MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 657aa81665835f9c9ebe28e9a54c583e123498fd1284511ed95568b7d0597a55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 657aa81665835f9c9ebe28e9a54c583e123498fd1284511ed95568b7d0597a55
SHA3-384 hash: c64b06548a2c1caff59b949efeed4e28d3a63db722fedbb11b9d70a5b4557fde3680df01a0dbdb34d93640c0a17247cf
SHA1 hash: ced70c9a831b8f5dcc626cf628401a310f1c4eae
MD5 hash: 63f570204a3ffd852b2e75d03e001501
humanhash: mars-jupiter-nevada-william
File name:63f57020_by_Libranalysis
Download: download sample
File size:4'573'916 bytes
First seen:2021-04-27 23:00:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 25890460a2b98652bed7ba240be2c1d7 (3 x TVRat, 1 x AsyncRAT, 1 x Socks5Systemz)
ssdeep 49152:IEdLZjkymP8DEovU85BuTAdMg1khFtPfFwyUF1EJr8z6JsGRMbGQDCDSj0vw30fA:IWkTTsjdsfdzM1cqTGR6DL7cyT
Threatray 13 similar samples on MalwareBazaar
TLSH 97263307DBAC8C3BE14453703C758CB3EDEBB5593C758A8C224B24BD590E6A16E4DA1B
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
63f57020_by_Libranalysis
Verdict:
Malicious activity
Analysis date:
2021-04-27 23:07:13 UTC
Tags:
installer teamviewer tvrat rat
Link:
https://app.any.run/tasks/90ca8fed-d23d-45ba-ac31-bf9573c97fcd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144723/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.51218.29540.22124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Moving a file to the %temp% subdirectory
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Modifying a system file
Changing a file
Using the Windows Management Instrumentation requests
Searching for the window
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/699754
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Drops batch files with force delete cmd (self deletion)
Monitors registry run keys for changes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 398795 Sample: 63f57020_by_Libranalysis Startdate: 28/04/2021 Architecture: WINDOWS Score: 96 46 tb.investimer.name 2->46 54 Multi AV Scanner detection for domain / URL 2->54 56 Antivirus detection for dropped file 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 2 other signatures 2->60 9 63f57020_by_Libranalysis.exe 2 2->9         started        12 svcc.exe 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\Local\...36S-L50QR.tmp, PE32 9->36 dropped 14 NS-L50QR.tmp 36 9->14         started        process6 file7 38 C:\Users\user\AppData\Local\...38S-0645N.tmp, PE32 14->38 dropped 40 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 14->40 dropped 42 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 14->42 dropped 44 12 other files (none is malicious) 14->44 dropped 17 cmd.exe 2 14->17         started        process8 process9 19 xcopy.exe 24 17->19         started        23 svcc.exe 3 8 17->23         started        26 conhost.exe 17->26         started        dnsIp10 28 C:\Users\user\AppData\...\teamviewervpn.sys, PE32+ 19->28 dropped 30 C:\Users\user\AppData\Roaming\...\svcc.exe, PE32 19->30 dropped 32 C:\Users\user\AppData\Roaming\...\msi.dll, PE32 19->32 dropped 34 11 other files (1 malicious) 19->34 dropped 62 Drops batch files with force delete cmd (self deletion) 19->62 64 Sample is not signed and drops a device driver 19->64 48 tb.investimer.name 23->48 50 master15.teamviewer.com 185.188.32.25, 49715, 49716, 49717 TEAMVIEWER-ASDE Germany 23->50 52 3 other IPs or domains 23->52 66 Monitors registry run keys for changes 23->66 68 Contains functionality to detect sleep reduction / modifications 23->68 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/657aa81665835f9c9ebe28e9a54c583e123498fd1284511ed95568b7d0597a55/
Threat name:
Win32.Virus.TheRat
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 19:18:23 UTC
AV detection:
16 of 44 (36.36%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
02d3e29c37af562636fd0020a6c586711fbbab3838a82dbd25987d14ed919c65
54cc3426c8ad3f2d39543a8157843620af7108ea419589cc6755e77a31b96047
5d843a991e50d5cb0b420c0416b855aea512a3f7296a0964d1ccd224f3ac8718
6575a80b5fa70f2b72b0c5270e4bf316efbdda166b73267a783ebe8a56f3cd1e
