MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a78b39de8c05456e93a88136f9caaee35e9b5149acf072acd3214b28293c7910. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TeamBot


Vendor detections: 15



SHA256 hash: a78b39de8c05456e93a88136f9caaee35e9b5149acf072acd3214b28293c7910
SHA3-384 hash: c1becd9ad2940f4d28656fbf6c439c5ea8d90fa60fe4ee314f59b3fa94c11fdcf2c06544cea01c2a6e21552278879a3b
SHA1 hash: 6c49c874ba692a84f8ebd46c2cdab07aca026ce4
MD5 hash: e478a6638150036e4009beb1530187bb
humanhash: jersey-west-hotel-victor
File name: SecuriteInfo.com.W32.Kryptik.GYGF.tr.29287.4482
Download: download sample
Signature: TeamBot
File size: 296'960 bytes
First seen: 2024-04-04 15:46:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ec3abec3d94db3f742ac97930ba3d6d5 (4 x Stealc, 1 x TeamBot)
ssdeep: 3072:UftVMmPJYH+9YwY3ltaFyz3fsA23+tqB+tad0xEVKZ6OKKs6vg33qN:U3dRYH+9YqFc3kA23+QwtwyEcNPg33q
Threatray: 22 similar samples on MalwareBazaar
TLSH: T1B5549E1132A0FA71D47309F079A9C6E119FAB8B15F64879B735A3A5F3A71BC08D35322
TrID:
  37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
  7.3% (.ICL) Windows Icons Library (generic) (2059/9)
  7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: 3370ecd2c4f0335a (10 x Stealc, 1 x Stop, 1 x GCleaner)
Reporter: SecuriteInfoCom
Tags: exe TeamBot

Intelligence


File Origin
# of uploads: 1
# of downloads: 266
Origin country: FR
Vendor Threat Intelligence
Malware family:
ID: 1
File name: a78b39de8c05456e93a88136f9caaee35e9b5149acf072acd3214b28293c7910.exe
Verdict: Malicious activity
Analysis date: 2024-04-04 15:54:05 UTC
Tags: loader smoke smokeloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
DNS request
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Modifying a system executable file
Searching for the window
Creating a window
Changing a file
Launching a service
Changing an executable file
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Infecting executable files
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: fingerprint masquerade
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC, Babuk, Clipboard Hijacker, Djvu,
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Yara detected AntiVM3
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected LummaC Stealer
Yara detected SmokeLoader
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID: 1420308; Sample: SecuriteInfo.com.W32.Krypti...; Startdate: 04/04/2024; Architecture: WINDOWS; Score: 100)

Root node
  Network: trad-einmyus.com; sdfjhuz.com; 9 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures
  Started: SecuriteInfo.com.W32.Kryptik.GYGF.tr.29287.4482.exe; 1601.exe; fcbhtea; 2 other processes

SecuriteInfo.com.W32.Kryptik.GYGF.tr.29287.4482.exe
  Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Creates a thread in another existing process (thread injection)
  Injected: explorer.exe

1601.exe (started from root)
  Signatures: Antivirus detection for dropped file; Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file; Writes a notice file (html or txt) to demand a ransom
  Started: 1601.exe
    Dropped: C:\Users\user\_README.txt, ASCII

fcbhtea
  Signatures: Multi AV Scanner detection for dropped file; Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)

2 other processes (started from root)
  Signatures: Query firmware table information (likely to detect VMs); 2 other signatures

explorer.exe (injected)
  Network: m2reg.ulm.ac.id 103.23.232.80, 49730, 80 UNLAM-AS-IDUniversitasLambungMangkuratID Indonesia; nessotechbd.com 192.185.16.114, 443, 49751 UNIFIEDLAYER-AS-1US United States; 4 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\fcbhtea, PE32; C:\Users\user\AppData\Local\Temp\455F.exe, PE32; C:\Users\user\AppData\Local\Temp\1601.exe, PE32; C:\Users\user\...\fcbhtea:Zone.Identifier, ASCII
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: 1601.exe; 455F.exe; cmd.exe; 4 other processes

  1601.exe (from explorer.exe)
    Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 3 other signatures
    Started: 1601.exe
      Network: api.2ip.ua 104.21.65.24, 443, 49722, 49728 CLOUDFLARENETUS United States
      Dropped: C:\Users\user\AppData\Local\...\1601.exe, PE32
      Started: 1601.exe; icacls.exe
        1601.exe
          Signatures: Injects a PE file into a foreign processes
          Started: 1601.exe
            Network: sajdfue.com 189.195.132.134, 49732, 49733, 49734 MegaCableSAdeCVMX Mexico
            Dropped: C:\Users\user\AppData\Local\...\build3[1].exe, PE32; C:\Users\user\AppData\Local\...\build2[1].exe, PE32; C:\Users\user\AppData\Local\...\build3.exe, PE32; 7 other malicious files
            Signatures: Modifies existing user documents (likely ransomware behavior)
            Started: build2.exe; build3.exe
              build2.exe
                Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Injects a PE file into a foreign processes
                Started: build2.exe
                  Network: 95.216.179.73, 443, 49736, 49740 HETZNER-ASDE Germany; steamcommunity.com 23.47.27.74, 443, 49735 AKAMAI-ASUS United States
                  Dropped: C:\Users\user\AppData\Local\...\sqln[1].dll, PE32; C:\Users\user\AppData\...\softokn3[1].dll, PE32; C:\Users\user\AppData\Local\...\nss3[1].dll, PE32; 10 other files (6 malicious)
                  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 3 other signatures
              build3.exe
                Signatures: Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules
                Started: build3.exe
                  Dropped: C:\Users\user\AppData\Roaming\...\mstsca.exe, PE32
                  Started: schtasks.exe
                    Started: conhost.exe

  455F.exe (from explorer.exe)
    Network: resergvearyinitiani.shop 172.67.217.100, 443, 49741, 49744 CLOUDFLARENETUS United States
    Signatures: Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); 6 other signatures

  cmd.exe (from explorer.exe)
    Signatures: Uses cmd line tools excessively to alter registry or file data
    Started: conhost.exe; reg.exe

  4 other processes (from explorer.exe)
    Signatures: Injects a PE file into a foreign processes
    Started: conhost.exe; reg.exe; 1601.exe; 1601.exe
Threat name: Win32.Trojan.Smokeloader
Status: Malicious
First seen: 2024-04-04 15:29:50 UTC
File Type: PE (Exe)
Extracted files: 48
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:dcrat family:djvu family:lumma family:smokeloader family:vidar botnet:pub1 backdoor discovery infostealer persistence ransomware rat spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Modifies Installed Components in the registry
DcRat
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Lumma Stealer
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
http://sajdfue.com/test1/get.php
https://steamcommunity.com/profiles/76561199662282318
https://t.me/t8jmhl
https://resergvearyinitiani.shop/api
Unpacked files
SHA256 hash: 5dff847558ac96a1d2f6394aa2efe65440a8b945335b20ccddaeea0a5b1792ba
MD5 hash: 40ea2c256d9186368a97931a1bd13ad9
SHA1 hash: 662fec4182fbc8b871ccb135c00dd2f8b6e8457b
Detections: SmokeLoaderStage2 win_smokeloader_a2
Parent samples:
SHA256 hash: a78b39de8c05456e93a88136f9caaee35e9b5149acf072acd3214b28293c7910
MD5 hash: e478a6638150036e4009beb1530187bb
SHA1 hash: 6c49c874ba692a84f8ebd46c2cdab07aca026ce4
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_Dlls
Rule name: Check_OutputDebugStringA_iat
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: has_telegram_urls
Author: Aaron DeVera <aaron@backchannel.re>
Description: Detects Telegram URLs
Rule name: INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author: ditekSHen
Description: Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name: INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Author: ditekSHen
Description: Detect binaries embedding considerable number of MFA browser extension IDs.
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MALWARE_Win_STOP
Author: ditekSHen
Description: Detects STOP ransomware
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: pe_no_import_table
Description: Detect pe file that no import table
Rule name: QbotStuff
Author: anonymous
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: SUSP_XORed_URL_In_EXE
Author: Florian Roth (Nextron Systems)
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: Windows_Ransomware_Stop_1e8d48ff
Author: Elastic Security
Rule name: Windows_Trojan_Generic_2993e5a5
Author: Elastic Security
Rule name: win_stop_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.stop.
Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
TeamBot
Executable exe a78b39de8c05456e93a88136f9caaee35e9b5149acf072acd3214b28293c7910 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                        | Title                                                          | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                           | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA)         | high
CHECK_PIE                 | Missing Position-Independent Executable (PIE) Protection       | high

Reviews

ID                 | Capabilities                   | Evidence
WIN32_PROCESS_API  | Can Create Process and Threads | KERNEL32.dll::CloseHandle
WIN_BASE_API       | Uses Win Base API              | KERNEL32.dll::TerminateProcess, KERNEL32.dll::FindFirstVolumeMountPointW, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API  | Can Execute other programs     | KERNEL32.dll::WriteConsoleOutputA, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::SetConsoleOutputCP, KERNEL32.dll::SetConsoleTitleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleAliasesLengthW, KERNEL32.dll::GetConsoleAliasExesLengthW, KERNEL32.dll::GetConsoleCP, KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API    | Can Create Files               | KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW

Comments