MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90fcf12de33c6bd7e478172cc49da62fc8eb70332bcae5fbba47e2a7c0e5d87c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Backdoor.TeamViewer

Vendor detections: 14



SHA256 hash: 90fcf12de33c6bd7e478172cc49da62fc8eb70332bcae5fbba47e2a7c0e5d87c
SHA3-384 hash: 898dece4982a6728a474dbab1874e24a8b3a9a9c8081e34c5cb21578ec8ad13ab0b96b12cd1919096b591e249d0e5c77
SHA1 hash: 17c948f83f3690e8702c2885b417821effe488a9
MD5 hash: 6431a57b920c12657a5e769be9d41db8
humanhash: stairway-lemon-november-echo
File name: file
Signature: Backdoor.TeamViewer
File size: 264'704 bytes
First seen: 2023-10-21 09:21:41 UTC
Last seen: 2023-10-21 10:33:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0ce12663226524285e6f6ad95f88d0da (1 x Backdoor.TeamViewer)
ssdeep: 3072:HZ1BNLUxA5XIgA0/BwzrP56JRrJg+nfseW9Gnj/6LK2R:tVCA54gAkuzrP56J1JHfY0nm2
Threatray: 105 similar samples on MalwareBazaar
TLSH: T18944CF127691D876E55329351930C6962A3BFCA2AA7541CB37A83F3EED303D09B61F13
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 70d0dcd0c4d9d2dd (1 x Backdoor.TeamViewer)
Reporter: andretavare5
Tags: Backdoor.TeamViewer exe


andretavare5
Sample downloaded from https://lrefjviufewmcd.org/987123.exe

Intelligence

File Origin
# of uploads: 3
# of downloads: 320
Origin country: US
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: https://www.amsangroup.com/wp-download/setup.7z
Verdict: Malicious activity
Analysis date: 2023-10-21 09:18:45 UTC
Tags: privateloader sinkhole evasion opendir loader stealc stealer redline vodkagats ransomware stop vidar trojan arkei amadey botnet smoke risepro miner teamspy remote

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Babuk, Clipboard Hijacker, Djvu, Glupteb
Detection: malicious
Classification: rans.troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [graph rendering not reproduced] Behavior Graph ID: 1329620; Sample: file.exe; Startdate: 21/10/2023; Architecture: WINDOWS; Score: 100
Threat name: Win32.Trojan.Privateloader
Status: Suspicious
First seen: 2023-10-21 09:22:08 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 15 of 23 (65.22%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:djvu family:glupteba family:redline family:smokeloader family:vidar botnet:13088c19c5a97b42d0d1d9573cc9f1b8 botnet:logsdiller cloud (tg: @logsdillabot) botnet:pub1 botnet:up3 backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware stealer themida trojan upx
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Themida packer
UPX packed file
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: pe_no_import_table
Author: qux
Description: Detects exe that does not have an import table
Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
