MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75a741eb4e59010b49520e85c949c610ddec55cd89ea954178a12e6b45551483. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Backdoor.TeamViewer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75a741eb4e59010b49520e85c949c610ddec55cd89ea954178a12e6b45551483
SHA3-384 hash: 3afd526a86cfbe9d982a40a0111069050f44cbe90575eda3259514ea31aa1b1874ba8d9004ae50746f71cb0281ad50b3
SHA1 hash: b6ec0466faa0ba389da3f04e490e4cf1bbaa06d7
MD5 hash: d5cf6841dd3e1a7e76d77d0a96c34789
humanhash: ink-single-california-bulldog
File name:file
Download: download sample
Signature Backdoor.TeamViewer
Create hunting rule
File size:1'295'428 bytes
First seen:2023-09-07 17:50:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 80417b621299e3e1de617305557a3c68 (48 x GCleaner, 44 x Backdoor.TeamViewer, 31 x Socks5Systemz)
ssdeep 24576:WI39dKbYY4mwVWmsWQy8Iw3mys1Z/QUo7swnaDL4me1i9RYhgebVKoyInpD:W6dkCWHW1BwYZf4meY0VbvfnpD
Threatray 117 similar samples on MalwareBazaar
TLSH T1A6553311E76198F9E47187F8AD27F2050EB6FC32101C194835FE0E9B8B6F6A59C8635B
TrID 50.8% (.EXE) Win32 Executable PowerBASIC/Win 9.x (148303/79/28)
37.6% (.EXE) Inno Setup installer (109740/4/30)
4.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter andretavare5
Tags:Backdoor.TeamViewer exe


Avatar
andretavare5
Sample downloaded from http://myfilebest.com/order/set17.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-09-07 17:52:58 UTC
Tags:
installer
Link:
https://app.any.run/tasks/0a564b58-b4d7-4cdd-ae72-2e611196fbbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447266/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader25.56768.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching the process to interact with network services
Modifying a system file
Creating a file
Creating a service
Launching a process
Enabling autorun for a service
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware installer lolbin overlay packed packed shell32
Link:
https://www.filescan.io/uploads/64fa0d8a560864d1b6777fc8/reports/6c5df4c2-2926-4b4b-a53b-d30ddb868ebf/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/75a741eb4e59010b49520e85c949c610ddec55cd89ea954178a12e6b45551483
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a4ab29f-53bd-4741-a600-a9363d0aed76
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1305634
Signature
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1305634 Sample: file.exe Startdate: 07/09/2023 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Antivirus detection for URL or domain 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 5 other signatures 2->61 8 file.exe 2 2->8         started        11 svchost.exe 2->11         started        14 svchost.exe 3 2->14         started        16 5 other processes 2->16 process3 file4 45 C:\Users\user\AppData\Local\...\is-GLJV3.tmp, PE32 8->45 dropped 18 is-GLJV3.tmp 10 21 8->18         started        63 Changes security center settings (notifications, updates, antivirus, firewall) 11->63 21 MpCmdRun.exe 1 11->21         started        65 Query firmware table information (likely to detect VMs) 14->65 signatures5 process6 file7 37 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 18->37 dropped 39 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 18->39 dropped 41 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 18->41 dropped 43 7 other files (6 malicious) 18->43 dropped 23 previewer.exe 1 17 18->23         started        26 previewer.exe 1 3 18->26         started        29 net.exe 1 18->29         started        31 conhost.exe 21->31         started        process8 dnsIp9 49 enobaqd.ua 185.141.63.172, 49734, 49736, 49737 BELCLOUDBG Bulgaria 23->49 51 195.154.235.51, 1074, 49735, 49757 OnlineSASFR France 23->51 53 datasheet.fun 104.21.89.251, 49733, 80 CLOUDFLARENETUS United States 23->53 47 C:\ProgramData\...\ContentDWSvc.exe, PE32 26->47 dropped 33 conhost.exe 29->33         started        35 net1.exe 1 29->35         started        file10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75a741eb4e59010b49520e85c949c610ddec55cd89ea954178a12e6b45551483/
Threat name:
Win32.Trojan.Synder
Create hunting rule
Status:
Malicious
First seen:
2023-09-07 17:51:08 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=owtud22oleaqwsksb2c4ssogcdo6yvonrhvjkqlyuexgwrkvcsbq._file
Verdict:
malicious
Similar samples:
1357aed783ad4b524540bcf99d980eaeac3aa21357b696b32c412ee44b925eab
Backdoor.TeamViewer
25e34355c90e9b96478a3a316c4b3280f3254e3677bc9c10e8146efbaaf29c39
Backdoor.TeamViewer
38161de5bca7cef0ff24bf693f500bcabf1583c2e1d0ed40d85e40a8b6d2cb4d
Backdoor.TeamViewer
43c7be1300ee7bb7ce2c317ca2a38735f339542e1addc521150c017d6cf598e0
Backdoor.TeamViewer
449d46143fac008f3c90ea25156bf2e1f3492c7e55e11a45670b98c076924f34
Backdoor.TeamViewer
54a477f68ee0f09eb5b30d5ec19be8e74ef886d74c63de4ee063a2f0a23342e7
Backdoor.TeamViewer
9b914a04a6b4acb86915551f54a471fd3fc5edda4f8b948416db38808fa291bf
Backdoor.TeamViewer
d97003a8bb3ea16f36a0a668a8c896a0b5bd84c063ad9f3e06f02459216739a1
Backdoor.TeamViewer
ee5ce35a68761315dc14c27af6cb25128952bbde67a699b5c69cb21081a3bd75
Backdoor.TeamViewer
f90f03ae635ffe64a3c0eab707f030283e461a717c64de890dab298b54a8feed
Backdoor.TeamViewer
+ 107 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/230907-we5smsce9v/
Behaviour
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Unpacked files
SH256 hash:
9f5d8de8b7c03998094bb4bdc3a779347577c1d91017c266a6bd83e20e105df2
MD5 hash:
c56715bada0143f50276d848a9d9cf3a
SHA1 hash:
e08e2c69348aa2e3cc3ddfdb1a5a3c64cfdad3f6
Link:
https://www.unpac.me/results/e0415f35-ce6b-4642-a137-57cbf61482d9/
SH256 hash:
9d52bc67f2e7e16b9608a0d81458f1c3d70b781bc8528b99609014e7f050bb05
MD5 hash:
7cdc7b54b7ba43ef44ce5153cace54b3
SHA1 hash:
d64d722a2eea7cebaef82561667496cc11d3f9dc
Link:
https://www.unpac.me/results/e0415f35-ce6b-4642-a137-57cbf61482d9/
SH256 hash:
75a741eb4e59010b49520e85c949c610ddec55cd89ea954178a12e6b45551483
MD5 hash:
d5cf6841dd3e1a7e76d77d0a96c34789
SHA1 hash:
b6ec0466faa0ba389da3f04e490e4cf1bbaa06d7
Link:
https://www.unpac.me/results/e0415f35-ce6b-4642-a137-57cbf61482d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/75a741eb4e59010b49520e85c949c610ddec55cd89ea954178a12e6b45551483

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/447266/

Comments