MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbb1db25b2b54928d97b0a0caf8726e5d62501ab6cdcf9b4aa2e192f59958aa6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TVRat


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbb1db25b2b54928d97b0a0caf8726e5d62501ab6cdcf9b4aa2e192f59958aa6
SHA3-384 hash: 54b37b58ec496010ee17436601329754447c038cd916a4cb5faa36e34f5bfc283f9dd5ec1987e61a9cdfad1c7c4da2f9
SHA1 hash: 3c4e97c8af29220028a2b7e8e33ab3b6a296681e
MD5 hash: 0ccbb13fd1e433e565c6090a0ae0ea54
humanhash: montana-freddie-one-gee
File name:0ccbb13fd1e433e565c6090a0ae0ea54.exe
Download: download sample
Signature TVRat
Create hunting rule
File size:672'736 bytes
First seen:2022-05-16 01:50:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9de116a58a6964e888a644a836e6e83f (15 x RedLineStealer, 1 x Formbook, 1 x TVRat)
ssdeep 12288:lfn6tCcf6do1vq+wFNVePQjYbijQ+b28e3YJcMfneaWsWcD62Xt9i:H+1INVHYbi0mCIJcMPNDNi
Threatray 101 similar samples on MalwareBazaar
TLSH T131E4E5A3D342A61FE2533475C19CAA72A40627712A0F48E7B7059EFDD32C2E14E79B47
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe TVRat


Avatar
abuse_ch
TVRat C2:
178.250.247.147:23307

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
178.250.247.147:23307 https://threatfox.abuse.ch/ioc/570759/

