MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c793c742aff570a9052b1a2f559b781c70342678ad6582a42c6cc47260da425. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 7


SHA256 hash: 7c793c742aff570a9052b1a2f559b781c70342678ad6582a42c6cc47260da425
SHA3-384 hash: e38a5ed8f8c2dbd4746cfb8beea6dcc6e62abe4737e65a172ea5dcbc2a9d48921d346e108e1c945c243eb1be28ad0574
SHA1 hash: 74951c167b6622fe27aeb44f0fd446bc972a4b1f
MD5 hash: 5fea0e7730cedf574de8e34d572a18b8
humanhash: sierra-football-south-orange
File name: 7c793c742aff570a9052b1a2f559b781c70342678ad6582a42c6cc47260da425.bin
File size: 1'860'928 bytes
First seen: 2021-09-28 06:58:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'452 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 49152:uvy1Gwdq3x/YUm5CTuZLHR8Gz957rrKZRBPo77SXvq2TdbIC8:KyQ468bZlTM11dbIC8
Threatray: 1'553 similar samples on MalwareBazaar
TLSH: T14E85331266F21837FB56CBB94EB291048D337623183144F971CEE4CEAFBB9A66404779
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: JAMESWT_WT
Tags: exe soldewornek SUSHI PUFFA DJB OY

Intelligence


File Origin
# of uploads: 1
# of downloads: 133
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7c793c742aff570a9052b1a2f559b781c70342678ad6582a42c6cc47260da425.bin
Verdict: Suspicious activity
Analysis date: 2021-09-28 07:04:33 UTC
Tags: installer teamviewer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Deleting a recently created file
Creating a process with a hidden window
Creating a file
Moving a recently created file
Creating a file in the %AppData% subdirectories
Connection attempt
DNS request
Sending an HTTP GET request
Result
Threat name: Unknown
Detection: suspicious
Classification: evad
Score: 36 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Creates processes via WMI
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph (ID 492003; sample RiQTqNh42p.exe; start date 28/09/2021; architecture WINDOWS; score 36)
Sample-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Sigma detected: Copying Sensitive Files with Credential Data
Sample-level network: 192.168.2.1 (unknown)
Process tree:
RiQTqNh42p.exe (started)
  dropped: C:\Users\user\AppData\...\RiQTqNh42p.tmp (PE32)
  RiQTqNh42p.tmp (started)
    dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); C:\Users\user\AppData\Local\...\_RegDLL.tmp (PE32)
    RiQTqNh42p.exe (started)
      dropped: C:\Users\user\AppData\...\RiQTqNh42p.tmp (PE32)
      RiQTqNh42p.tmp (started)
        dropped: C:\ProgramData\TeamViewer\is-VMRHK.tmp (PE32); C:\ProgramData\...\TeamViewer.exe (copy, PE32); C:\ProgramData\TeamViewer\TV.dll (copy, PE32); 7 other files (none is malicious)
        TeamViewer.exe (started)
          signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); Creates processes via WMI; Contains functionality to detect sleep reduction / modifications
TeamViewer.exe (started)
  network: master9.teamviewer.com 185.188.32.9 (ports 49742, 49743, 49744; TEAMVIEWER-ASDE, Germany); outnegorave.info 172.67.205.33 (ports 443, 49748, 49846; CLOUDFLARENETUS, United States); 3 other IPs or domains
TeamViewer.exe (started)
2 other processes (started)
Threat name: Win32.Downloader.Generic
Status: Suspicious
First seen: 2021-09-24 02:50:00 UTC
AV detection: 4 of 45 (8.89%)
Threat level: 3/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Sets DLL path for service in the registry
Unpacked files
SHA256 hash: faed74be4312ef2366ecf679922737cf34c6117a65652097207cc5dc00ce8c5c
MD5 hash: 43bc574fd72e389e0ddf11b3d5380a82
SHA1 hash: 9073d4729a6978b16cabc662c68f6db606bdb776

SHA256 hash: 6378fd686128f2dac33d284c5afee19be1f2e4639e80cd0b211c2616205bbc32
MD5 hash: cbb29cac01426a05c21794df5ee6661f
SHA1 hash: 57f1825ef1f096b970e5898fe30b37cf155066af

SHA256 hash: a6b235ba06859c63586c7866f1b41631b041e9d1004233bfa38eb5e8a951bca9
MD5 hash: b0d26adcb716610735cb34123dca32ae
SHA1 hash: eb96d4ba7bb31d7749e6ce9761a3e492a2b20d66

SHA256 hash: 62d7c943fbfc43627dcccbdd11249126fda8369e02e5622475edfef2cf83156d
MD5 hash: 5647c8f2569de7986cc55b399f99d33b
SHA1 hash: a98962b2e8566c2e21d4e800d4006e37bb5590f5

SHA256 hash: 7c793c742aff570a9052b1a2f559b781c70342678ad6582a42c6cc47260da425
MD5 hash: 5fea0e7730cedf574de8e34d572a18b8
SHA1 hash: 74951c167b6622fe27aeb44f0fd446bc972a4b1f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments