MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2ec79dea2c343c76e98d2ff149c7ff39ca97d6bd169619a9db4383e860e3f00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Backdoor.TeamViewer


Vendor detections: 8



SHA256 hash: d2ec79dea2c343c76e98d2ff149c7ff39ca97d6bd169619a9db4383e860e3f00
SHA3-384 hash: 79a9ad6b2ee0a343b143e4e00b90328a9592ed3c230af698d8a6e27c93c7d3961bdcd783559a9119a77679bc57e560fb
SHA1 hash: 3acf7f616dd5463a73bafb79379a22a1fac6ccde
MD5 hash: 20eed4441eab2600d935db7d8384a807
humanhash: london-three-hydrogen-neptune
File name: 20eed4441eab2600d935db7d8384a807
Signature: Backdoor.TeamViewer
File size: 4'185'694 bytes
First seen: 2023-11-07 09:19:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 80417b621299e3e1de617305557a3c68 (48 x GCleaner, 44 x Backdoor.TeamViewer, 31 x Socks5Systemz)
ssdeep: 98304:ldZzBLmJR0be89sNUsyV4G6utggjMUQe7mMlEfy9HUsc3AX6fi7e:PZzkJebJsNbmV6HPe9Ef00n3jfi7e
TLSH: T1C7162393AA4029EBD8773971A62AC43B53127CED26B85799B0C07B396FB310F074564F
TrID: 80.3% (.EXE) Inno Setup installer (109740/4/30)
      10.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      1.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      1.4% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: ece6c2d2e2a2d2e8 (5 x Pikabot, 2 x Backdoor.TeamViewer, 2 x Gh0stRAT)
Reporter: zbetcheckin
Tags: 32 Backdoor.TeamViewer exe

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 371
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching a process
Modifying a system file
Creating a file
Creating a service
Enabling autorun for a service
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control greyware installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Result
Malware family: n/a
Score: 7/10
Tags: discovery
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
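The vendor behaviour summaries above describe one chain worth alerting on in your own telemetry: a file is written under %temp% and executed, and that lineage then creates a service set to autostart or runs schtasks.exe/at.exe to add or modify a task. The following is an added example, not MalwareBazaar's or any sandbox vendor's code, that expresses that chain as a single rule over Sysmon-style process-creation events. The events are constructed for the demo and the field names (pid, ppid, image, cmd) are assumptions; sc.exe is included as a generalisation, because it is the command-line route to "Creating a service", even though the page does not say this sample used it.

```python
"""Flag persistence commands whose process lineage runs out of a staging dir.

Added example; not MalwareBazaar's or any vendor's code. Events are constructed.
"""
from typing import Dict, List, Optional

# Directories a dropper typically writes to before executing what it wrote
# ("Creating a file in the %temp% subdirectories" -> "Creating a process from
# a recently created file" on the page).
STAGING_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\downloads\\",
)

# LOLBins and the verbs that add or modify persistence. schtasks/at are named
# on the page; sc.exe is an assumed generalisation for service creation.
PERSISTENCE_VERBS = {
    "schtasks.exe": {"create", "change"},
    "at.exe": None,            # any invocation with arguments schedules a job
    "sc.exe": {"create", "config"},
}
MAX_DEPTH = 16                 # bound the ancestor walk; pid reuse can loop ppid chains


def is_staged(image: str) -> bool:
    """True if the image path lies under a user-writable staging directory."""
    return any(m in image.lower().replace("/", "\\") for m in STAGING_MARKERS)


def persistence_verb(image: str, cmd: str) -> Optional[str]:
    """Return the persistence verb if this command line adds/modifies a task or
    service, else None. Verbs match as switches (/Create, -create) or bare
    words (sc create), case-insensitively."""
    exe = image.lower().rsplit("\\", 1)[-1]
    if exe not in PERSISTENCE_VERBS:
        return None
    args = [t.lower().lstrip("/-") for t in cmd.split()[1:]]
    wanted = PERSISTENCE_VERBS[exe]
    if wanted is None:
        return "schedule" if args else None
    for a in args:
        if a in wanted:
            return a
    return None


def staged_ancestor(ev: Dict, by_pid: Dict[int, Dict]) -> Optional[Dict]:
    """Walk ppid links; return the nearest ancestor running from a staging dir."""
    cur, depth = by_pid.get(ev["ppid"]), 0
    while cur is not None and depth < MAX_DEPTH:
        if is_staged(cur["image"]):
            return cur
        cur, depth = by_pid.get(cur["ppid"]), depth + 1
    return None


def detect(events: List[Dict]) -> List[Dict]:
    """One finding per persistence command whose lineage includes a binary
    executed from a staging directory. Commands with a clean lineage (for
    example an admin's own schtasks /Create) are deliberately not reported."""
    by_pid = {e["pid"]: e for e in events}   # last writer wins on pid reuse
    findings = []
    for ev in events:
        verb = persistence_verb(ev["image"], ev["cmd"])
        if verb is None:
            continue
        root = staged_ancestor(ev, by_pid)
        if root is not None:
            findings.append({"pid": ev["pid"], "verb": verb,
                             "dropped_image": root["image"], "cmd": ev["cmd"]})
    return findings


# Constructed process-creation events; not taken from this sample's sandbox run.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\installer.exe", "cmd": "installer.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\is-1A2B.tmp\setup.tmp",
     "cmd": "setup.tmp"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "C:\Program Files\App\app.exe" /F'},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": "schtasks.exe /Query /TN Updater"},                       # benign: read-only
    {"pid": 600, "ppid": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks.exe /Create /SC DAILY /TN Backup /TR C:\Tools\backup.exe"},  # clean lineage
    {"pid": 700, "ppid": 300, "image": r"C:\Windows\System32\sc.exe",
     "cmd": r'sc.exe create AppSvc binPath= "C:\Program Files\App\app.exe" start= auto'},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"pid {f['pid']}: {f['verb']} via {f['cmd']} (dropped: {f['dropped_image']})")
```

Run against the constructed events this reports pid 400 (schtasks /Create) and pid 700 (sc create ... start= auto), both descending from the binary in %temp%, and stays quiet on the query and on the task created by a process with no staged ancestor. The lineage walk is what keeps the false-positive rate tolerable; matching schtasks /Create on its own fires on every admin script.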
Unpacked files
SHA256 hash: 76bb76249057f3db6c1a0eea176ee0e6c6d1b8d4b7eda00331e7b81edb925215
MD5 hash: 223d36ed7f611b53820def73007df1d7
SHA1 hash: 92b7845a9e11b832401feebc8343617794201463

SHA256 hash: 1cd42c797532bd1cb0fa1f9b8f3cde30717f7f3dfae941087fc807c36859fe31
MD5 hash: 7988d634c45575e57f76c78a0c7f9034
SHA1 hash: 6dc59aacc7a8d08b4be90ae79a218aff5ab1d02c

SHA256 hash: c51128e53783d1fee1bd7ad4331fcea6f083fdd434127ac51519171c84b29781
MD5 hash: b4e0bc707213cb0ccd15d36f771a103b
SHA1 hash: a9ce2a545e7e90f9f8f0f91119bee759f568921a

SHA256 hash: 8f7c13a68eda46fa384eb3e48f7e4f29e4f6c52064255cadd37cb366babdbfd6
MD5 hash: 137bc959a8b358c8ba3e68848e175dd0
SHA1 hash: 3131a3b2467d8c863a33cb4ae82987760e8e8298

SHA256 hash: 5f21531d5641ac5f16b799cc734e7c08c0ccbf2546d1cfa09e2a80b96a91f735
MD5 hash: 253046c5efbad0d3e04c30e8ad6380c4
SHA1 hash: 2c05454e40f6d08f0d09e0f8c94c5d710edae696

SHA256 hash: d2ec79dea2c343c76e98d2ff149c7ff39ca97d6bd169619a9db4383e860e3f00 (this sample)
MD5 hash: 20eed4441eab2600d935db7d8384a807
SHA1 hash: 3acf7f616dd5463a73bafb79379a22a1fac6ccde
Please note that we are no longer able to provide a coverage score for VirusTotal.
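The entry above gives SHA256, SHA1 and MD5 for the submitted installer and for each of the five files unpacked from it, and the dropped files are the ones that survive on a host after the installer is gone. The following is an added example, not MalwareBazaar's own code, that copies those hashes into an offline matcher indexed by every digest, so a lookup works with whichever hash an EDR alert or a SIEM record happens to carry, and then streams files from disk against the index. Everything hashed in demo() is constructed test data, never the malware itself; an extra IOC is registered from a constructed payload purely so the scan has something to hit.

```python
"""Offline IOC match against the hashes listed on this MalwareBazaar entry.

Added example; not MalwareBazaar code. PAGE_IOCS is copied from the entry
(five unpacked files plus the submitted sample). All data hashed in demo()
is constructed, not the malware.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, Iterator, Optional, Tuple

ALGOS = ("sha256", "sha1", "md5")   # order = preference when reporting a hit


@dataclass(frozen=True)
class Ioc:
    label: str
    sha256: str
    sha1: str
    md5: str


# Hashes as listed on the page; the last entry is the submitted sample itself.
PAGE_IOCS: Tuple[Ioc, ...] = (
    Ioc("unpacked file 1", sha256="76bb76249057f3db6c1a0eea176ee0e6c6d1b8d4b7eda00331e7b81edb925215",
        sha1="92b7845a9e11b832401feebc8343617794201463", md5="223d36ed7f611b53820def73007df1d7"),
    Ioc("unpacked file 2", sha256="1cd42c797532bd1cb0fa1f9b8f3cde30717f7f3dfae941087fc807c36859fe31",
        sha1="6dc59aacc7a8d08b4be90ae79a218aff5ab1d02c", md5="7988d634c45575e57f76c78a0c7f9034"),
    Ioc("unpacked file 3", sha256="c51128e53783d1fee1bd7ad4331fcea6f083fdd434127ac51519171c84b29781",
        sha1="a9ce2a545e7e90f9f8f0f91119bee759f568921a", md5="b4e0bc707213cb0ccd15d36f771a103b"),
    Ioc("unpacked file 4", sha256="8f7c13a68eda46fa384eb3e48f7e4f29e4f6c52064255cadd37cb366babdbfd6",
        sha1="3131a3b2467d8c863a33cb4ae82987760e8e8298", md5="137bc959a8b358c8ba3e68848e175dd0"),
    Ioc("unpacked file 5", sha256="5f21531d5641ac5f16b799cc734e7c08c0ccbf2546d1cfa09e2a80b96a91f735",
        sha1="2c05454e40f6d08f0d09e0f8c94c5d710edae696", md5="253046c5efbad0d3e04c30e8ad6380c4"),
    Ioc("Backdoor.TeamViewer (submitted sample)",
        sha256="d2ec79dea2c343c76e98d2ff149c7ff39ca97d6bd169619a9db4383e860e3f00",
        sha1="3acf7f616dd5463a73bafb79379a22a1fac6ccde", md5="20eed4441eab2600d935db7d8384a807"),
)


def digests(data: bytes) -> Dict[str, str]:
    """Lower-case hex SHA256/SHA1/MD5 of an in-memory blob."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digests_of_file(path: Path, chunk: int = 1 << 20) -> Dict[str, str]:
    """Same digests, streamed: this sample is 4'185'694 bytes and real triage
    directories hold far larger files, so never read a whole file into memory."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def build_index(iocs: Iterable[Ioc]) -> Dict[str, Ioc]:
    """Map every digest of every algorithm to its IOC, so a lookup succeeds with
    whichever hash a log line carries (many EDRs record only SHA1 or MD5)."""
    index: Dict[str, Ioc] = {}
    for ioc in iocs:
        for a in ALGOS:
            index[getattr(ioc, a).lower()] = ioc
    return index


INDEX = build_index(PAGE_IOCS)


def lookup(digest: str, index: Dict[str, Ioc] = INDEX) -> Optional[Ioc]:
    """Case- and whitespace-insensitive lookup of one hex digest."""
    return index.get(digest.strip().lower())


def first_hit(d: Dict[str, str], index: Dict[str, Ioc]) -> Optional[Ioc]:
    # SHA256 is tried first and is the value to cite in a report; an MD5- or
    # SHA1-only hit is still returned, but those algorithms have practical
    # collision attacks, so confirm with SHA256 before acting on one alone.
    for a in ALGOS:
        hit = index.get(d[a])
        if hit is not None:
            return hit
    return None


def match_bytes(data: bytes, index: Dict[str, Ioc] = INDEX) -> Optional[Ioc]:
    return first_hit(digests(data), index)


def scan_directory(root, index: Dict[str, Ioc] = INDEX) -> Iterator[Tuple[Path, Ioc]]:
    """Yield (path, ioc) for every regular file under root that matches."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hit = first_hit(digests_of_file(path), index)
            if hit is not None:
                yield path, hit


def demo() -> list:
    """Scan a throwaway directory of constructed files: one benign, one whose
    digests are registered as an extra constructed IOC beside the page's."""
    payload = b"constructed test payload, not the sample"
    extra = Ioc("constructed test IOC", **digests(payload))
    index = build_index((*PAGE_IOCS, extra))
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "readme.txt").write_bytes(b"benign content")
        (root / "dropped.bin").write_bytes(payload)
        return [(p.name, ioc.label) for p, ioc in scan_directory(root, index)]
```

Point scan_directory() at a quarantine folder or a mounted image and it returns the matching path with the page's label for each hit; lookup() covers the case where you only have a hash from an alert. Because the index holds the unpacked files too, a host where only the dropped components remain still matches, which the installer's SHA256 alone would miss.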

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Backdoor.TeamViewer
Executable exe d2ec79dea2c343c76e98d2ff149c7ff39ca97d6bd169619a9db4383e860e3f00 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2023-11-07 09:19:33 UTC

URL: hxxp://stim.graspalace.com/order/tuc19.exe