MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d9e22e88f7b5abf22553dfc438d8f40e17c33e8fc9fb0141f25eaaba8ebca6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeamBot


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d9e22e88f7b5abf22553dfc438d8f40e17c33e8fc9fb0141f25eaaba8ebca6e
SHA3-384 hash: 4565f0a52b50758733e2b0687aee8ce796b91043c1c370553f238c71ca9f5966fc554d1e7ba03b3e75eff2340e570b50
SHA1 hash: 0a52d28426e056c1369a5432f1c7ab5a752d2525
MD5 hash: 20412e905d572b58bb5e8cc8b30ad9c3
humanhash: east-quiet-maine-nineteen
File name:7D9E22E88F7B5ABF22553DFC438D8F40E17C33E8FC9FB.exe
Download: download sample
Signature TeamBot
Create hunting rule
File size:235'520 bytes
First seen:2022-05-18 09:12:28 UTC
Last seen:2022-05-18 09:34:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a09fb7ac37c6846f86e7eae4dcb32d14 (2 x RedLineStealer, 1 x GCleaner, 1 x CoinMiner)
ssdeep 6144:+TxLfvl8PmgNJPuirvFoAhMLn0anOiABjUhga/:+ViPbuirvCAEnTnOiWjkV/
Threatray 159 similar samples on MalwareBazaar
TLSH T1A834BF5535C09072D5A709312470E6B54A3EF9300B668EEB73C41AAE8F316E2BB74F67
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon a0f0f04d4d8e8e8e (4 x RedLineStealer, 2 x CoinMiner, 1 x GCleaner)
Reporter abuse_ch
Tags:exe TeamBot


Avatar
abuse_ch
TeamBot C2:
193.106.191.197:23196

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.106.191.197:23196 https://threatfox.abuse.ch/ioc/592168/

Intelligence

File Origin
# of uploads :
2
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f1646471951.zip
Verdict:
Malicious activity
Analysis date:
2022-03-05 09:19:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3a523e1f-ae26-46ca-90ea-fa2f411e5d48

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/272002/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.42952.16367.30864.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a window
Searching for the window
Launching a process
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/18672/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
emotet greyware packed
Link:
https://www.filescan.io/uploads/6284b89f22b733139c289d52/reports/1d093329-98b8-4c5e-8cac-3d6ab582a9ed/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Zapchast
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c179ff9-2d49-4853-b3c7-10b327dfcae5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/996642
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d9e22e88f7b5abf22553dfc438d8f40e17c33e8fc9fb0141f25eaaba8ebca6e/
Threat name:
Win32.Backdoor.Zapchast
Create hunting rule
Status:
Malicious
First seen:
2022-02-28 08:10:36 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
33 of 41 (80.49%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pwpcf2eppnnl6isvhx6ehdmpidqxym7i7sp3afa7exvkxkhlzjxa._file
Verdict:
malicious
Similar samples:
1b6db2ff76f4564310210b20e13118f37c92e1ef46541b1aec6b5a98be598ae4
TeamBot
5b92d1d8c1df0cc42591bc05cb62331a28f54e3566c708a8fd13b00cb76881c2
TeamBot
8101c71c2c31df8da09ed7dd55da9bbd949b028f8f54f0e1cbffab82b192ed87
TeamBot
a297bc0c90017b32dd1636f86f068b0b6c21c6e1eb1ead92c23eec4b0195177e
TeamBot
a5453a830d01639ad537320c94e68565341328c872a8f2d3456221a0bec6f3e9
TeamBot
afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
TeamBot
bec113f52e725b1e43720bb9ab1faece1043fc4562f1de3c3d43c1cfc97f2ada
TeamBot
cfbac2647ebe2341242d1c6375d766e4490c9d16fdbf100301e9e8102aeba62c
TeamBot
d66c835ffce7413ed28d1252c814787083aab6fcdc20df38120b5da13991f9c3
TeamBot
e69716b0ea13b412bf6e3ac4f9a0bca987d99788f9d20cedd8fcacee0a7c3f38
TeamBot
+ 149 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:redline family:vidar botnet:937 botnet:@humus228p botnet:sushi discovery evasion infostealer ransomware spyware stealer suricata trojan upx vmprotect
Link:
https://tria.ge/reports/220518-k6ql9aaghj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
Checks computer location settings
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Vidar Stealer
Amadey
Detected Djvu ransomware
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
Vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
65.108.101.231:14648
185.215.113.38/f8dfksdj3/index.php
185.215.113.24:15994
https://t.me/netflixaccsfree
https://mastodon.social/@ronxik12
http://ugll.org/test3/get.php
Unpacked files
SH256 hash:
7d9e22e88f7b5abf22553dfc438d8f40e17c33e8fc9fb0141f25eaaba8ebca6e
MD5 hash:
20412e905d572b58bb5e8cc8b30ad9c3
SHA1 hash:
0a52d28426e056c1369a5432f1c7ab5a752d2525
Link:
https://www.unpac.me/results/0a31ad82-4120-409d-848b-308324e5bfc4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d9e22e88f7b5abf22553dfc438d8f40e17c33e8fc9fb0141f25eaaba8ebca6e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/272002/

Comments