MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8b60e554ed303e2debe7422bb363dcc33ace171d02388bce2e8ab5ce5364f5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeamBot


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8b60e554ed303e2debe7422bb363dcc33ace171d02388bce2e8ab5ce5364f5d
SHA3-384 hash: de611d78d10a56825fb575d44eadaf6e3fb8324c7585244e70fc9fece2185440f60204ca205e3d6280e1afd9a462b633
SHA1 hash: 8e1500730abd3e46bce284bc098d541c6d8d5088
MD5 hash: 197f5a4cb71e38ea7b56bd1214fbbfc7
humanhash: jersey-florida-six-eighteen
File name:197f5a4cb71e38ea7b56bd1214fbbfc7.exe
Download: download sample
Signature TeamBot
Create hunting rule
File size:746'496 bytes
First seen:2021-07-14 15:14:45 UTC
Last seen:2021-07-14 16:11:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ad9f6c8b0f38d755f66fb877c364f60e (1 x RedLineStealer, 1 x TeamBot)
ssdeep 12288:b7NDuF2bnFrhVLhsQQ6Tu577Cf65GO5YMaSJqskIovQHE7xkbXgkO+I+4:b7NKFqntiz6K7+i5Gi7wsVooEtkjgkOn
Threatray 356 similar samples on MalwareBazaar
TLSH T123F412216DA1C035D3EF497061B99B6A9D7BBA331E61544F3B9403A99F303C1AEA6313
Reporter abuse_ch
Tags:exe TeamBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
197f5a4cb71e38ea7b56bd1214fbbfc7.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-14 15:49:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bd4c5652-ded9-4ca8-b2e3-e684c1e4c9e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171728/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader40.39941.22923.18648.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/12029494-437c-4926-a6dc-12899031cf4d
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/816482
Signature
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f8b60e554ed303e2debe7422bb363dcc33ace171d02388bce2e8ab5ce5364f5d/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 07:20:38 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7c3a4vko2mb6fxv6oqrlwnr5zqz2zylr2aryrphc5cvvzzjwj5oq._file
Verdict:
malicious
Similar samples:
34ce0db0264cb552d28100353840f27bb546729685684bb80691e05afbfe2b26
TeamBot
4fc4936de4eb693ec57ae17e722c1c68e46afbc0c82f3c45d254c39571008f8b
TeamBot
a08affbf0b72b993cc827615ae916ae9eef32484c1252e3ab403ec091d28f5e0
TeamBot
ca7f21ad4f9b5ca208d0a43b76edc7bbb9c698289cb4fc718c884681c5dcf10f
TeamBot
d0da8d292459d68df7dbbd65379e80e970b79f93307f05aca7b95e967ad86d52
TeamBot
f0cda71528dfdf5b3fbc8af58a61aef5f9d6432c0359ab8d9df62209e6ce6d01
TeamBot
f88fe1b342fccf45f31b05388bbb7398da0f175ba15bf6f1d7ae367ef41aa200
TeamBot
ff9e059a789e94573fb32a918657d5c5c59b5395fab873cbcec7b1543435fe93
TeamBot
+ 346 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:517 discovery persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210714-vbja2c8phj/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies extensions of user files
Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://olegf9844.tumblr.com/
Unpacked files
SH256 hash:
f07b36c46b271626c8ac6b579acee4436ff9c8b0a96a0258d11cf677b7715f12
MD5 hash:
0a2b23c07cd6d8451b45ffbb324d4943
SHA1 hash:
efa2289f9880932a90a679ea883e507882b448fe
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/7af4fbe0-03b7-4e7f-b5c2-22cc33bbcd38/
SH256 hash:
f8b60e554ed303e2debe7422bb363dcc33ace171d02388bce2e8ab5ce5364f5d
MD5 hash:
197f5a4cb71e38ea7b56bd1214fbbfc7
SHA1 hash:
8e1500730abd3e46bce284bc098d541c6d8d5088
Link:
https://www.unpac.me/results/7af4fbe0-03b7-4e7f-b5c2-22cc33bbcd38/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8b60e554ed303e2debe7422bb363dcc33ace171d02388bce2e8ab5ce5364f5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TeamBot

Executable exe f8b60e554ed303e2debe7422bb363dcc33ace171d02388bce2e8ab5ce5364f5d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/171728/
  
URLhaus
https://urlhaus.abuse.ch/url/1423741/
  
Delivery method
Distributed via web download

Comments