MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97f59ea0be79455fe75aaf1d457b2bc1857f77e87cd4de32b99dba996e3d6ea8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeamBot


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97f59ea0be79455fe75aaf1d457b2bc1857f77e87cd4de32b99dba996e3d6ea8
SHA3-384 hash: 5a10b8f8b3c7aabf6b7b7098b3fe25d4b22751999c3e2a543b6fbd73cd0198c8168933d57b14242af876ed5209575d6a
SHA1 hash: 8b2c0af34e04019ef0a7f2ae22e7f47926514823
MD5 hash: 1b912539242fc9ce1eb94c368a426b1c
humanhash: maine-tennessee-carolina-montana
File name:1B912539242FC9CE1EB94C368A426B1C
Download: download sample
Signature TeamBot
Create hunting rule
File size:772'608 bytes
First seen:2022-11-30 15:19:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 69351a49496b84d5bbf84d071845ce10 (3 x RedLineStealer, 2 x RecordBreaker, 1 x TeamBot)
ssdeep 12288:5CqcqkJOsEyunohC5iyri5qAlv8XWsi3FnHpCINj7nLf0Dkhld:CqkJREyun4C5iYiPv1HJN/4D8d
Threatray 2'637 similar samples on MalwareBazaar
TLSH T183F4121136F0C961D0A65E31A4B4CBB5127BFD6167604AABFBA43B2E3DB33D041B531A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c01edecea6ac8ccc (78 x RedLineStealer, 43 x Smoke Loader, 13 x Stop)
Reporter VincentGribanov
Tags:exe TeamBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
HK HK
Vendor Threat Intelligence
Malware family:
stop
Create hunting rule
ID:
1
File name:
1B912539242FC9CE1EB94C368A426B1C
Verdict:
Malicious activity
Analysis date:
2022-11-30 23:35:00 UTC
Tags:
ransomware stop
Link:
https://app.any.run/tasks/8c9f2d57-7305-4be6-a781-ece588cb4542

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/340285/
Detection(s):
Win.Malware.Mikey-9957589-0
Create hunting rule

Win.Malware.Pwsx-9957709-0
Create hunting rule

Win.Malware.Generickdz-9957808-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/638774a669830678d7160c08/reports/f7a76527-a226-420a-be71-f997712cb4e4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe745ed0-9f80-4ad7-b488-36f497b85d1e
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1125179
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 757902 Sample: j3noDfuudS.exe Startdate: 01/12/2022 Architecture: WINDOWS Score: 100 30 Malicious sample detected (through community Yara rule) 2->30 32 Antivirus detection for URL or domain 2->32 34 Antivirus / Scanner detection for submitted sample 2->34 36 4 other signatures 2->36 7 j3noDfuudS.exe 2->7         started        10 j3noDfuudS.exe 2->10         started        12 j3noDfuudS.exe 2->12         started        14 j3noDfuudS.exe 2->14         started        process3 signatures4 38 Antivirus detection for dropped file 7->38 40 Multi AV Scanner detection for dropped file 7->40 42 Machine Learning detection for dropped file 7->42 44 Injects a PE file into a foreign processes 10->44 16 j3noDfuudS.exe 1 18 10->16         started        process5 dnsIp6 28 api.2ip.ua 162.0.217.254, 443, 49699 ACPCA Canada 16->28 24 C:\Users\user\AppData\...\j3noDfuudS.exe, PE32 16->24 dropped 26 C:\Users\...\j3noDfuudS.exe:Zone.Identifier, ASCII 16->26 dropped 20 icacls.exe 16->20         started        22 j3noDfuudS.exe 16->22         started        file7 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97f59ea0be79455fe75aaf1d457b2bc1857f77e87cd4de32b99dba996e3d6ea8/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-07-23 12:33:53 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s72z5if6pfcv7z22v4ouk6zlygcx657iptkn4mvztw5js3r5n2ua._file
Verdict:
malicious
Similar samples:
16caa6cee30e3a5de71eeadb718440145027eccddf1bc2dc053435d354d89ac4
TeamBot
1c7f81302bb3396810c11136b17a279d9e193da699d99be89bc98f367d4846b5
TeamBot
1cf923ca8729ef09965b1d808fa93cd9de374cde86c86830f31a05ab39284261
TeamBot
21e4f80b25a605ab9160cc30e4d6936a1b4731760603207097fa151ac7267c0e
TeamBot
547804cc69c7d2f281d1ef57f54319adc186d920ba6fa0fb75e82d76bc9493f2
TeamBot
baa36a93088b6dc0c08ff2c877f92ecd7a84314c5f9515b1108f13bc116ef1ab
TeamBot
ebe9d795ebe7b5b98a4d4eb27bcdfaee9d9567424a563cc74ffb4fd2fa712744
TeamBot
f225dfd553d16fe8a79192bab77ddda192572a0bca4a8d9c0e6144268c8f605c
TeamBot
f5568dbc0f8640a105c3a7c4243e627fbf8218df12c9f331a38cf11e93f58358
TeamBot
fae85f9f8092c35c0a2d2057f231f4e4886163679ecbf0fe43c2d232414efa82
TeamBot
+ 2'627 additional samples on MalwareBazaar
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu discovery persistence ransomware
Link:
https://tria.ge/reports/221130-sqaj4abf39/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Modifies file permissions
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://acacaca.org/test1/get.php
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/636deef5-2dc1-44e1-b306-bedb9daa4111
Unpacked files
SH256 hash:
6492127621fb07485f37d485568def68b68eb236fad5d9b6ff577cd285c87767
MD5 hash:
503d301712184de31fc04e24e27a8ea7
SHA1 hash:
42d3af77c538d243d620451c225791515447775d
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/1e144778-d6a9-4b88-bbbd-62f0ae78cfc7/
Parent samples :
7ccc05790e32f8acc50689d8630bfd6ff84a30671b6b41a5dfa3910926698bb8
cea10fefac43bd4b9f094c2391a130adc054aad664892177110e1bd21970c907
276152a3f5ed2564cdb4720fe8345f9b52e214c79fcfaea839b84d0951473bbc
aab01f53c4a158a64c78bccee7534970fc3d142726c0903993a092ca5eaab63a
97f59ea0be79455fe75aaf1d457b2bc1857f77e87cd4de32b99dba996e3d6ea8
5aad6ebccf994b06ae04f81acb19cbf976cea52e91671b5375c9c5d37dbb7098
a5c5875892fcf16b14b95f13bc01d686f6127877cc1562721a8182db00c92912
SH256 hash:
97f59ea0be79455fe75aaf1d457b2bc1857f77e87cd4de32b99dba996e3d6ea8
MD5 hash:
1b912539242fc9ce1eb94c368a426b1c
SHA1 hash:
8b2c0af34e04019ef0a7f2ae22e7f47926514823
Link:
https://www.unpac.me/results/1e144778-d6a9-4b88-bbbd-62f0ae78cfc7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97f59ea0be79455fe75aaf1d457b2bc1857f77e87cd4de32b99dba996e3d6ea8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/340285/

Comments