MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc6bf95599f494952d61b3731d900d222191aae6dcc17d1edd4135882ed87775. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeamBot


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc6bf95599f494952d61b3731d900d222191aae6dcc17d1edd4135882ed87775
SHA3-384 hash: faf07eac59019a87ddbccfd5e225374dac97568edeb5d3f70fe25a5553b51edeb24d483039f6e73f5eeba33b52606fb9
SHA1 hash: 60af96e15202f52a6b112fd6a174c5372da663f1
MD5 hash: fa7e882ac7b0b47c1a4a3b5aa735d214
humanhash: blossom-cup-mango-stream
File name:fa7e882ac7b0b47c1a4a3b5aa735d214.exe
Download: download sample
Signature TeamBot
Create hunting rule
File size:260'608 bytes
First seen:2021-11-19 08:37:02 UTC
Last seen:2021-11-19 10:35:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d70bc49b69ed161a14a94b46f9abf02 (1 x RedLineStealer, 1 x TeamBot, 1 x ArkeiStealer)
ssdeep 6144:HAfuQ9KCntx8fHbwnyFLTfO3n+lHbyCHpFCM:gfX9KuyFHfO3SyCHz
Threatray 5'476 similar samples on MalwareBazaar
TLSH T146448D14B7A0C035F5B706B849BA93B8B93FB9B1AB7590CF52C516EA46346E0EC30357
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter abuse_ch
Tags:exe TeamBot


Avatar
abuse_ch
TeamBot C2:
176.9.10.140:50422

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
176.9.10.140:50422 https://threatfox.abuse.ch/ioc/250976/

