MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94f90d551dfd3fc18c3fc5dd7c4b279b2ebc71bbb2df9619731fc1a796c8173a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Backdoor.TeamViewer


Vendor detections: 12



SHA256 hash: 94f90d551dfd3fc18c3fc5dd7c4b279b2ebc71bbb2df9619731fc1a796c8173a
SHA3-384 hash: e1c926618b8217f02c1228bcaa91a384397c6379ce883830994d7fe92ad4dc49976e2e0a96a46a458003bb7fe993b138
SHA1 hash: 66979eb91bbdbc1e7b179d53a3e3fc2121ddc0db
MD5 hash: f9e332e9525038879cf6107230c99e8e
humanhash: comet-cardinal-robert-lima
File name: file
Signature: Backdoor.TeamViewer
File size: 21'102'080 bytes
First seen: 2023-10-24 09:24:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep: 393216:DRNiqmEIp0N5JrMft1A+BkpsgrkqKF/YEryW0/1+rNtzDWGjXKUgs3bqmJisJh:DRNiqSunM11A+ipn6Bry5/WNtzDrjb3h
Threatray: 5 similar samples on MalwareBazaar
TLSH: T18527233DB82D486BE0F5E1B85CA32CE39435A38843A2F555C6FC91C56D215BC7CA2B87
TrID: 72.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      4.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: andretavare5
Tags: Backdoor.TeamViewer exe


andretavare5
Sample downloaded from http://185.172.128.69/newumma.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 337
Origin country: US
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Searching for synchronization primitives
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching the process to interact with network services
Modifying a system file
Sending an HTTP GET request
Launching a process
Using the Windows Management Instrumentation requests
Creating a service
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun for a service
Unauthorized injection to a system process
Adding an exclusion to Microsoft Defender
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm packed
Result
Verdict: MALICIOUS
Result
Threat name: Glupteba, LummaC Stealer, RedLine, Smoke
Detection: malicious
Classification: troj.adwa.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Found malware configuration
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 1331159; sample: file.exe; start date: 24/10/2023; architecture: WINDOWS; score: 100)

Each entry below is one node of the graph; the number in parentheses is the node id, so "Started: setup.exe (23)" means the process described under node 23.

Sample (node 2)
  Network: www.testupdate.info; host-host-file8.com; 11 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 26 other signatures
  Started: file.exe (12), powershell.exe (16), svchost.exe (18), 2 other processes (21)

file.exe (12)
  Dropped: C:\Users\user\...\whateveraddition.exe (PE32+); C:\Users\user\AppData\Local\...\toolspub2.exe (PE32); C:\Users\user\AppData\Local\Temp\setup.exe (PE32); 3 other malicious files
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Started: setup.exe (23), toolspub2.exe (27), whateveraddition.exe (29), 3 other processes (37)

powershell.exe (16)
  Started: conhost.exe (31)

svchost.exe (18)
  Network: 127.0.0.1

2 other processes (21)
  Started: WerFault.exe (33), conhost.exe (35)

setup.exe (23)
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file
  Started: Install.exe (39)

toolspub2.exe (27)
  Signatures: Detected unpacking (changes PE section rights); Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
  Started: toolspub2.exe (43), Conhost.exe (45)

whateveraddition.exe (29)
  Dropped: C:\Users\user\AppData\...\whiterapidpro1.exe (PE32+)
  Signatures: Creates multiple autostart registry keys
  Started: whiterapidpro1.exe (47), cmd.exe (49)

3 other processes (37)
  Dropped: C:\Users\user\AppData\Local\Temp\set16.exe (PE32); C:\Users\user\AppData\Local\Temp\K.exe (PE32); C:\Program Files\Google\Chrome\updater.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
  Signatures: Detected unpacking (overwrites its own PE header); Found Tor onion address; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 2 other signatures
  Started: set16.exe (51), K.exe (53), powershell.exe (56)

Install.exe (39)
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file
  Started: Install.exe (58)

toolspub2.exe (43)
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 2 other signatures
  Injected: explorer.exe (62)

whiterapidpro1.exe (47)
  Dropped: C:\Users\user\AppData\...\whiterapidpro.exe (PE32+); C:\Users\user\AppData\...\2motherproject.exe (PE32)
  Signatures: Machine Learning detection for dropped file; Creates multiple autostart registry keys
  Started: whiterapidpro.exe (65)

cmd.exe (49)
  Started: chrome.exe (67), conhost.exe (69)

set16.exe (51)
  Dropped: C:\Users\user\AppData\Local\...\is-HGLEP.tmp (PE32)
  Started: is-HGLEP.tmp (71)

K.exe (53)
  Network: iplogger.com 148.251.234.93 (ports 443, 49712, 49717; HETZNER-ASDE, Germany)
  Started: WerFault.exe (73)

powershell.exe (56)
  Started: conhost.exe (75)

Install.exe (58)
  Dropped: C:\Users\user\AppData\Local\...\OYgkMkr.exe (PE32); C:\Windows\System32\GroupPolicy\gpt.ini (ASCII)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Modifies Windows Defender protection settings; 2 other signatures
  Started: forfiles.exe (77), forfiles.exe (80), 4 other processes (94)

explorer.exe (62, injected)
  Network: colisumy.com 175.120.254.9 (ports 49758, 49791, 80; SKB-ASSKBroadbandCoLtdKR, Korea Republic of); 100acresclub.com 103.53.42.238 (ports 443, 49792; PUBLIC-DOMAIN-REGISTRYUS, India); host-host-file8.com 95.214.26.34 (ports 49754, 49755, 49767; CMCSUS, Germany)
  Dropped: C:\Users\user\AppData\Roaming\vahrjhf (PE32); 2 other malicious files
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: rundll32.exe (82)

whiterapidpro.exe (65)
  Dropped: 2 other malicious files
  Signatures: Creates multiple autostart registry keys
  Started: whiterapid.exe (84)

chrome.exe (67)
  Network: 192.168.2.6 (ports 14433, 443, 45922); 239.255.255.250 (Reserved)
  Started: chrome.exe (87)

is-HGLEP.tmp (71)
  Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 5 other files (4 malicious)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
  Started: MyBurn.exe (89), net.exe (92), 2 other processes (96)

forfiles.exe (77)
  Signatures: Modifies Windows Defender protection settings; Adds extensions / path to Windows Defender exclusion list
  Started: cmd.exe (98), conhost.exe (101)

forfiles.exe (80)
  Started: cmd.exe (103), conhost.exe (105)

whiterapid.exe (84)
  Network: 45.61.160.199 (ports 49721, 80; ASN-QUADRANET-GLOBALUS, United States)
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Injects a PE file into a foreign processes

chrome.exe (87)
  Network: www.google.com 172.253.115.104 (ports 443, 49720, 49722; GOOGLEUS, United States); 172.253.62.106 (ports 443, 49748; GOOGLEUS, United States); 3 other IPs or domains

MyBurn.exe (89)
  Dropped: C:\ProgramData\...\ContentDVSvc.exe (PE32)

net.exe (92)
  Started: conhost.exe (107), net1.exe (109)

4 other processes (94)
  Started: conhost.exe (111), 2 other processes (115)

2 other processes (96)
  Network: 188.165.195.130 (OVHFR, France); euopfoe.ua 185.141.63.172 (ports 49815, 49821, 80; BELCLOUDBG, Bulgaria)
  Started: conhost.exe (113)

cmd.exe (98)
  Signatures: Uses cmd line tools excessively to alter registry or file data
  Started: reg.exe (117), reg.exe (119)

cmd.exe (103)
  Started: reg.exe (121), reg.exe (123)
Threat name: ByteCode-MSIL.Trojan.Privateloader
Status: Malicious
First seen: 2023-10-24 09:25:08 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 19 of 23 (82.61%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:dcrat family:glupteba family:smokeloader botnet:up3 backdoor discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver
Manipulates WinMonFS driver
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
DcRat
Glupteba
Glupteba payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a ransomware group
Rule name: crime_ZZ_botnet_aicm
Author: imp0rtp3
Description: DDoS Golang botnet sample for Linux called 'aicm'
Reference: https://twitter.com/IntezerLabs/status/1401869234511175683
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft SmartScreen
Rule name: dsc
Author: Aaron DeVera
Description: Discord domains
Rule name: Glupteba
Rule name: GoBinTest
Rule name: golang
Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang
Rule name: golang_binary_string
Description: Golang strings present
Rule name: HiveRansomware
Author: Dhanunjaya
Description: YARA rule to detect Hive v4 ransomware
Rule name: identity_golang
Author: Eric Yocam
Description: Find Golang malware
Rule name: INDICATOR_SUSPICIOUS_DisableWinDefender
Author: ditekSHen
Description: Detects executables containing artifacts associated with disabling Windows Defender
Rule name: INDICATOR_SUSPICIOUS_EXE_DiscordURL
Author: ditekSHen
Description: Detects executables referencing a Discord URL observed in first-stage droppers
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Author: ditekSHen
Description: Detects executables containing URLs to raw contents of a GitHub gist
Rule name: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Author: ditekSHen
Description: Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MALWARE_Win_DLInjector04
Author: ditekSHen
Description: Detects downloader / injector
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: msil_rc4
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: shortloader
Author: Nikos 'n0t' Totosis
Description: ShortLoader payload
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Surtr
Author: Katie Kleemola
Description: Rule for Surtr stage one
Rule name: SurtrStrings
Author: Katie Kleemola
Description: Strings for Surtr
Rule name: SUSP_Websites
Author: SECUINFRA Falcon Team
Description: Detects references to suspicious sites that might be used to download further malware
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: UroburosVirtualBoxDriver
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security
Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments