MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7010e15402dd81b0e1501490be034e92dc706ba28c38b6925dbd33e9ff45a5ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeamBot


Vendor detections: 12


Intelligence 12 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7010e15402dd81b0e1501490be034e92dc706ba28c38b6925dbd33e9ff45a5ad
SHA3-384 hash: 7ab95af8ee9fe389a88668b7716e21a8466b85850c258d398d2684ed88318fb485d518628575e28beada4eb92adff1c1
SHA1 hash: 9212c07c41a041412970a6bb5a116a758100fa8e
MD5 hash: c5a2bd8d056dae49330b8fcfce048d9f
humanhash: eight-glucose-william-mexico
File name:c5a2bd8d056dae49330b8fcfce048d9f.exe
Download: download sample
Signature TeamBot
Create hunting rule
File size:9'125'188 bytes
First seen:2022-03-19 00:40:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 196608:JOqxe9kFys1a0zNvQsQIbgKyuo9Pw4g8+m/SB2Z6RgQ:JOqxeON1lRvQsQlFu+w4laB2QD
Threatray 6'926 similar samples on MalwareBazaar
TLSH T19B9633ACE1BCE04EFEF9507399535D78B07A32BE05749E8B1B64D28C2DCB69848C41E5
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe TeamBot


Avatar
abuse_ch
TeamBot C2:
193.233.48.58:38989

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.233.48.58:38989 https://threatfox.abuse.ch/ioc/409201/
168.119.164.249:48788 https://threatfox.abuse.ch/ioc/409203/
5.182.5.203:48720 https://threatfox.abuse.ch/ioc/414482/

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/252839/
Detection(s):
Win.Dropper.Pswtool-9857535-0
Create hunting rule

Win.Packed.Barys-9859263-0
Create hunting rule

Win.Malware.Barys-9859499-0
Create hunting rule

Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/9750/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe manuscrypt overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/623526a3b94fb38cb4a84762/reports/2bf24b41-e113-4aec-b18e-a7ebb6d223da/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d4857d6-43f3-4bcb-8023-fc2564b034e9
Result
Threat name:
RedLine SmokeLoader Socelars onlyLogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/959935
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Disables Windows Defender (via service or powershell)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 592417 Sample: RE32GGHQRv.exe Startdate: 19/03/2022 Architecture: WINDOWS Score: 100 72 s3.pl-waw.scw.cloud 151.115.10.1, 49777, 80 OnlineSASFR United Kingdom 2->72 74 v.xyzgamev.com 104.21.40.196, 443, 49776 CLOUDFLARENETUS United States 2->74 76 2 other IPs or domains 2->76 94 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 Antivirus detection for URL or domain 2->98 100 15 other signatures 2->100 12 RE32GGHQRv.exe 10 2->12         started        signatures3 process4 file5 62 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->62 dropped 15 setup_installer.exe 21 12->15         started        process6 file7 64 C:\Users\user\AppData\...\setup_install.exe, PE32 15->64 dropped 66 C:\Users\...\622f1b91f3e0a_Mon109e8900b.exe, PE32 15->66 dropped 68 C:\...\622f1b91b1418_Mon1003719cdda0.exe, PE32 15->68 dropped 70 16 other files (10 malicious) 15->70 dropped 18 setup_install.exe 1 15->18         started        process8 signatures9 92 Adds a directory exclusion to Windows Defender 18->92 21 cmd.exe 1 18->21         started        23 cmd.exe 1 18->23         started        25 cmd.exe 18->25         started        27 12 other processes 18->27 process10 signatures11 30 622f1b82bcc7d_Mon103358ad6f7.exe 1 21->30         started        33 622f1b844d8d0_Mon105c417d3354.exe 3 23->33         started        35 622f1b91b1418_Mon1003719cdda0.exe 25->35         started        102 Adds a directory exclusion to Windows Defender 27->102 104 Disables Windows Defender (via service or powershell) 27->104 39 622f1b88ab062_Mon1005a501dd.exe 27->39         started        41 622f1b8e10785_Mon1046ab76f.exe 27->41         started        43 622f1b91f3e0a_Mon109e8900b.exe 27->43         started        45 8 other processes 27->45 process12 dnsIp13 106 Multi AV Scanner detection for dropped file 30->106 108 Detected unpacking (changes PE section rights) 30->108 110 Machine Learning detection for dropped file 30->110 112 Disables Windows Defender (via service or powershell) 30->112 47 cmd.exe 30->47         started        114 Antivirus detection for dropped file 33->114 130 2 other signatures 33->130 78 controlparks.com 208.91.199.233, 49785, 80 PUBLIC-DOMAIN-REGISTRYUS United States 35->78 80 blackhk1.beget.tech 5.101.153.227, 49783, 80 BEGET-ASRU Russian Federation 35->80 52 C:\Users\user\AppData\Local\TempbehaviorgraphJEL7.exe, PE32 35->52 dropped 54 C:\Users\user\AppData\Local\Temp\36J76.exe, PE32 35->54 dropped 116 Tries to detect sandboxes and other dynamic analysis tools (window names) 35->116 118 Hides threads from debuggers 35->118 120 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 39->120 122 Maps a DLL or memory area into another process 39->122 124 Checks if the current machine is a virtual machine (disk enumeration) 39->124 82 ip-api.com 208.95.112.1, 49774, 80 TUT-ASUS United States 41->82 84 192.168.2.1 unknown unknown 41->84 126 May check the online IP address of the machine 41->126 88 2 other IPs or domains 43->88 86 194.36.188.138 HSAE Netherlands 45->86 90 2 other IPs or domains 45->90 56 C:\Users\...\622f1b9114737_Mon1000c496b0.tmp, PE32 45->56 dropped 58 C:\Users\...\622f1b871de02_Mon10313dc2.tmp, PE32 45->58 dropped 60 ab1e81bc-7a75-4b2b-b2d1-77fad0d1fe00.exe, PE32 45->60 dropped 128 Obfuscated command line found 45->128 file14 signatures15 process16 signatures17 132 Disables Windows Defender (via service or powershell) 47->132 50 powershell.exe 47->50         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7010e15402dd81b0e1501490be034e92dc706ba28c38b6925dbd33e9ff45a5ad/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-03-15 11:10:14 UTC
File Type:
PE (Exe)
Extracted files:
223
AV detection:
33 of 42 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oaiocvac3wa3bykqcsil4a2osloha25crq4lnes5xuz6t72fuwwq._file
Verdict:
malicious
Similar samples:
00581e2fa186e5b6f044427945709e2439aad5782b8718c73cd5587d2a65359e
TeamBot
1c57e67bf823c9c15d3afb19746746df06a218fb70816a26b150efb072660d6d
TeamBot
41df967faab672334124024b016e41d86660ade85d71d86a55b8c3c24fb70c99
TeamBot
62e2a9186c1fab1693c2db86b723cbfd4d51accdd03d6baa324f1e02e78e5913
TeamBot
738bc607c1a64d1867103f3f4b6558c89401c539c34422d1e7a20fe634828cea
TeamBot
73e25ced557e8008074958707573a4d6ad68e3861d04a98a22cfdaed57fab84f
TeamBot
b8319b0b5b554b983279cc8ceb7c23ba8a6a46446a06a6902b1b15eee964b010
TeamBot
c5061cf2961513f91ee1b2c0f50bf8a11928ac068b02ba825b3b0410de507224
TeamBot
feba9bf42249bc45378ea0c07e476dc7bbf2ec9665db5981757d37b75ebab3ca
TeamBot
+ 6'916 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:onlylogger family:redline family:socelars botnet:media07780 aspackv2 discovery infostealer loader persistence spyware stealer vmprotect
Link:
https://tria.ge/reports/220319-a1sjjshbe7/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Malware Config
