MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e262e47a76916a2f919373cd4ba175953e9a81687ea27e03c4d5e998b65ee9b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeamBot


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e262e47a76916a2f919373cd4ba175953e9a81687ea27e03c4d5e998b65ee9b4
SHA3-384 hash: d41c7ae066ce5a90d3359ae5349ae82f0a5466632ddc8ef4b1c33f1a5a715502760ebf04746cc5943cc4137e18c8714c
SHA1 hash: dd5b3e94bec631d9a72f43af2ec01cf12232c548
MD5 hash: b71c6ec1ffe67a613e7ba6dc9d440165
humanhash: romeo-queen-vermont-stream
File name:b71c6ec1ffe67a613e7ba6dc9d440165.exe
Download: download sample
Signature TeamBot
Create hunting rule
File size:11'361'792 bytes
First seen:2023-05-24 05:50:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f9644890a52aa13e3e994733d15fcb99 (1 x RecordBreaker, 1 x TrickBot, 1 x Smoke Loader)
ssdeep 98304:OUuKtfJjoWdSgeD6KF7t3H26JyQ6IeoMnq6Kw7KpE3OtMeV+xDMAyYL64Z:wKDjoZYKv3PR6IfMq6v74EEMeCDzjt
Threatray 35 similar samples on MalwareBazaar
TLSH T17FB6232266DA2048F0F4D83A4BE7FEF976F9BAFA5742553561C836C61624190BB03873
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 8830fadd537fbcf2 (1 x CoinMiner, 1 x TeamBot)
Reporter abuse_ch
Tags:exe TeamBot


Avatar
abuse_ch
TeamBot C2:
83.97.73.122:19062

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b71c6ec1ffe67a613e7ba6dc9d440165.exe
Verdict:
Malicious activity
Analysis date:
2023-05-24 05:52:16 UTC
Tags:
evasion privateloader opendir
Link:
https://app.any.run/tasks/8bed6a86-8d84-4406-a097-62d9ff1559c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/390956/
Detection(s):
Win.Dropper.Tinba-9943147-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
DNS request
Replacing files
Sending a custom TCP request
Launching a service
Launching a process
Sending an HTTP GET request
Reading critical registry keys
Creating a file
Sending a UDP request
Forced system process termination
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a window
Blocking the Windows Defender launch
Query of malicious DNS domain
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed privateloader shell32.dll
Link:
https://www.filescan.io/uploads/646da5c60f915ba0dc8af51c/reports/5d6d9bf4-8f1f-4563-b52c-5127faaf4666/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e262e47a76916a2f919373cd4ba175953e9a81687ea27e03c4d5e998b65ee9b4
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a3c11b4c-eb0c-4dc9-89f4-0fe3ad5f4a6d
Result
Threat name:
Fabookie, Nymaim, PrivateLoader, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1241319
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Fabookie
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 874330 Sample: oZIDuC0SMY.exe Startdate: 24/05/2023 Architecture: WINDOWS Score: 100 150 45.12.253.98 CMCSUS Germany 2->150 194 Found malware configuration 2->194 196 Malicious sample detected (through community Yara rule) 2->196 198 Antivirus detection for URL or domain 2->198 200 18 other signatures 2->200 11 oZIDuC0SMY.exe 10 43 2->11         started        16 PowerControl_Svc.exe 2->16         started        18 svchost.exe 2->18         started        20 5 other processes 2->20 signatures3 process4 dnsIp5 184 188.114.96.7 CLOUDFLARENETUS European Union 11->184 186 87.240.129.133 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 11->186 190 13 other IPs or domains 11->190 138 C:\Users\...\vmZkfK2jOhhiTAKl8Itmwj5V.exe, PE32 11->138 dropped 140 C:\Users\...\ueeIGER76UOWDeQiMr3pZxoC.exe, PE32 11->140 dropped 142 C:\Users\...\_3mG66tWYtaL8tnKc7pZQwWB.exe, PE32 11->142 dropped 148 16 other malicious files 11->148 dropped 248 Creates HTML files with .exe extension (expired dropper behavior) 11->248 250 Disables Windows Defender (deletes autostart) 11->250 252 Modifies Group Policy settings 11->252 256 2 other signatures 11->256 22 TSXL1c1ScvjT_26geR4yVm_f.exe 18 11->22         started        26 LF_tiJeu3EM_UyNXQCxepIT7.exe 17 11->26         started        28 CCMfKsvPl4Y6LXY1gB0AwoM5.exe 11->28         started        33 7 other processes 11->33 144 C:\Users\...\FEFofLTiSRa7SoIEozeosoRe.exe, MS-DOS 16->144 dropped 146 C:\Users\user\AppData\Local\...