MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 818879e025de0edf6dc27fc9df7b763bec9ebac29952e6dda015f05307349520. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TVRat

Vendor detections: 7

SHA256 hash: 818879e025de0edf6dc27fc9df7b763bec9ebac29952e6dda015f05307349520
SHA3-384 hash: 6594c2eeab7a9648920c7a0f689ea523766fd2833737c60316248285c0a2f12badb701fb8644d0efa1547c2678a20ed5
SHA1 hash: 8a0cb0674c714520a2bfe361dbfb9344c946efd3
MD5 hash: 9601e4538b55b1dc2031ae9ffd05abff
humanhash: robert-virginia-wyoming-mockingbird
File name: SecuriteInfo.com.Trojan.Siggen10.31024.20148.16337
Signature: TVRat
File size: 5'027'950 bytes
First seen: 2020-10-05 14:27:54 UTC
Last seen: 2020-10-05 14:31:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 25890460a2b98652bed7ba240be2c1d7 (3 x TVRat, 1 x AsyncRAT, 1 x Socks5Systemz)
ssdeep: 98304:S5hUDsUlacXe6kxoIewFLlJIgoRTyIos6VAdVkMnwIYDa6KseyCUMXS:mhUDf0cXrkxoTu5Oos6+n3nJYZPMi
Threatray: 6 similar samples on MalwareBazaar
TLSH: F23633715A969064E4257BBC08641E657622AF430DC822DA37847F377BB32B3CDEB436
Reporter: SecuriteInfoCom
Tags: TVRat

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 131
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Moving a file to the %temp% subdirectory
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Modifying a system file
Using the Windows Management Instrumentation requests
Searching for the window
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Result
Threat name: RedLine
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 84 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes the view of files in windows explorer (hidden files and folders)
Drops batch files with force delete cmd (self deletion)
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global get message hook
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph: [interactive graph not reproduced] Behavior Graph ID: 293342; Sample: SecuriteInfo.com.Trojan.Sig...; Start date: 05/10/2020; Architecture: WINDOWS; Score: 84
Threat name: Win32.Virus.TheRat
Status: Malicious
First seen: 2020-10-01 05:07:09 UTC
AV detection: 19 of 29 (65.52%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: keylogger stealer spyware trojan family:agenttesla persistence discovery infostealer family:redline
Behaviour
Enumerates system info in registry
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
JavaScript code in executable
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
RedLine
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: TVRat
File: Executable exe 818879e025de0edf6dc27fc9df7b763bec9ebac29952e6dda015f05307349520 (this sample)

Delivery method
Distributed via web download