C2 Extraction:
https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/
92.255.57.154:11841
Unpacked files
SH256 hash:
3b86c378db2d6b7279eb4448dd409433d9f7e2370014de6a0704a6cc5eae1b9d
MD5 hash:
d1de9812f07457395cce614680f4e2c6
SHA1 hash:
447489b85802d888676301fa574f13ba7d864eda
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
6cedae6e0d959293c3ba7db492843e650f00055f4ef033a8a8982a3c5467dcd6
MD5 hash:
80a5cf0c14ea8a3ed2f78417c0c6f64e
SHA1 hash:
7cba131eb83ae440007e2f87a55bff007eb568c6
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
MD5 hash:
b984a027c8a2abf874f3eb306a831613
SHA1 hash:
d3b3f8890adc840b0bd411cf304eef15d415ed48
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
Parent samples :
fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
SH256 hash:
e718a2f50e72d94ee2c9455603d98f67e7705aefc283351c182b5e503d59f6d8
MD5 hash:
5264c8567cf762e7cd37971a88b28a45
SHA1 hash:
ffd23a453665086713bbeccf0029c5b026d4c47e
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
2d1b056aedce639eaf70e1743ae43d90ef110012b26c887d0d5a8a4bcac22143
MD5 hash:
ba4b7e093671b1160729faff51efd765
SHA1 hash:
e95b4dbdc3a351c5edad2da2e7a59dd40ebe0233
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
7382632010b962fe845138c67406a369d1a00e77b293003a6aa89a206806f892
MD5 hash:
79d12bf220e9ea93125df294ac4a2c47
SHA1 hash:
d0d63a8d43e079f856cce3186f3714ea66cda844
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
a529d884db33050a99378541d059744875422995635e4907a6d2d0b318bc6048
MD5 hash:
089493115a2b9da826c3a5d90eceb199
SHA1 hash:
a85ca15ab6c6d60e252c4439db8783001fa053e8
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
51cf0dd1f1f1ff995d4d7d48c68869cdf40f314f5a9fb860ef2f02f8161e243d
MD5 hash:
9807d911a369f5c641409b5ade95f913
SHA1 hash:
8ac5ac36186aa0b3d1cb440bca4940608481a855
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
613d0aa609092cf0e626e994a579cf47f5e0cc61e78ef0f68949e8f4dc4e4b34
MD5 hash:
52c0a0675c92afdc1bda2cb05b2872fd
SHA1 hash:
89b096c87ee319e79e9fa7cddb388d588d76bb0c
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
b2051d2952f751dc32943d04a1254bc21158951f5392c69eead15e917df30bd6
MD5 hash:
45cccd21a7671fd18f03e6d6aa3f8bfc
SHA1 hash:
873cd5c9a9db4774a7fa98e2009b0f543842b1c2
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
0f821be4f0ddd2beca640934aa85c856c927c6beb961356490b204abb6417a51
MD5 hash:
f637fd1ebb2a751841971b8e5910fcb4
SHA1 hash:
2d5d4d8d23050b0302405a3c0d4ee49121a3109c
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
89916e8765a77a884a74a037d554e67e4541ac3a40b4dbfe3d60333361a93f79
MD5 hash:
47b7513a8434710d66d48489182a6ca8
SHA1 hash:
220391e3e03d2e3334c223c38011d2fde00029ef
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash:
4f93004835598b36011104e6f25dbdba
SHA1 hash:
6cb45092356c54f68d26f959e4a05ce80ef28483
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
9049ff744c56858b777adf1cf80f4e0f876a4d54dc23ea884c2f8aa39a3bef1d
MD5 hash:
31ebd93c9fb74de0bf3c9eac412f72fb
SHA1 hash:
b7c4e5e258b4b7a3742c23315c7a204d73bf72d4
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
84f745ceea980ed2342724f877d798e5c18ab46ba10af0986ee306c05d5a486f
MD5 hash:
fe2c8b8a149d61280c73d89ef54664ed
SHA1 hash:
03c9d039a43364b35ddeb4ae27a82aa3f9b284a3
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
5a4e8068cb1988fdf3cbd2ecfc0686643a11152fbb595625fc6e74254e0aef4e
MD5 hash:
78261133f7f831da4a7e6de353711996
SHA1 hash:
49e1f6d38fdf24c9480622d8323ec0126f25e66a
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
b2a61a4b8ed56c8f7d279da67196417abe6562e4bd09b77536b094cbfa232cda
MD5 hash:
117188c0980eca9f9db2fadc7183e569
SHA1 hash:
0b11ab83a5c969fb356160bc1c3e6359e72488f5
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
6425d17188c44958471a3b473ba6735d80a1bba2e4cb28d5a8758047cebedbb6
MD5 hash:
7fcc2db1b2723329e230a5019f669135
SHA1 hash:
37278c90c3586f46c523cd859d1753aac2fb9445
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
c1cb302a5ff4696dc7094ba13aae87165c9e7fde470b8d1732686171ed94e9f8
MD5 hash:
e4fe899ac76f3d80404e7acdd3ce84f8
SHA1 hash:
69e63162d4c316914b56765ec9eedfdadf210e6c
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
004db9b2d551300b2a43655fa1be42b3ab375f3e7f8f167cc1db9cb0bf68a860
MD5 hash:
7aceb36f403ee609a1853455a60a255e
SHA1 hash:
f3b61a42726017559bc15c0ee7535af1283e484b
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
17eba5a8fc60b5e62fbbea29e971691988da98a98db3a2c2bf9aad00b1b72dc4
MD5 hash:
e74d9b73743dfbb9f025a7908c85da37
SHA1 hash:
8a5b323b090cb0d2c4ff59f0ef520d323dd86097
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
e4755e82fdd578aacdb36ef3c0fe1f83e797831beb99caa1aef670c2278ab84b
MD5 hash:
85801a56116a763f3eb67f617e23dcc6
SHA1 hash:
e50f38aee01ab92f27ac3533324e68f5903a5ab9
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
e75064ad4b8a7b50b1ccb349c0a561829efb97636e79d26f3c766d820d05b622
MD5 hash:
384900700017a658d8313aa7da69573d
SHA1 hash:
c009b6d759366f59c37d89a46f924dffec8d4046
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
SH256 hash:
7010e15402dd81b0e1501490be034e92dc706ba28c38b6925dbd33e9ff45a5ad
MD5 hash:
c5a2bd8d056dae49330b8fcfce048d9f
SHA1 hash:
9212c07c41a041412970a6bb5a116a758100fa8e
Link:
https://www.unpac.me/results/2e4cdba5-5959-4bbe-913f-3e19e715163d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7010e15402dd81b0e1501490be034e92dc706ba28c38b6925dbd33e9ff45a5ad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/252839/

Comments