\WWW14[2].bmp, MS-DOS 16->146 dropped 31 FEFofLTiSRa7SoIEozeosoRe.exe 16->31         started        188 51.104.136.2 MICROSOFT-CORP-MSN-AS-BLOCKUS United Kingdom 18->188 254 Query firmware table information (likely to detect VMs) 18->254 file6 signatures7 process8 dnsIp9 172 149.154.167.99 TELEGRAMRU United Kingdom 22->172 174 192.168.2.1 unknown unknown 22->174 110 C:\Users\...\6xbRkbjvI_ZEQw8hwIFq2A0d.exe, MS-DOS 22->110 dropped 112 C:\Users\user\AppData\Local\...\WWW14[2].bmp, MS-DOS 22->112 dropped 114 C:\...\PowerControl_Svc.exe, PE32 22->114 dropped 35 6xbRkbjvI_ZEQw8hwIFq2A0d.exe 22->35         started        40 schtasks.exe 22->40         started        176 94.142.138.113 IHOR-ASRU Russian Federation 26->176 116 C:\Users\...\dHNMmGVBdNPFPd2L8qELLCAM.exe, MS-DOS 26->116 dropped 118 C:\Users\user\AppData\Local\...\WWW14[1].bmp, MS-DOS 26->118 dropped 120 C:\...\PowerControl_Svc.exe, PE32 26->120 dropped 42 dHNMmGVBdNPFPd2L8qELLCAM.exe 26->42         started        52 2 other processes 26->52 228 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 28->228 230 Maps a DLL or memory area into another process 28->230 232 Checks if the current machine is a virtual machine (disk enumeration) 28->232 234 Creates a thread in another existing process (thread injection) 28->234 44 explorer.exe 28->44 injected 236 Multi AV Scanner detection for dropped file 31->236 238 Tries to detect virtualization through RDTSC time measurements 31->238 178 185.81.68.115 KLNOPT-ASFI Finland 33->178 180 103.100.211.218 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 33->180 182 5 other IPs or domains 33->182 122 C:\Users\user\AppData\Local\...\is-6E32N.tmp, PE32 33->122 dropped 124 C:\Users\user\AppData\Local\...\v9689907.exe, PE32 33->124 dropped 126 C:\Users\user\AppData\Local\...\d7568319.exe, PE32 33->126 dropped 240 Writes to foreign memory regions 33->240 242 Allocates memory in foreign processes 33->242 244 Tries to steal Crypto Currency Wallets 33->244 246 Injects a PE file into a foreign processes 33->246 46 v9689907.exe 33->46         started        48 is-6E32N.tmp 33->48         started        50 AppLaunch.exe 33->50         started        54 2 other processes 33->54 file10 signatures11 process12 dnsIp13 160 3 other IPs or domains 35->160 92 C:\Users\...\gp5XFTBeH8GpiwT9RPxUUi7I.exe, PE32+ 35->92 dropped 94 C:\Users\...\dR8TagtSM8IWugg0rfrkZJJE.exe, PE32 35->94 dropped 100 12 other malicious files 35->100 dropped 202 Multi AV Scanner detection for dropped file 35->202 204 Detected unpacking (changes PE section rights) 35->204 206 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 35->206 224 6 other signatures 35->224 56 conhost.exe 40->56         started        162 6 other IPs or domains 42->162 96 C:\Users\...\xHrI8NEmzrcZKG8gjSut0ZSX.exe, PE32+ 42->96 dropped 98 C:\Users\...\b7csru6LiFNmBoaUKvtfRmqv.exe, PE32 42->98 dropped 102 12 other malicious files 42->102 dropped 208 Query firmware table information (likely to detect VMs) 42->208 210 Creates HTML files with .exe extension (expired dropper behavior) 42->210 212 Disables Windows Defender (deletes autostart) 42->212 152 103.233.24.19 WEBWERKS-AS-INWebWerksIndiaPvtLtdIN India 44->152 154 79.137.202.224 PSKSET-ASRU Russian Federation 44->154 164 3 other IPs or domains 44->164 104 10 other malicious files 44->104 dropped 214 System process connects to network (likely due to code injection or exploit) 44->214 216 Benign windows process drops PE files 44->216 218 Hides that the sample has been downloaded from the Internet (zone.identifier) 44->218 58 PowerControl_Svc.exe 44->58         started        61 rundll32.exe 44->61         started        63 rundll32.exe 44->63         started        106 2 other malicious files 46->106 dropped 65 v3170358.exe 46->65         started        108 8 other files (7 malicious) 48->108 dropped 67 Rec524.exe 48->67         started        156 157.254.164.98 BEANFIELDCA United States 50->156 220 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 50->220 226 2 other signatures 50->226 70 conhost.exe 52->70         started        72 conhost.exe 52->72         started        158 89.238.170.250 M247GB United Kingdom 54->158 222 Tries to harvest and steal browser information (history, passwords, etc) 54->222 74 Conhost.exe 54->74         started        file14 signatures15 process16 dnsIp17 128 C:\Users\...\KmnnjYtG809FHBzX3nSpU1f8.exe, MS-DOS 58->128 dropped 130 C:\Users\user\AppData\Local\...\WWW14[1].bmp, MS-DOS 58->130 dropped 132 C:\Users\user\AppData\Local\...\b0395035.exe, PE32 65->132 dropped 134 C:\Users\user\AppData\Local\...\a4071296.exe, PE32 65->134 dropped 76 b0395035.exe 65->76         started        80 a4071296.exe 65->80         started        166 45.12.253.56 CMCSUS Germany 67->166 168 45.12.253.72 CMCSUS Germany 67->168 170 45.12.253.75 CMCSUS Germany 67->170 136 C:\Users\user\AppData\Roaming\...\X9VUx5z.exe, PE32 67->136 dropped 82 X9VUx5z.exe 67->82         started        84 cmd.exe 67->84         started        86 Conhost.exe 70->86         started        file18 process19 dnsIp20 192 83.97.73.122 UNACS-AS-BG8000BurgasBG Germany 76->192 258 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 76->258 260 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 76->260 262 Tries to harvest and steal browser information (history, passwords, etc) 76->262 264 Multi AV Scanner detection for dropped file 80->264 266 Disable Windows Defender notifications (registry) 80->266 88 conhost.exe 84->88         started        90 taskkill.exe 84->90         started        signatures21 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e262e47a76916a2f919373cd4ba175953e9a81687ea27e03c4d5e998b65ee9b4/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-19 22:34:00 UTC
File Type:
PE (Exe)
Extracted files:
109
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4jroi6twsfvc7emtopguxilvsu7jvalip2rh4a6e2xuzrns65g2a._file
Verdict:
malicious
Similar samples:
1a8a82f87a9a7cd4b981fc23f41f5a914d630b6e51f7a535637b87b4334343d9
TeamBot
42430d77c311efbc21ad412f38190ff282b7a65c24801fab3e88f25e1f952b90
TeamBot
5a663240a0115fcd75f41e48212617143d519faf621150ec0d8281053894f426
TeamBot
8e2bc926874b92b005f0b888b096ed4e4a4c7a44b2cc3c02a3dbfb734995d129
TeamBot
aeb8f4b6bb3c7cf7117c6593d6c4e493bdeaec2e8babf2f6676c5166bc8238bf
TeamBot
b17e2998043a66e679e3715f5651854692c9af593b3c656acefead782118ccdf
TeamBot
b92797965358585eadbe928c2b8531c5575caa87cbcef1171a48f1941a10b740
TeamBot
d27e613f196c65e51a932e3a4994aeef5e4ea13003b2d75e86fd0bceeecb7012
TeamBot
eae4b77ea1c206dc0a5fd6c0f34d2eae940b8fd20558aadf67ae4481099db184
TeamBot
ff938a0fd6ce680b7dd06af89b87a4d2b69cfcbf042e783c4f483cbf9dfd653a
TeamBot
+ 25 additional samples on MalwareBazaar
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader loader main spyware stealer
Link:
https://tria.ge/reports/230524-gj57msbf4v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
PrivateLoader
Malware Config
C2 Extraction:
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
45.15.156.229
85.208.136.10
94.142.138.131
94.142.138.113
208.67.104.60
Unpacked files
SH256 hash:
131029b6a38945a3f60475b30dd511b9fc63fef9bd265e401b30abf397c16671
MD5 hash:
d22ea0f220f3a60ecfcdb17d813055db
SHA1 hash:
8828e2443178d8aadfd8499bb8b13fcb26b26f50
Detections:
PrivateLoader
Create hunting rule
win_privateloader_w0
Create hunting rule
win_privateloader_a0
Create hunting rule
Link:
https://www.unpac.me/results/31aae277-00e2-4365-840f-9333e75ecd39/
SH256 hash:
e262e47a76916a2f919373cd4ba175953e9a81687ea27e03c4d5e998b65ee9b4
MD5 hash:
b71c6ec1ffe67a613e7ba6dc9d440165
SHA1 hash:
dd5b3e94bec631d9a72f43af2ec01cf12232c548
Link:
https://www.unpac.me/results/31aae277-00e2-4365-840f-9333e75ecd39/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e262e47a7691/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e262e47a76916a2f919373cd4ba175953e9a81687ea27e03c4d5e998b65ee9b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:RedLine Stealer Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:Win32_Trojan_RedLineStealer
Create hunting rule
Author:Netskope Threat Labs
Description:Identifies RedLine Stealer samples
Reference:deb95cae4ba26dfba536402318154405
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/390956/

Comments