MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca81501a843554d574be590be9f5ec0c6560679c5b1e5b4e44a879f1c9be7351. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeamBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca81501a843554d574be590be9f5ec0c6560679c5b1e5b4e44a879f1c9be7351
SHA3-384 hash: 442008607e46cff460611397396096c89ac40f939e8fee04fa30894551ed28d51cedf9bee75ab342f9e02e90f120dd67
SHA1 hash: 46ef7f2b73c60513a93d237813deb0f210f91377
MD5 hash: 67dbd9b7f0bcd704017f3931fa51c715
humanhash: delaware-indigo-pennsylvania-delaware
File name:67dbd9b7f0bcd704017f3931fa51c715.exe
Download: download sample
Signature TeamBot
Create hunting rule
File size:859'136 bytes
First seen:2021-05-24 06:30:02 UTC
Last seen:2021-05-24 07:03:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 40bba328aeeb86af0602a23d2610bb0c (3 x RaccoonStealer, 2 x TeamBot, 1 x ArkeiStealer)
ssdeep 12288:8WF+e+BCphvKlObytvmh84JplXTgHod/NITs5fvwMoXxrUa93tF8xIO1gRdYpnzb:2eRvrb6y8KDsgKBrdtCxr1gRdYYXsL
Threatray 117 similar samples on MalwareBazaar
TLSH 9E0501B166B0C03DF4BF16F449B482B865297DA1A72080FF62C53ADA56305E59CF878F
Reporter abuse_ch
Tags:exe TeamBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
67dbd9b7f0bcd704017f3931fa51c715.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-24 06:37:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cc0d4583-f847-43f7-9892-e06a53b22838

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/161248/
Detection(s):
SecuriteInfo.com.Mal.GandCrypt-B.22430.107.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/790114
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Mutes Antivirus updates and installments via hosts file black listing
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Writes many files with high entropy
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 422511 Sample: Ls8ucltMrc.exe Startdate: 24/05/2021 Architecture: WINDOWS Score: 100 96 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->96 98 Multi AV Scanner detection for domain / URL 2->98 100 Antivirus detection for URL or domain 2->100 102 5 other signatures 2->102 12 Ls8ucltMrc.exe 2->12         started        15 Ls8ucltMrc.exe 2->15         started        17 Ls8ucltMrc.exe 2->17         started        19 Ls8ucltMrc.exe 2->19         started        process3 signatures4 116 Detected unpacking (changes PE section rights) 12->116 118 Detected unpacking (overwrites its own PE header) 12->118 120 Contains functionality to inject code into remote processes 12->120 122 Writes many files with high entropy 12->122 21 Ls8ucltMrc.exe 1 16 12->21         started        124 Injects a PE file into a foreign processes 15->124 25 Ls8ucltMrc.exe 15->25         started        27 Ls8ucltMrc.exe 12 17->27         started        29 Ls8ucltMrc.exe 19->29         started        process5 dnsIp6 88 api.2ip.ua 77.123.139.190, 443, 49712, 49716 VOLIA-ASUA Ukraine 21->88 70 C:\Users\user\AppData\...\Ls8ucltMrc.exe, PE32 21->70 dropped 72 C:\Users\...\Ls8ucltMrc.exe:Zone.Identifier, ASCII 21->72 dropped 31 Ls8ucltMrc.exe 21->31         started        34 icacls.exe 21->34         started        90 192.168.2.1 unknown unknown 29->90 file7 process8 signatures9 126 Injects a PE file into a foreign processes 31->126 36 Ls8ucltMrc.exe 1 27 31->36         started        process10 dnsIp11 84 asvb.top 35.235.74.220, 49717, 49718, 49719 GOOGLEUS United States 36->84 86 api.2ip.ua 36->86 62 C:\Users\...\Built-In Building Blocks.dotx, DOS 36->62 dropped 64 C:\Users\user\AppData\...\updatewin2.exe, PE32 36->64 dropped 66 C:\Users\user\AppData\...\updatewin1.exe, PE32 36->66 dropped 68 316 other files (308 malicious) 36->68 dropped 104 Modifies existing user documents (likely ransomware behavior) 36->104 41 5.exe 36->41         started        46 updatewin2.exe 36->46         started        48 updatewin1.exe 2 36->48         started        file12 signatures13 process14 dnsIp15 92 tttttt.me 95.216.186.40, 443, 49725 HETZNER-ASDE Germany 41->92 94 genericalphabet.top 35.197.240.92, 443, 49728, 49729 GOOGLEUS United States 41->94 74 C:\Users\user\AppData\...\pY4zE3fX7h.zip, Zip 41->74 dropped 76 C:\Users\user\AppData\...\JIhypgMknwb.zip, Zip 41->76 dropped 78 C:\Users\user\AppData\...\vcruntime140.dll, PE32 41->78 dropped 82 57 other files (none is malicious) 41->82 dropped 106 Tries to steal Mail credentials (via file access) 41->106 108 Writes many files with high entropy 41->108 50 cmd.exe 41->50         started        80 C:\Windows\System32\drivers\etc\hosts, ASCII 46->80 dropped 110 Detected unpacking (overwrites its own PE header) 46->110 112 Mutes Antivirus updates and installments via hosts file black listing 46->112 114 Modifies the hosts file 46->114 52 updatewin1.exe 48->52         started        file16 signatures17 process18 process19 54 conhost.exe 50->54         started        56 timeout.exe 50->56         started        58 powershell.exe 52->58         started        process20 60 conhost.exe 58->60         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca81501a843554d574be590be9f5ec0c6560679c5b1e5b4e44a879f1c9be7351/
Threat name:
Win32.Trojan.Hynamer
Create hunting rule
Status:
Malicious
First seen:
2021-05-24 06:30:12 UTC
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zkavaguegvknk5f6lef6t5pmbrswaz44lmpfwtsevb47dsn6oniq._file
Verdict:
malicious
Similar samples:
0e55e17532909ad5ad34eb4e35d791b27c6951dd15a8baba34c29ae572c884d0
TeamBot
20ebe8ff1da6f2023a43b3e3cbe14479961699f9dec0324f72070fa2b275eaae
TeamBot
496b5885ff8f521c91ca037338e188ea0374bf86816d0c804d3010fd2f5fec38
TeamBot
6cc9956ed6e36fa513a5fb0a2826196a65fb9ca4d9fa4d9e46d5189e143a0702
TeamBot
7c75df63bc40beca5ccf65db76c33539ee9f3468a4149e1a0c0bfd30949f4b4d
TeamBot
869bd0ca39150a6e0f87609ca7e927211ba9cf636b69c33c3cd09db85922dd94
TeamBot
b48348bce63f1ad4550e28f99b61f3166e30eec746299c4258632a5fae95df7d
TeamBot
e81e9dfe89a98449992b1ca9e4acb9905b606dc3de186b9de94241bde3b230be
TeamBot
e8bcd430d48c430ced6992340cbce21ffc1a4d8cc60e6255b76870d33a5ea6b9
TeamBot
ed8a7ffec56f450a365e758012db092883bbd23565f3f9fbb004c189fb703de3
TeamBot
+ 107 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:1d76a465540f6a904ac9f1310fe3a3824b5b4549 discovery evasion persistence stealer
Link:
https://tria.ge/reports/210524-mn6s1v3nra/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Deletes Windows Defender Definitions
Raccoon
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ca81501a843554d574be590be9f5ec0c6560679c5b1e5b4e44a879f1c9be7351

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TeamBot

Executable exe ca81501a843554d574be590be9f5ec0c6560679c5b1e5b4e44a879f1c9be7351

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/161248/
  
URLhaus
https://urlhaus.abuse.ch/url/1256494/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-24 07:29:16 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0049] File System Micro-objective::Get File Attributes
4) [C0051] File System Micro-objective::Read File
5) [C0052] File System Micro-objective::Writes File
6) [C0033] Operating System Micro-objective::Console
7) [C0040] Process Micro-objective::Allocate Thread Local Storage
8) [C0043] Process Micro-objective::Check Mutex
9) [C0041] Process Micro-objective::Set Thread Local Storage Value
10) [C0018] Process Micro-objective::Terminate Process
11) [C0039] Process Micro-objective::Terminate Thread