MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c14987c4c6fc2de2cac43355964465d7611652e29f699d64fa292399f526c103. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeamBot


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c14987c4c6fc2de2cac43355964465d7611652e29f699d64fa292399f526c103
SHA3-384 hash: 0f2c60ee9ea9cb981b47a8beffc107a01b84763d1a924591bcef75c40751e59c2340d5f3d037a28e4c4404b1165b2b32
SHA1 hash: 370d203085ef0465a81bfb4c82d4019beecefb13
MD5 hash: ae9a4663030ecd41b764cc839cb1e67f
humanhash: emma-arizona-six-leopard
File name:c14987c4c6fc2de2cac43355964465d7611652e29f699d64fa292399f526c103
Download: download sample
Signature TeamBot
Create hunting rule
File size:838'144 bytes
First seen:2021-05-03 01:15:31 UTC
Last seen:2021-05-03 02:01:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a449bb254a5a3d7e78e29b69597a0167 (1 x TeamBot)
ssdeep 12288:fl2fjVNefHfMxT3J6uUA0HdQrXZo3zJA0adehtX24kJwdoXhHNswzAHnFw7w/QnO:Yb8/fJAKkX6jJFa8tXTkJbSrFbEiR
Threatray 49 similar samples on MalwareBazaar
TLSH 1605F130A790C034E9B715F84AA9F37C652DFE711B27D0CF52E526EA16246F9AC30257
Reporter fbgwls245
Tags:.wrui djvu Ransomware Stop TeamBot

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://188.34.193.205/ https://threatfox.abuse.ch/ioc/28011/

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'233
Origin country :
n/a
Vendor Threat Intelligence
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/148052/
Detection(s):
Win.Malware.Generic-9857167-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Sending an HTTP GET request
Creating a window
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Djvu Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/706809
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Mutes Antivirus updates and installments via hosts file black listing
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402325 Sample: jX16Cu330u Startdate: 03/05/2021 Architecture: WINDOWS Score: 100 97 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->97 99 Antivirus detection for URL or domain 2->99 101 Multi AV Scanner detection for submitted file 2->101 103 5 other signatures 2->103 10 jX16Cu330u.exe 1 18 2->10         started        15 jX16Cu330u.exe 14 2->15         started        17 jX16Cu330u.exe 12 2->17         started        19 jX16Cu330u.exe 2->19         started        process3 dnsIp4 87 api.2ip.ua 77.123.139.190, 443, 49734, 49741 VOLIA-ASUA Ukraine 10->87 67 C:\Users\user\AppData\...\jX16Cu330u.exe, PE32 10->67 dropped 69 C:\Users\...\jX16Cu330u.exe:Zone.Identifier, ASCII 10->69 dropped 109 Detected unpacking (changes PE section rights) 10->109 111 Detected unpacking (overwrites its own PE header) 10->111 113 Writes many files with high entropy 10->113 21 jX16Cu330u.exe 1 27 10->21         started        26 icacls.exe 10->26         started        89 jfes.top 15->89 91 192.168.2.1 unknown unknown 15->91 71 C:\Users\user\Desktop\jX16Cu330u.exe, data 15->71 dropped file5 signatures6 process7 dnsIp8 83 jfes.top 31.40.251.99, 49742, 49743, 49745 ITLDC-NLUA Russian Federation 21->83 85 api.2ip.ua 21->85 57 {18B821CD-B905-4D3...0000000000000001.db, PDP-11 21->57 dropped 59 Uninstall_2020-07-...32433_1a6c-1898.log, COM 21->59 dropped 61 Uninstall-PerUser_..._093049_a50-c28.log, DOS 21->61 dropped 63 199 other files (185 malicious) 21->63 dropped 105 Modifies existing user documents (likely ransomware behavior) 21->105 28 5.exe 21->28         started        33 updatewin1.exe 21->33         started        35 updatewin2.exe 21->35         started        file9 signatures10 process11 dnsIp12 93 188.34.193.205, 49752, 80 HETZNER-ASDE Germany 28->93 95 api.faceit.com 104.17.63.50, 443, 49751 CLOUDFLARENETUS United States 28->95 73 C:\Users\user\AppData\...\softokn3[1].dll, PE32 28->73 dropped 75 C:\Users\user\AppData\...\freebl3[1].dll, PE32 28->75 dropped 77 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 28->77 dropped 81 9 other files (none is malicious) 28->81 dropped 115 Detected unpacking (changes PE section rights) 28->115 117 Detected unpacking (overwrites its own PE header) 28->117 119 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->119 133 5 other signatures 28->133 37 cmd.exe 28->37         started        121 Antivirus detection for dropped file 33->121 123 Multi AV Scanner detection for dropped file 33->123 125 Suspicious powershell command line found 33->125 127 Bypasses PowerShell execution policy 33->127 39 updatewin1.exe 33->39         started        79 C:\Windows\System32\drivers\etc\hosts, ASCII 35->79 dropped 129 Mutes Antivirus updates and installments via hosts file black listing 35->129 131 Modifies the hosts file 35->131 file13 signatures14 process15 file16 43 conhost.exe 37->43         started        45 taskkill.exe 37->45         started        47 timeout.exe 37->47         started        65 C:\Users\user\AppData\Local\script.ps1, ASCII 39->65 dropped 107 Suspicious powershell command line found 39->107 49 powershell.exe 39->49         started        51 powershell.exe 39->51         started        signatures17 process18 process19 53 conhost.exe 49->53         started        55 conhost.exe 51->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c14987c4c6fc2de2cac43355964465d7611652e29f699d64fa292399f526c103/
Threat name:
Win32.Trojan.Caynamer
Create hunting rule
Status:
Malicious
First seen:
2021-05-02 18:57:32 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yfeyprgg7qw6fswegnkzmrdf25qrmuxct5uz2zh2ferzt5jgyebq._file
Verdict:
malicious
Similar samples:
02d61f5f80a30ae80912d6ffcaf78e85fe6871b1bba5633a78a41c9f1ad13d1a
TeamBot
0552149181395fb0685b2dfa9b123334cb598173a13fbedf458f8c3613f8ff81
TeamBot
12750a545215e41d452a16e1c451f0e0682a5330078813313b67cd09499ac674
TeamBot
6ed8e078433a7e7938f2084f83a640d707708ac99a246b31736bd22327664668
TeamBot
a3d26db7812778043abdf20ad3ff5caf68be3752fcd33de75d1bea8f515ed3d2
TeamBot
b526a2e743700e05396f10f6b2e9f1b1a8a74670a7b6969cf4471bdb25a77802
TeamBot
b6b15523787e5db710afc32c541a3844e476192150899926bc15aba8dfd16ff0
TeamBot
e833b7fc4bf14527edb120ee4e691a660b21f93b1ec22bf15881bdcee4c5bb8d
TeamBot
ed8a7ffec56f450a365e758012db092883bbd23565f3f9fbb004c189fb703de3
TeamBot
fdf29de5bc715feaa80709bdddd59b8293aa538d257ba9dd6a287d065ecb68a8
TeamBot
+ 39 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar discovery evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210503-lsx7j1s3sx/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads local data of messenger clients
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Deletes Windows Defender Definitions
Djvu Ransomware
Vidar
Unpacked files
SH256 hash:
b58165bb5a4f9040d187791e870f691c449e59d3f5fa8312ba7655864236328f
MD5 hash:
5fe929b15555feeb7e4ef768211d8caa
SHA1 hash:
49f52ac9a44d3259167dbf20e7328fdaf287ac7f
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/38db850e-7ad0-42e1-abb3-0333116bc6d5/
Parent samples :
7c75df63bc40beca5ccf65db76c33539ee9f3468a4149e1a0c0bfd30949f4b4d
1da3193c52b5ec3a14b36acbc9c92266a2a531399e33c1e3a209e828eda7a0a5
7c9bc6a878b6cb355bb2a5c70170aa48b1e8f369dd64ee47df3ac9ea9e213b02
9ded335a6f346de4aafbc4f8c08e90dce1f064820b13d6580f01731c9837d7a8
a0e32603876c3035d76a78e35d5f89576ded2475451b4d27e19331bf9e6abfc3
c14987c4c6fc2de2cac43355964465d7611652e29f699d64fa292399f526c103
e833b7fc4bf14527edb120ee4e691a660b21f93b1ec22bf15881bdcee4c5bb8d
712e9e9e2976782e38288d45a2d177f1dc3757c7610b4b9bae9e35be9f20b913
SH256 hash:
c14987c4c6fc2de2cac43355964465d7611652e29f699d64fa292399f526c103
MD5 hash:
ae9a4663030ecd41b764cc839cb1e67f
SHA1 hash:
370d203085ef0465a81bfb4c82d4019beecefb13
Link:
https://www.unpac.me/results/38db850e-7ad0-42e1-abb3-0333116bc6d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c14987c4c6fc2de2cac43355964465d7611652e29f699d64fa292399f526c103

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148052/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-03 02:05:56 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
1) [C0003.001] Communication Micro-objective::Create Pipe::Interprocess Communication
2) [C0003.003] Communication Micro-objective::Read Pipe::Interprocess Communication
3) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0047] File System Micro-objective::Delete File
7) [C0049] File System Micro-objective::Get File Attributes
8) [C0051] File System Micro-objective::Read File
9) [C0052] File System Micro-objective::Writes File
10) [C0007] Memory Micro-objective::Allocate Memory
11) [C0033] Operating System Micro-objective::Console
12) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
13) [C0040] Process Micro-objective::Allocate Thread Local Storage
14) [C0043] Process Micro-objective::Check Mutex
15) [C0042] Process Micro-objective::Create Mutex
16) [C0041] Process Micro-objective::Set Thread Local Storage Value
17) [C0018] Process Micro-objective::Terminate Process