65c1d6ac581446d3e242def64455c75697136add0d1780325f2269307478189b
818879e025de0edf6dc27fc9df7b763bec9ebac29952e6dda015f05307349520
d33a4d3ac76095145e6061009fc20432b5c2c6ec4a828c7b6956ea5f072f2c34
d73498e0aabb97375783af491aded66aa6710ba848247de3337f404fa02a35c0
f87ed79fbb1a2228c97fb59127eade39c4f8218fa28ddd76b50da177d81438e3
fdafb44be84ea918c76a99f4c24c08fbe8de6648a4ad73614f77450aa2b43484
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210427-2hfxj9wt76/
Behaviour
Enumerates system info in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
ad7b3af5709e5febc6313696c5f159c895b2785e658028e9500352980dce1c36
MD5 hash:
4fa33f0c32e3232be03aaaeb01633016
SHA1 hash:
3dbab4931922a57fa93c49377b67cf5316cfa766
Link:
https://www.unpac.me/results/5dc72a35-411c-442d-b23c-a0d99c315056/
SH256 hash:
e670a66243c2765aa65d92072a813b1ca09948a85559e322980068b34d65e97d
MD5 hash:
586bc9fb39812ee8c9aa7ef0455ca5ce
SHA1 hash:
4546e0d29e07fd43b16829d3da9673b4f62fd665
Link:
https://www.unpac.me/results/5dc72a35-411c-442d-b23c-a0d99c315056/
SH256 hash:
13d99be3f48e56cb9897fab6ecbb0245fc14ec9df08fb7ea508acde0624af960
MD5 hash:
51c881a274269d74dc5055cd4b6b4ca5
SHA1 hash:
b6e3b843fd6a442b30292f6d2cb011f9b8e6066e
Link:
https://www.unpac.me/results/5dc72a35-411c-442d-b23c-a0d99c315056/
SH256 hash:
31d66f9da7f6ef0abef8be6306b28cbe014674f8860cf276738e91eb19f7240f
MD5 hash:
fa3f0e99b7dac6fce5dd69a0f8b12062
SHA1 hash:
9be18d769c400296e68f0d87889021f14046b4b7
Link:
https://www.unpac.me/results/5dc72a35-411c-442d-b23c-a0d99c315056/
SH256 hash:
6b7430b33f6bfc3a3f7cdc997659a730fe7049677f87ec93163b78d0a5d097d7
MD5 hash:
18fe220e3342bbf8d9eb583459eeb559
SHA1 hash:
239b643f6715f04a47684f72995b93bc3277ee81
Link:
https://www.unpac.me/results/5dc72a35-411c-442d-b23c-a0d99c315056/
SH256 hash:
e6bc2f12a1aba3105779f24640f090425fe55af0d2bb47b4cd1281d66f2113df
MD5 hash:
e46ba46dd0bc1d58829ae681fad78020
SHA1 hash:
f44bffeb53642074663ece4a7c1227943eb053e0
Link:
https://www.unpac.me/results/5dc72a35-411c-442d-b23c-a0d99c315056/
SH256 hash:
4de3c608f7c2c3e4e1bd8e8602284fde3bdeef7f6bb5f95eebb4aa47a587bf2d
MD5 hash:
d48b5ae0f402a2702115d669f5d40e3e
SHA1 hash:
6cd9e1d2cfde6a534784f84d046f5ab2fa822191
Link:
https://www.unpac.me/results/5dc72a35-411c-442d-b23c-a0d99c315056/
SH256 hash:
c1aef16ec59ee3871a2adb82620177de1f1dd967c89647fe6b0534cb41935af5
MD5 hash:
901a18890eff8211dc8f5b016641ba7c
SHA1 hash:
a8c4700390fc5d0838c6e1f1d6d08f0616eda8af
Link:
https://www.unpac.me/results/5dc72a35-411c-442d-b23c-a0d99c315056/
SH256 hash:
657aa81665835f9c9ebe28e9a54c583e123498fd1284511ed95568b7d0597a55
MD5 hash:
63f570204a3ffd852b2e75d03e001501
SHA1 hash:
ced70c9a831b8f5dcc626cf628401a310f1c4eae
Link:
https://www.unpac.me/results/5dc72a35-411c-442d-b23c-a0d99c315056/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/657aa81665835f9c9ebe28e9a54c583e123498fd1284511ed95568b7d0597a55

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144723/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-28 00:14:05 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
2) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
3) [C0021] Cryptography Micro-objective::Generate Pseudo-random Sequence
4) [C0032.001] Data Micro-objective::CRC32::Checksum
5) [C0026.002] Data Micro-objective::XOR::Encode Data
7) [C0046] File System Micro-objective::Create Directory
8) [C0048] File System Micro-objective::Delete Directory
9) [C0047] File System Micro-objective::Delete File
10) [C0049] File System Micro-objective::Get File Attributes
11) [C0051] File System Micro-objective::Read File
12) [C0052] File System Micro-objective::Writes File
13) [C0007] Memory Micro-objective::Allocate Memory
14) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
15) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
16) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
17) [C0017.003] Process Micro-objective::Create Suspended Process::Create Process
18) [C0017] Process Micro-objective::Create Process
19) [C0041] Process Micro-objective::Set Thread Local Storage Value
20) [C0018] Process Micro-objective::Terminate Process