:37 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:amadey family:redline family:smokeloader family:socelars family:vidar botnet:933 botnet:media151 aspackv2 backdoor infostealer spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Amadey
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
http://www.gianninidesign.com/
http://membro.at/upload/
http://jeevanpunetha.com/upload/
http://misipu.cn/upload/
http://zavodooo.ru/upload/
http://targiko.ru/upload/
http://vues3d.com/upload/
91.121.67.60:51630
185.215.113.45/g4MbvE/index.php
Unpacked files
SHA256 hash: 4feb70ee4d54dd933dfa3a8d0461dc428484489e8a34b905276a799e0bf9220f
MD5 hash: ed5b2c2bf689ca52e9b53f6bc2195c63
SHA1 hash: f61d31d176ba67cfff4f0cab04b4b2d19df91684
SHA256 hash: 18c5c91d5f256c8c1e24936dbee5fd7fa6b7b91a5464cbefdc1a36b6dfed27be
MD5 hash: e49f343a65b938acd1b6d91601240b81
SHA1 hash: dffa8a42250c65ea9b6b05e627805438e01191af
SHA256 hash: 0617625c22a72634d223aa7e503baa61cecd6adf8a846450407f11a3955a65c7
MD5 hash: 1dd71bef171c149ca399d5b36ae2a564
SHA1 hash: 068bb3be3ac193b1bdf3cfc695b2bc0f76f59518
SHA256 hash: 188da30341680680a23d42b909c202a6c0cc2acaec2df51a8c6eef9773f25088
MD5 hash: d1b9b90bbab7ddd72d53bfd54431491f
SHA1 hash: b15550cf6bebcf1f6c9b51bc930b2c4d1e4814a3
SHA256 hash: 0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash: 6449aa2e023c5931ac91815ca54225ed
SHA1 hash: 65b5f4df2c28472469ddf924e6b0d0a61394c612
SHA256 hash: f1c467e091505308b0a1d06214efdb8040b75625205c628b301f684ff4f72683
MD5 hash: cf331e904d5e3484e697503d9dd56aab
SHA1 hash: c36eb706494218d29802047e7217bf9e9aa732fb
SHA256 hash: fd3467342ea89580344fa1096dd44b9a11dee3310298ba19a9225f56279a7ea4
MD5 hash: 9b9baf68a21a33248994efc9f48d644e
SHA1 hash: 06b714302251537dada4038a424b7022ecb3b7f7
SHA256 hash: 7953ad2df6be86c4d4e624eb8516d18dfaa852222099ecb614748131fdb26fbc
MD5 hash: 732b7471dc64ac51aa7f1306219c0aaf
SHA1 hash: fa97748410e0e76123ce885f4013ae41a37f5a8e
SHA256 hash: ff64865d28e16e978664eeb2edb57f0211c7d6606551c45886f2290cfb8aa825
MD5 hash: 7582d154a918ef569fbee68f4228b5b1
SHA1 hash: f21071ff67436886e6d405fb80e1eca8122045a5
SHA256 hash: 042da3ab049d2234af9c4aba681c029da6f6bc21faac724f4959b62d66b8c20b
MD5 hash: bf41ab95b61e7a82d4032cdc001daf20
SHA1 hash: e771292bf7041dce95b86152a174a6791f8a7280
SHA256 hash: abde10f3103c7b6fa2ebdf68379e90d56aaa94d194fe46d4ac45305a18163cac
MD5 hash: 8fa6d81fb36a61739edc4568ae929a86
SHA1 hash: c098c10e15314b21251201f20a76bb0f3a42ce1a
SHA256 hash: 544e67e044dafbf651dc08606d63ab2718024c986ab7e0e403246a1e3f32eb87
MD5 hash: c084fd0820b600f3617d8d91e03fc88b
SHA1 hash: ba1bdcd94e02b887d0911e5604ce0c8d13c026af
