MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f199a6d6f602e4030ba73dbad67852fa110e12eddf03a5b382d4f0fa78d6f26c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TeamBot

Vendor detections: 12

Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash:	f199a6d6f602e4030ba73dbad67852fa110e12eddf03a5b382d4f0fa78d6f26c
SHA3-384 hash:	044222a65329388a75e299a036b9bb8dce6f3881886e06933a20067b20784ecb1ae0f4c38e0fd93877b63a4a0cf8c622
SHA1 hash:	3f59b019616f1be825fe8df684e1ea60bdc6defa
MD5 hash:	3a50e743c489aa22d3f1131e215a758b
humanhash:	asparagus-crazy-colorado-juliet
File name:	3a50e743c489aa22d3f1131e215a758b.exe
Download:	download sample
Signature	TeamBot Create hunting rule
File size:	30'720 bytes
First seen:	2022-09-17 12:05:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	768:S172poBiLfK2Ss/2q2P66B9QeytQZAERS:O2mBibK4/2PB9Qr2S
TLSH	T1C3D2C0571010306CEF9DC2BB96E31B6A5AC7DDCC0186E6CB9575D33279C2CA2C4BB591
TrID	42.6% (.EXE) Win32 Executable (generic) (4505/5/1) 19.2% (.EXE) OS/2 Executable (generic) (2029/13) 18.9% (.EXE) Generic Win/DOS Executable (2002/3) 18.9% (.EXE) DOS Executable Generic (2000/1) 0.2% (.VXD) VXD Driver (29/21)
Reporter	abuse_ch
Tags:	exe TeamBot

abuse_ch

TeamBot C2:
http://94.131.106.59/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://94.131.106.59/	https://threatfox.abuse.ch/ioc/850181/

Intelligence

File Origin

# of uploads :

# of downloads :

378

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3a50e743c489aa22d3f1131e215a758b.exe

Verdict:

Suspicious activity

Analysis date:

2022-09-17 12:06:07 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/eb8cca01-78c5-4f11-8cc4-06aa0b848b12

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/310932/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Sending an HTTP POST request

Creating a file in the %temp% directory

Creating a process from a recently created file

Searching for synchronization primitives

Launching a process

Reading critical registry keys

Unauthorized injection to a recently created process

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6325b888ba7b8113dd6fd57b/reports/3ec39b71-89c9-4df6-af88-d4d4b19e2fdd/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d1518f54-9d3a-46ae-a6a5-69dd1d204376

Result

Threat name:

Djvu, RedLine, SmokeLoader

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1072233

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Djvu Ransomware

Yara detected RedLine Stealer

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f199a6d6f602e4030ba73dbad67852fa110e12eddf03a5b382d4f0fa78d6f26c/

Threat name:

Win32.Trojan.Razy

Status:

Malicious

First seen:

2022-09-13 19:01:37 UTC

File Type:

PE (Exe)

AV detection:

33 of 40 (82.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6gm2nvxwalsagc5hhw5nm6cs7iiq4exn34b2lm4c2typu6gw6jwa._file

Verdict:

malicious

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:dcrat family:djvu family:raccoon family:smokeloader botnet:7394a7fc5da9794209d8b0503ca4abf4 backdoor collection discovery infostealer persistence ransomware rat spyware stealer trojan

Link:

https://tria.ge/reports/220917-n9q9qshgc5/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Creates scheduled task(s)

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Checks computer location settings

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

DcRat

Detected Djvu ransomware

Detects Smokeloader packer

Djvu Ransomware

Raccoon

SmokeLoader

Malware Config

C2 Extraction:

http://acacaca.org/lancer/get.php
http://94.131.106.59

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e636f0b6-f78d-405a-b3d9-be8bb7e828d6

Unpacked files

SH256 hash:

f199a6d6f602e4030ba73dbad67852fa110e12eddf03a5b382d4f0fa78d6f26c

MD5 hash:

3a50e743c489aa22d3f1131e215a758b

SHA1 hash:

3f59b019616f1be825fe8df684e1ea60bdc6defa

Detections:

win_smokeloader_a2

SmokeLoaderStage2

Link:

https://www.unpac.me/results/0aae198d-b941-4f82-97c6-9dcdbe391b44/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f199a6d6f602/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.32

Link:

https://yomi.yoroi.company/submissions/f199a6d6f602e4030ba73dbad67852fa110e12eddf03a5b382d4f0fa78d6f26c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/310932/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample