MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af7e8bfb4652f62934fa5f2de47582b39d26c2bed1180e0fbb6f8fef3eb7b97e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeamBot


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af7e8bfb4652f62934fa5f2de47582b39d26c2bed1180e0fbb6f8fef3eb7b97e
SHA3-384 hash: f77791203c72a9185cc71c738fafcd6ba3a5d5267b173123ac8be1105e6b39c134758e1d63bc82ebc1c8e9c6959c4a56
SHA1 hash: 717d6d22dd2ed0b1330a0d48befefad46146515b
MD5 hash: 99f1b11492f7f5b7ed21660f692fb59e
humanhash: jig-burger-avocado-wyoming
File name:99f1b11492f7f5b7ed21660f692fb59e.exe
Download: download sample
Signature TeamBot
Create hunting rule
File size:774'656 bytes
First seen:2021-08-30 13:14:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2fb51ab3c5f5a75e2a51c3be9bfc585e (6 x RaccoonStealer, 1 x ArkeiStealer, 1 x TeamBot)
ssdeep 12288:ysMtjnVR/NtlDyzVV9co/UzICwXzucjRCHxGBDOWUqvRYNX9bv1Hc9c:yxLUXczICARCHEkWJZY3bvZ
Threatray 454 similar samples on MalwareBazaar
TLSH T1BDF412E97630C477F4C31670888AD6B21623BD37BEA4416F6A47165EFC21E90922E733
dhash icon fcfcf4d4d4dcd8c8 (6 x RaccoonStealer, 6 x RedLineStealer, 5 x Glupteba)
Reporter abuse_ch
Tags:exe TeamBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
99f1b11492f7f5b7ed21660f692fb59e.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-30 13:42:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0547cdb2-9004-4780-b924-e4c2e9bc98a4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183768/
Detection(s):
Win.Dropper.Fragtor-9889202-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5c9a7d80-3848-401f-93a5-3a53bbd3295a
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841579
Signature
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 474012 Sample: D71ctxR1YN.exe Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 56 Multi AV Scanner detection for submitted file 2->56 58 Found ransom note / readme 2->58 60 Yara detected Djvu Ransomware 2->60 62 2 other signatures 2->62 8 D71ctxR1YN.exe 2->8         started        11 D71ctxR1YN.exe 2->11         started        13 D71ctxR1YN.exe 2->13         started        15 D71ctxR1YN.exe 2->15         started        process3 signatures4 66 Multi AV Scanner detection for dropped file 8->66 68 Detected unpacking (changes PE section rights) 8->68 70 Machine Learning detection for dropped file 8->70 17 D71ctxR1YN.exe 1 18 8->17         started        72 Contains functionality to inject code into remote processes 11->72 74 Injects a PE file into a foreign processes 11->74 22 D71ctxR1YN.exe 1 16 11->22         started        24 D71ctxR1YN.exe 12 13->24         started        26 D71ctxR1YN.exe 12 15->26         started        process5 dnsIp6 50 astdg.top 187.190.48.60, 49705, 80 TOTALPLAYTELECOMUNICACIONESSADECVMX Mexico 17->50 38 C:\_readme.txt, ASCII 17->38 dropped 40 C:\Users\user\Desktop\TQDFJHPUIU.png, data 17->40 dropped 42 C:\Users\user\Desktop\SQSJKEBWDT.docx, data 17->42 dropped 48 7 other files (3 malicious) 17->48 dropped 64 Modifies existing user documents (likely ransomware behavior) 17->64 52 api.2ip.ua 77.123.139.190, 443, 49702, 49703 VOLIA-ASUA Ukraine 22->52 44 C:\Users\user\AppData\...\D71ctxR1YN.exe, PE32 22->44 dropped 46 C:\Users\...\D71ctxR1YN.exe:Zone.Identifier, ASCII 22->46 dropped 28 D71ctxR1YN.exe 22->28         started        31 icacls.exe 22->31         started        file7 signatures8 process9 signatures10 76 Sample uses process hollowing technique 28->76 78 Injects a PE file into a foreign processes 28->78 33 D71ctxR1YN.exe 12 28->33         started        36 svchost.exe 28->36         started        process11 dnsIp12 54 api.2ip.ua 33->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af7e8bfb4652f62934fa5f2de47582b39d26c2bed1180e0fbb6f8fef3eb7b97e/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 11:34:34 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v57ix62gkl3csnh2l4w6i5mcwoosnqv62ema4d53n6h66pvxxf7a._file
Verdict:
malicious
Similar samples:
0c1571e0f22ecc1c3ed2b80ee90df329d820e287ac0be834aa905726ea96887e
TeamBot
5651c726a433d942eb9cdbe74c6631178fa3e243e0953e0a55f54f1752e05682
TeamBot
5d232ce70bfdc3344ad9c117da898e5d72ea5a5ff0704933735abb186714c9f4
TeamBot
9b87dcaaf50d205d4eb5217c857e52d0afa4790716a793f5f6e563a955f632b1
TeamBot
adc2c80f4a9f969a641f2674c94bd576420b34d338b12ba5b4cab09e6c51a466
TeamBot
dc6f024b81983ce22d883ccc346b3888d984e360196b3e472c1cce3f79b70fa0
TeamBot
+ 444 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery persistence spyware stealer suricata
Link:
https://tria.ge/reports/210830-3x6d89jevn/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Unpacked files
SH256 hash:
f5e421cdc3a15f524eab328a6dd4c4d92b7f404e1d6f2dc2c4fd53b0be3b6802
MD5 hash:
7374438017992073f1e1b1814383d828
SHA1 hash:
8d44c46208e04d3d46caaad2dac4279cdf0c414b
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/c3580195-6aec-4414-981d-3605e542d89a/
Parent samples :
302c818ff4e207e4ecd8e66ae38fb7368c39b99a883f61dca027dff6d2b996da
0d5034e4f4a4c3a189b3f916c98dbfdc69b1318262fde1878042a5cc9e8f7366
051a2902c6a41210cbf84e97a4d24b7f4538414c25433e2e75ad0b6c9f7bf481
af7e8bfb4652f62934fa5f2de47582b39d26c2bed1180e0fbb6f8fef3eb7b97e
b65532de52ea9fdda67e26aa6514e0b819fc7821d2c18c6fbc45cf016baee2ee
23dc60233f270ba130c16c2a9918166205735e6b5408750523e9542b9e0ea70a
d0c4d2a2e6de48c794cb11638fb267a80371833bdb009d31f80440382a2167b7
62e0844c934cb1c112dfd4fb81a2c74831149b1a3c97c289994e7c224afdf88c
f5a2d62a1d09f34f73adc253887b665c96a2fbf7cadc6084569675da186357e1
384ae82c526406e4becbc020c78a494a0dec9c94183aa3509e29cfff9d838a3a
1a63e24da9d07a7049bd05ca2188df900a37d14bdae836aa0b3d288f81e3371d
SH256 hash:
af7e8bfb4652f62934fa5f2de47582b39d26c2bed1180e0fbb6f8fef3eb7b97e
MD5 hash:
99f1b11492f7f5b7ed21660f692fb59e
SHA1 hash:
717d6d22dd2ed0b1330a0d48befefad46146515b
Link:
https://www.unpac.me/results/c3580195-6aec-4414-981d-3605e542d89a/
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/af7e8bfb4652/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af7e8bfb4652f62934fa5f2de47582b39d26c2bed1180e0fbb6f8fef3eb7b97e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TeamBot

Executable exe af7e8bfb4652f62934fa5f2de47582b39d26c2bed1180e0fbb6f8fef3eb7b97e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1463721/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/183768/

Comments