SHA256 hash: f836b822c3b1fe64ec076667084cf17b6d027c9e390160364873526d8e768933
MD5 hash: c8bac65109715fe06ecba86f1e07026d
SHA1 hash: 5420811cb925e57484f30873e4c1b44a69c72f10
SHA256 hash: 75c6dbfa9b5fddc57bc7a6122104989073e82df304eacdb7fd83a570fded56d2
MD5 hash: ea6eb6c6538663e6702301f0da27fcf8
SHA1 hash: 14a0ad7ace3a3861f2f5c86e9f3ac4ec48eb553c
SHA256 hash: 0c5dc5d5186aee4eb35d5c10df4c1ff7c8a2742330697d6aa89aad966c665fb1
MD5 hash: b6abca9b25ea0b23cee2311085622d72
SHA1 hash: 0d072dc2a3619e88be6046a82760004d4515a550
SHA256 hash: 93c4cba30e4e919db036ca03b25885094ff34caf6a52125dc5647c16c454e700
MD5 hash: f0380d884cef856b846e2128714e63be
SHA1 hash: a51466452c7ad1b604335cfcf00f6547ba326dfb
SHA256 hash: 152e12547ca933b021d0f1c04474b72b74e50983548d965c2eeac398c0a84d6c
MD5 hash: d98fccb15197651fe8f2f823acf2c85c
SHA1 hash: 5a79a53acb83e5b330ca05798e3639c01e29e03e
SHA256 hash: 73f7d9bcdb5dccf82b324c3f5384de3240d4feff887a1c929a9174beb55194ce
MD5 hash: 5500d82a7c8e8ee2b1cee17749c0bc70
SHA1 hash: 9b831c0c04732453b3a28f1278d5ae047cdd1e53
SHA256 hash: 03b913a47ca3bf99528b98189562facfc2b440c4551dab8700e4daaff5a9f5af
MD5 hash: e7528725729460bc41e2163eeaa63070
SHA1 hash: 3bef8d6c542fd39374c9941ede33b0376df0a29c
SHA256 hash: 03d64b51e97815da70e09b66c41bf44303f12a8663719d4694610154239e0d00
MD5 hash: 71c1261401884cc02ad2e7f614652747
SHA1 hash: 2ebedaf38d165e4c4bdc3d4f1ff2fa1c17e039da
SHA256 hash: 8cc9247e21034e5156fed3acaded4d4774cd3f8bd23ce148dd216712598f40d2
MD5 hash: 51fbb93e9fc87437b943a7540699b8ac
SHA1 hash: fe0e596a62b23d1c2efd6e460e80353ba4b6cb32
SHA256 hash: d59ffefec7d4466d154f6b93301147ae8cd35948eade74b74dfa58d50c2b12db
MD5 hash: b90bdb9203fddc147ba865fbeb7400b7
SHA1 hash: 5f6e3169e186978272b0e3b4dc2bd7a2705d94ac
SHA256 hash: d0503909dc58cc4a7192bd3c01fd45371014cc4bf04887dd0221415bd055a0a0
MD5 hash: 22539ac47ce1d5ecd25f828a5b422da1
SHA1 hash: 7a51d2a619d599957f68b7b5efe4f1abb26f6dcf
SHA256 hash: 17eba5a8fc60b5e62fbbea29e971691988da98a98db3a2c2bf9aad00b1b72dc4
MD5 hash: e74d9b73743dfbb9f025a7908c85da37
SHA1 hash: 8a5b323b090cb0d2c4ff59f0ef520d323dd86097
SHA256 hash: 841a055416ba8f7971cdc4bf95ff436bd47028f1fa267a98404d5971f92249b8
MD5 hash: bcc6603f031b44a6e4982615a086f58c
SHA1 hash: 4746025743956ac81bf163ee692c8e236f084d67
SHA256 hash: 1ca42304876d18f4367e975b7f3a2179c18fd1ac16cc8b16d15eb8ad72690a89
MD5 hash: ac95e70833740a7114a7335a5dfa1dc8
SHA1 hash: 5c7cbbb96b778274bf96c15c248b0e1e47f9ba71
SHA256 hash: 61299f208e35ed6fa26b16639ff495d378f64f9486a70c29eae80592d930e791
MD5 hash: ab0bd8932a92421272b5911e2ebf488b
SHA1 hash: 8fc75411fae94208b303c30faf3f4ba7385f8e22
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments