MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd5c8ed82f61855b377e3c59bad6edd1844bc5b46c21715969063a3e5befe2f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeamBot


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd5c8ed82f61855b377e3c59bad6edd1844bc5b46c21715969063a3e5befe2f5
SHA3-384 hash: f54a6828b7bbd1ec6d8d751870193e8c24149eeaf8089f2ebb92c6c664d68655e33e5b3260cf6517785380bc98235f7b
SHA1 hash: 0c0d72b7ec10fb1ce48bb50f5fb3678984be7e58
MD5 hash: 7e41a726ac7ee1ac53883122630cc6fa
humanhash: grey-london-tennessee-six
File name:02630999.exe
Download: download sample
Signature TeamBot
Create hunting rule
File size:298'496 bytes
First seen:2023-05-27 08:57:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bd191f6a78cc98a8bbe61db18ad8e9a2 (5 x Glupteba, 4 x Smoke Loader, 3 x ArkeiStealer)
ssdeep 3072:WWJrcehjYNj/swrIhO/Z5IItOyvtzw6WBSh7DWvdmoNfKX5Aj9OQ5f:FJrcBN4AZyI3vj97aFmoNPj7
Threatray 2'010 similar samples on MalwareBazaar
TLSH T1AE544B1392E1BD94E9264A339E2EC6E8375DF6544F193B6A22189FEF04F11B2D173381
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 2408909080848800 (1 x TeamBot)
Reporter Neiki
Tags:TeamBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
02630999.exe
Verdict:
Malicious activity
Analysis date:
2023-05-27 08:58:02 UTC
Tags:
loader smoke trojan stealer vidar ransomware stop
Link:
https://app.any.run/tasks/5aa1b23b-f085-4d63-b347-8f204e083ce0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392451/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a window
Creating a file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed xpack
Link:
https://www.filescan.io/uploads/6471c6190ab38055123bb205/reports/57cf0408-2aa9-4d0b-a0fe-fcc3deb3dc72/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cd5c8ed82f61855b377e3c59bad6edd1844bc5b46c21715969063a3e5befe2f5
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ee8d223d-8e14-4818-8442-fa21f639962a
Result
Threat name:
Amadey, Clipboard Hijacker, Djvu, Fabook
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243742
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Fabookie
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 876753 Sample: 02630999.exe Startdate: 27/05/2023 Architecture: WINDOWS Score: 100 106 zexeq.com 2->106 108 t.me 2->108 110 5 other IPs or domains 2->110 142 Snort IDS alert for network traffic 2->142 144 Found malware configuration 2->144 146 Malicious sample detected (through community Yara rule) 2->146 148 16 other signatures 2->148 11 02630999.exe 2->11         started        14 ajsfcej 2->14         started        16 1F5D.exe 2->16         started        signatures3 process4 signatures5 188 Detected unpacking (changes PE section rights) 11->188 190 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 11->190 192 Maps a DLL or memory area into another process 11->192 18 explorer.exe 11 49 11->18 injected 194 Multi AV Scanner detection for dropped file 14->194 196 Checks if the current machine is a virtual machine (disk enumeration) 14->196 198 Creates a thread in another existing process (thread injection) 14->198 200 Detected unpacking (overwrites its own PE header) 16->200 202 Machine Learning detection for dropped file 16->202 204 Sample uses process hollowing technique 16->204 206 Injects a PE file into a foreign processes 16->206 23 Conhost.exe 16->23         started        process6 dnsIp7 112 187.209.146.8 UninetSAdeCVMX Mexico 18->112 114 2.180.10.7 TCIIR Iran (ISLAMIC Republic Of) 18->114 116 13 other IPs or domains 18->116 90 C:\Users\user\AppData\Roaming\hgsfcej, PE32 18->90 dropped 92 C:\Users\user\AppData\Roaming\ajsfcej, PE32 18->92 dropped 94 C:\Users\user\AppData\Local\Temp\FB42.exe, PE32 18->94 dropped 96 19 other malicious files 18->96 dropped 150 System process connects to network (likely due to code injection or exploit) 18->150 152 Benign windows process drops PE files 18->152 154 Deletes itself after installation 18->154 156 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->156 25 5B41.exe 18->25         started        28 6F98.exe 18->28         started        30 C222.exe 18->30         started        33 8 other processes 18->33 file8 signatures9 process10 file11 166 Multi AV Scanner detection for dropped file 25->166 168 Detected unpacking (changes PE section rights) 25->168 170 Detected unpacking (overwrites its own PE header) 25->170 35 5B41.exe 25->35         started        172 Machine Learning detection for dropped file 28->172 174 Writes a notice file (html or txt) to demand a ransom 28->174 176 Injects a PE file into a foreign processes 28->176 38 6F98.exe 13 28->38         started        100 C:\Users\user\AppData\Local\Temp\aafg31.exe, PE32+ 30->100 dropped 102 C:\Users\user\AppData\Local\...\XandETC.exe, PE32+ 30->102 dropped 104 C:\Users\user\AppData\Local\...104ewPlayer.exe, PE32 30->104 dropped 178 Antivirus detection for dropped file 30->178 40 aafg31.exe 30->40         started        180 Writes to foreign memory regions 33->180 182 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 33->182 184 Maps a DLL or memory area into another process 33->184 186 2 other signatures 33->186 43 4758.exe 33->43         started        45 1F5D.exe 1 15 33->45         started        48 3A02.exe 12 33->48         started        50 2 other processes 33->50 signatures12 process13 dnsIp14 52 5B41.exe 35->52         started        55 6F98.exe 38->55         started        118 jp.imgjeoighw.com 103.100.211.218 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 40->118 120 ss.apjeoighw.com 154.221.31.191 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 40->120 124 6 other IPs or domains 40->124 162 Multi AV Scanner detection for dropped file 40->162 164 Tries to harvest and steal browser information (history, passwords, etc) 40->164 57 4758.exe 43->57         started        98 C:\Users\user\AppData\Local\...\1F5D.exe, PE32 45->98 dropped 59 1F5D.exe 45->59         started        61 icacls.exe 45->61         started        122 api.2ip.ua 162.0.217.254, 443, 49722, 49727 ACPCA Canada 48->122 file15 signatures16 process17 signatures18 158 Injects a PE file into a foreign processes 52->158 63 5B41.exe 52->63         started        68 6F98.exe 55->68         started        70 Conhost.exe 55->70         started        160 Sample uses process hollowing technique 57->160 72 1F5D.exe 59->72         started        process19 dnsIp20 126 211.119.84.111 LGDACOMLGDACOMCorporationKR Korea Republic of 63->126 128 zexeq.com 63->128 138 2 other IPs or domains 63->138 74 C:\Users\user\AppData\Local\...\build3[1].exe, PE32 63->74 dropped 76 C:\Users\user\AppData\Local\...\build2[2].exe, PE32 63->76 dropped 78 C:\Users\user\AppData\Local\...\build3.exe, PE32 63->78 dropped 86 4 other malicious files 63->86 dropped 140 Modifies existing user documents (likely ransomware behavior) 63->140 130 zexeq.com 68->130 132 colisumy.com 68->132 134 api.2ip.ua 68->134 80 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 68->80 dropped 82 C:\Users\user\AppData\Local\...\build3.exe, PE32 68->82 dropped 84 C:\Users\user\AppData\Local\...\build2.exe, PE32 68->84 dropped 88 2 other malicious files 68->88 dropped 136 api.2ip.ua 72->136 file21 signatures22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd5c8ed82f61855b377e3c59bad6edd1844bc5b46c21715969063a3e5befe2f5/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-27 08:58:04 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zvoi5wbpmgcvwn36hrm3vvxn2gcexrnunqqxcwljay5d4w7p4l2q._file
Verdict:
malicious
Similar samples:
0c26ec308dc78ef090ebec907e1eb15d6dfdc28a85fa27e0a945fc5354a3e5f9
TeamBot
0cc7060ce4d11da31e6de65632d1e78d2f6c9022393f1fa49b0bf845108ca3b1
TeamBot
1171766b3c8e74122333aedfcf8ff32bcd2e059043af434dc57a70b6015b3e63
TeamBot
314b7a6d969a0f4654bb6b3a80a58087dac25c26c5777270b0f53056ec5645c0
TeamBot
3ea8f457387940d5a64458d38284ed785a9e04e245cf28e03bfc38d5e9188599
TeamBot
62d622e4c6581c0dd50e5623a3328cf60ffa7e87dea131c294883a2b610f80f4
TeamBot
6ba6ba1ad5f6525a76e854affad5bb28d1e59c93bd26d88a9cf1da7b84ed3b27
TeamBot
74e17b7264117df362eb097195ec2f45be5b98594953426f81a861299dbc6958
TeamBot
c9fde93529396b5fa4d49f8932ff113dcb813a30462c32312ff1ef259ab1989d
TeamBot
f93b85ca07f0392ab1516a34b157e175936e45b31773d1dce409b7e4872a8946
TeamBot
+ 2'000 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:smokeloader family:vidar botnet:e44c96dfdf315ccf17cdd4b93cfe6e48 botnet:pub1 backdoor discovery persistence ransomware stealer trojan
Link:
https://tria.ge/reports/230527-kw5y7abg2y/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Downloads MZ/PE file
Amadey
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
http://toobussy.com/tmp/
http://wuc11.com/tmp/
http://ladogatur.ru/tmp/
http://kingpirate.ru/tmp/
http://zexeq.com/raud/get.php
http://zexeq.com/lancer/get.php
45.9.74.80/0bjdn2Z/index.php
https://steamcommunity.com/profiles/76561199508624021
https://t.me/looking_glassbot
Gathering data
Malware family:
STOP
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cd5c8ed82f61/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd5c8ed82f61855b377e3c59bad6edd1844bc5b46c21715969063a3e5befe2f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/392451/

Comments