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
0ccbb13fd1e433e565c6090a0ae0ea54.exe
Verdict:
Malicious activity
Analysis date:
2022-05-17 01:40:34 UTC
Tags:
trojan rat redline loader backdoor dcrat evasion stealer
Link:
https://app.any.run/tasks/d6ce5b92-bfd2-4ae3-aead-b1580241d1ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/270864/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Query of malicious DNS domain
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Enabling autorun
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17891/overview
Behaviour
MalwareBazaar
CheckScreenResolution
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe greyware overlay packed
Link:
https://www.filescan.io/uploads/6281ae07fd71ca8b2ee27295/reports/5f5b43a8-87c1-4c53-993c-df9302387ef3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/08931881-d506-451e-9e0c-208a1266dae2
Result
Threat name:
TVrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994521
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect virtual machines (IN, VMware)
Drops PE files to the startup folder
Found API chain indicative of debugger detection
Found API chain with Download & Execute functionality
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected TVrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 627017 Sample: 5RtqJVIFa3.exe Startdate: 16/05/2022 Architecture: WINDOWS Score: 100 58 id.xn--80akicokc0aablc.xn--p1ai 2->58 78 Multi AV Scanner detection for domain / URL 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 84 5 other signatures 2->84 10 5RtqJVIFa3.exe 1 2->10         started        13 7OD4e9lb6wSdHZ.exe 2->13         started        signatures3 process4 signatures5 92 Writes to foreign memory regions 10->92 94 Allocates memory in foreign processes 10->94 96 Injects a PE file into a foreign processes 10->96 15 AppLaunch.exe 18 10->15         started        20 conhost.exe 10->20         started        process6 dnsIp7 60 bikzandy.com 46.8.153.210, 49772, 80 DATACHEAP-LLC-ASRU Russian Federation 15->60 62 192.168.2.1 unknown unknown 15->62 38 C:\Users\user\AppData\...\7OD4e9lb6wSdHZ.exe, PE32 15->38 dropped 40 C:\Users\user\AppData\Local\...\05MqJHu.exe, PE32 15->40 dropped 42 C:\Users\user\AppData\Local\...\clip[1].jpg, PE32 15->42 dropped 44 C:\Users\user\AppData\Local\...\asist[1].jpg, PE32 15->44 dropped 64 Found API chain indicative of debugger detection 15->64 66 Found API chain with Download & Execute functionality 15->66 68 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 15->68 22 05MqJHu.exe 49 15->22         started        26 7OD4e9lb6wSdHZ.exe 1 15->26         started        file8 signatures9 process10 file11 46 C:\Users\user\AppData\Local\...\quartz.dll, PE32 22->46 dropped 48 C:\Users\user\AppData\Local\Temp\...\opus.dll, PE32 22->48 dropped 50 C:\Users\user\AppData\Local\...\msvcr120.dll, PE32 22->50 dropped 54 14 other files (none is malicious) 22->54 dropped 86 Antivirus detection for dropped file 22->86 88 Multi AV Scanner detection for dropped file 22->88 28 cmd.exe 1 22->28         started        52 C:\Users\user\AppData\...\7OD4e9lb6wSdHZ.exe, PE32 26->52 dropped 90 Drops PE files to the startup folder 26->90 30 7OD4e9lb6wSdHZ.exe 26->30         started        signatures12 process13 process14 32 ast.exe 22 4 28->32         started        36 conhost.exe 28->36         started        dnsIp15 56 127.0.0.1 unknown unknown 32->56 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 32->70 72 Contains functionality to detect virtual machines (IN, VMware) 32->72 74 Contain functionality to detect virtual machines 32->74 76 2 other signatures 32->76 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bbb1db25b2b54928d97b0a0caf8726e5d62501ab6cdcf9b4aa2e192f59958aa6/
Threat name:
Win32.Trojan.SpyStealer
Create hunting rule
Status:
Malicious
First seen:
2022-05-13 03:45:00 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xoy5wjnswvesrwl3bigk7bzg4xlckanlntoptnfkfyms6wmvrkta._file
Verdict:
malicious
Similar samples:
36ed7e4e8dfce10773b1b1f1b7302e80d38bfd75d7c35bc5da2abf9a8a0b99e3
TVRat
398cb27e45b7edad5322cbf38a9c39510bb9d8b3267b6d88d9cb1c53c575a6bb
TVRat
41d9459adfc2174e254616e62e78811abee49d1114f044df8ef04eab28ed0514
TVRat
516b7bd1f6bf44033b1c80a7ca6044ad76ade2449d2c429940ff311fb661d5d4
TVRat
5b7b0c5236d7365c0c65ce32845469f0da901f775319b93a47df593925f54205
TVRat
bf31d8b83e50a7af3e2dc746c74b85d64ce28d7c33b95c09cd46b9caa4d53cad
TVRat
+ 91 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:dcrat family:redline botnet:pidronciki infostealer persistence rat spyware stealer suricata
Link:
https://tria.ge/reports/220516-b9tnmsbeeq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
DcRat
Modifies WinLogon for persistence
Process spawned unexpected child process
RedLine
suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE SpyAgent C&C Activity (Request)
suricata: ET MALWARE Win32.Spy/TVRat Checkin
Malware Config
C2 Extraction:
178.250.247.147:23307
Unpacked files
SH256 hash:
bf9c4930aa56984113443ea150ed106935394fa6e527c98ae92f06c8f71616e3
MD5 hash:
3d9779b3c288bb0ebbcd898d9edab559
SHA1 hash:
268472f5addd29fe3a7b4595ea72189c15bc90c5
Link:
https://www.unpac.me/results/921e6792-0a14-438b-88e5-cc97bcc68482/
SH256 hash:
bbb1db25b2b54928d97b0a0caf8726e5d62501ab6cdcf9b4aa2e192f59958aa6
MD5 hash:
0ccbb13fd1e433e565c6090a0ae0ea54
SHA1 hash:
3c4e97c8af29220028a2b7e8e33ab3b6a296681e
Link:
https://www.unpac.me/results/921e6792-0a14-438b-88e5-cc97bcc68482/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bbb1db25b2b54928d97b0a0caf8726e5d62501ab6cdcf9b4aa2e192f59958aa6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/270864/

Comments