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fa7e882ac7b0b47c1a4a3b5aa735d214.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-19 08:42:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dfbb100a-d8a4-4c67-993a-6c43530829e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.45734.13996.2316.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending an HTTP GET request
Creating a file
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/619762352695a62af9f3adfa/reports/52d181fd-314d-46ac-a01c-d854b06a9108/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/30e90139-5ba7-41ca-973d-e937e5c09d3f
Result
Threat name:
RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/892549
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 525019 Sample: GALxGtqYjH.exe Startdate: 19/11/2021 Architecture: WINDOWS Score: 100 55 srtuiyhuali.at 2->55 57 cdn.discordapp.com 2->57 73 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->73 75 Multi AV Scanner detection for domain / URL 2->75 77 Antivirus detection for URL or domain 2->77 79 10 other signatures 2->79 10 GALxGtqYjH.exe 2->10         started        12 sshdeeu 2->12         started        signatures3 process4 signatures5 15 GALxGtqYjH.exe 10->15         started        123 Multi AV Scanner detection for dropped file 12->123 125 Machine Learning detection for dropped file 12->125 18 sshdeeu 12->18         started        process6 signatures7 127 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->127 129 Maps a DLL or memory area into another process 15->129 131 Checks if the current machine is a virtual machine (disk enumeration) 15->131 133 Creates a thread in another existing process (thread injection) 15->133 20 explorer.exe 10 15->20 injected process8 dnsIp9 59 216.128.137.31, 443, 49777, 49778 AS-CHOOPAUS United States 20->59 61 file-file-host4.com 47.254.33.79, 49770, 49771, 49774 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 20->61 63 7 other IPs or domains 20->63 47 C:\Users\user\AppData\Roaming\sshdeeu, PE32 20->47 dropped 49 C:\Users\user\AppData\Local\Temp9AA.exe, PE32 20->49 dropped 51 C:\Users\user\AppData\Local\Temp\DEF5.exe, PE32 20->51 dropped 53 6 other malicious files 20->53 dropped 89 System process connects to network (likely due to code injection or exploit) 20->89 91 Benign windows process drops PE files 20->91 93 Deletes itself after installation 20->93 95 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->95 25 A778.exe 2 20->25         started        29 D1EF.exe 20->29         started        31 125B.exe 20->31         started        33 4 other processes 20->33 file10 signatures11 process12 dnsIp13 65 45.9.20.149, 10844, 49877 DEDIPATH-LLCUS Russian Federation 25->65 97 Multi AV Scanner detection for dropped file 25->97 99 Detected unpacking (changes PE section rights) 25->99 101 Query firmware table information (likely to detect VMs) 25->101 121 3 other signatures 25->121 103 Machine Learning detection for dropped file 29->103 105 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 29->105 36 D1EF.exe 29->36         started        107 Maps a DLL or memory area into another process 31->107 109 Checks if the current machine is a virtual machine (disk enumeration) 31->109 111 Creates a thread in another existing process (thread injection) 31->111 67 93.115.20.139, 28978, 49869 MVPShttpswwwmvpsnetEU Romania 33->67 69 162.159.135.233, 443, 49850, 49889 CLOUDFLARENETUS United States 33->69 71 6 other IPs or domains 33->71 43 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 33->43 dropped 45 C:\ProgramData\sqlite3.dll, PE32 33->45 dropped 113 Antivirus detection for dropped file 33->113 115 Detected unpacking (overwrites its own PE header) 33->115 117 Tries to harvest and steal browser information (history, passwords, etc) 33->117 119 Injects a PE file into a foreign processes 33->119 39 C68A.exe 2 33->39         started        41 conhost.exe 33->41         started        file14 signatures15 process16 signatures17 81 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 36->81 83 Maps a DLL or memory area into another process 36->83 85 Checks if the current machine is a virtual machine (disk enumeration) 36->85 87 Creates a thread in another existing process (thread injection) 36->87
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc6bf95599f494952d61b3731d900d222191aae6dcc17d1edd4135882ed87775/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-19 05:33:00 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xrv7svmz6skjkllbwnzr3eaneiqzdkxg3tax2hw5ie2yqlwyo52q._file
Verdict:
malicious
Similar samples:
33e40835a9c6e471ece9819aa162eab8327e17967d5952468e33ecdebad7c3b0
TeamBot
364e6eb302ea9226c69d3efc8485f827e61bab6e2ea34fb85c8a87a604e3ed5c
TeamBot
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3
TeamBot
47ec411eab0aa15619f24caa6256ed4ca5cfc695a26f5b71830b53b07c22b05b
TeamBot
56b5c8eac3ee5f3d8da478b56ef2262f37f877d6a626596dbb6e1a9aec217cc5
TeamBot
c9f18cc71c7a1fa61d43a32dfb858f9aa247324a188f8182981b853266d3b1c7
TeamBot
d836a03e0b7eeabbc971de7d3e6fcc11bf06e13e633d11118c7429b3abb3c4ed
TeamBot
+ 5'466 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader botnet:ddf183af4241e3172885cf1b2c4c1fb4ee03d05a backdoor infostealer stealer suricata trojan
Link:
https://tria.ge/reports/211119-kh522ahgdk/
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Raccoon
RedLine
RedLine Payload
SmokeLoader
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
185.159.80.90:38637
Unpacked files
SH256 hash:
23554c8f1f1fd1e04a9c7053680f186fdbb61155942430095e76bb88552ad78b
MD5 hash:
5e2aad3c6e39abb50541d91e9591b22b
SHA1 hash:
97bb348f06b2ce6fdc5291420c537358e2259a9c
Link:
https://www.unpac.me/results/b6c3d85a-f41d-4253-a877-15a3c140ddda/
SH256 hash:
bc6bf95599f494952d61b3731d900d222191aae6dcc17d1edd4135882ed87775
MD5 hash:
fa7e882ac7b0b47c1a4a3b5aa735d214
SHA1 hash:
60af96e15202f52a6b112fd6a174c5372da663f1
Link:
https://www.unpac.me/results/b6c3d85a-f41d-4253-a877-15a3c140ddda/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bc6bf95599f4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc6bf95599f494952d61b3731d900d222191aae6dcc17d1edd4135882ed87775

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TeamBot

Executable exe bc6bf95599f494952d61b3731d900d222191aae6dcc17d1edd4135882ed87775

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1781418/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/207548/

Comments