MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94b9abbe10bd9d6abcb8dce27814992bf7a09ed416c66998bd3496bda1490713. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94b9abbe10bd9d6abcb8dce27814992bf7a09ed416c66998bd3496bda1490713
SHA3-384 hash: a829089791c6c328db83d656a0524d6f4e88bc0eb5c252b91c7182428f44e95e548865eac15a7c072ea98428f987de69
SHA1 hash: 809c4cc4ae51fcf3eca24e7d7fa5c1b6b5db52ce
MD5 hash: e71e3b995477081569ed357e4d403666
humanhash: illinois-two-eighteen-hot
File name:94b9abbe10bd9d6abcb8dce27814992bf7a09ed416c66998bd3496bda1490713.bin
Download: download sample
File size:1'828'192 bytes
First seen:2021-09-15 11:23:50 UTC
Last seen:2021-09-15 12:07:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5bd07784f328e868356a895d4ab1a505
ssdeep 49152:OBGHLrZP7auvm8sJEkbxH0ulBuw8ZtTUZEoH+hE:vrdTauvkERulBaUZEoH+h
Threatray 1'229 similar samples on MalwareBazaar
TLSH T1EC8533212EA6E8C7EE15823762475F75247FB80105824859E38B8F14B7C6B5B3E3F278
dhash icon c881b39c98b381c8 (5 x GuLoader, 3 x Formbook, 3 x ValleyRAT)
Reporter JAMESWT_WT
Tags:exe Hartex LLC signed soldewornek

Code Signing Certificate

Organisation:Hartex LLC
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2021-06-04T00:00:00Z
Valid to:2022-06-04T23:59:59Z
Serial number: 9b576882ccdb891fd6e4a66671f3ac71
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: ac50a5d91a71ba8447ee795ff966e625aec004e49eb24adaa366b988686b65a5
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
94b9abbe10bd9d6abcb8dce27814992bf7a09ed416c66998bd3496bda1490713.bin
Verdict:
Malicious activity
Analysis date:
2021-09-15 11:24:13 UTC
Tags:
installer teamviewer
Link:
https://app.any.run/tasks/a9308ec3-0e11-4b43-8631-45679cc5ad1a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/188175/
Detection(s):
PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.Ep-7
Create hunting rule

PUA.Win.Packer.Embedpe-3
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt
Creating a window
DNS request
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/61751a12a9d585e6d5370fc0/reports/b88d4265-5c25-492f-bb56-4c0c0dec597a/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/402eae14-5fdb-44c6-8cb6-a5617471d603
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/851364
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to detect sleep reduction / modifications
Creates processes via WMI
DLL side loading technique detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 483795 Sample: 77Etc0bR2v.bin Startdate: 15/09/2021 Architecture: WINDOWS Score: 80 39 Multi AV Scanner detection for dropped file 2->39 41 Multi AV Scanner detection for submitted file 2->41 7 77Etc0bR2v.exe 14 2->7         started        10 TeamViewer.exe 11 14 2->10         started        14 svchost.exe 2->14         started        16 14 other processes 2->16 process3 dnsIp4 25 C:\Users\user\AppData\...\TeamViewer.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\Roaming\...\TV.dll, PE32 7->27 dropped 29 C:\Users\user\...\Teamviewer_Resource_ja.dll, PE32 7->29 dropped 18 TeamViewer.exe 7->18         started        31 master15.teamviewer.com 185.188.32.25, 49746, 49747, 49748 TEAMVIEWER-ASDE Germany 10->31 33 outnegorave.info 172.67.205.33, 443, 49752, 49755 CLOUDFLARENETUS United States 10->33 37 2 other IPs or domains 10->37 51 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 10->51 53 Changes security center settings (notifications, updates, antivirus, firewall) 14->53 21 MpCmdRun.exe 14->21         started        35 127.0.0.1 unknown unknown 16->35 55 DLL side loading technique detected 16->55 file5 signatures6 process7 signatures8 43 Tries to detect sandboxes and other dynamic analysis tools (window names) 18->43 45 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 18->45 47 Creates processes via WMI 18->47 49 Contains functionality to detect sleep reduction / modifications 18->49 23 conhost.exe 21->23         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94b9abbe10bd9d6abcb8dce27814992bf7a09ed416c66998bd3496bda1490713/
Threat name:
Win32.Trojan.Teamspy
Create hunting rule
Status:
Malicious
First seen:
2021-09-11 12:40:53 UTC
File Type:
PE (Exe)
Extracted files:
129
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
10b52b26be692aea2c0365965a300d479698bdd72910592b55ea42dcb5a29e1b
14bb337bfab1686103f252a2d7079863980237f1679164c3b519caadd3cca27a
3c167530a131f9dc899b73b9eac971b38e44d41cf291893fde8e575602c2b846
48643d9ccc694960fb84f505524d0f148a0331a7e2569171ff3999dd60bc7154
50575798954fd5dff1f376d1597a3d0ff52f51789c5ae98b48957590b540bcce
a43aeebdf142d982d97157178d0b190e386b39d532c8782a7767f84f2a88e97b
a7b172d3fb0092b616e486d62a628e6fa09608d9e9a54773bc34fd37f2227a3e
d81e62102d9b748aaabf4f06bf0c09a66dfaaac7836374016a5f076b6f7ed418
e8b020b127ad6e962e62fb0e896f7bdad3449249b07a67815dde796ce2577912
efea5e4af45434b028bbb6f0f45e57d74cc37a0d46ba85921f456806d48bc97c
+ 1'219 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210915-nhqh5aaeg7/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Sets DLL path for service in the registry
Unpacked files
SH256 hash:
d0f1bd94e8e09330e33e1ce43518f14494b0e79d7f72eaf884eda9686fe7dddd
MD5 hash:
85ff3ba9a5521ea0d5b046560c5ada37
SHA1 hash:
8714499783d24b1d275b1d04b3077350522fe1e3
Link:
https://www.unpac.me/results/48e0216c-04f3-4190-bb10-113de7fcfd5c/
SH256 hash:
86818b22958e919660374c52cb4321a9572531f9df1c6073a6fb0764afa661c4
MD5 hash:
25101099837ef2df4434e7b11ffc6ba4
SHA1 hash:
7b7302d6a9a3bbd7fcc882fb43cc8746e47e21da
Link:
https://www.unpac.me/results/48e0216c-04f3-4190-bb10-113de7fcfd5c/
SH256 hash:
94b9abbe10bd9d6abcb8dce27814992bf7a09ed416c66998bd3496bda1490713
MD5 hash:
e71e3b995477081569ed357e4d403666
SHA1 hash:
809c4cc4ae51fcf3eca24e7d7fa5c1b6b5db52ce
Link:
https://www.unpac.me/results/48e0216c-04f3-4190-bb10-113de7fcfd5c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/94b9abbe10bd9d6abcb8dce27814992bf7a09ed416c66998bd3496bda1490713

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/188175/

Comments