MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9deeaaba4135cc9417f0a39a0b2860c88f91015cdee2dc8649f59800c5ef673. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Backdoor.TeamViewer


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9deeaaba4135cc9417f0a39a0b2860c88f91015cdee2dc8649f59800c5ef673
SHA3-384 hash: 3cf8ce7f31947bb9c380ea05e630aec32659ece9b910185006195d3344c5692b6b44b8a90e4ed597a4f2c581cbb75604
SHA1 hash: 8110a441ca9e7cb0b2bc9897352f6791c9663f25
MD5 hash: e23c1e7f9e64b4f622712d0e0c444672
humanhash: fillet-muppet-potato-william
File name:file
Download: download sample
Signature Backdoor.TeamViewer
Create hunting rule
File size:12'114'944 bytes
First seen:2023-10-09 21:02:05 UTC
Last seen:2023-10-09 21:48:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 196608:WKS3s2WfogGhWeSs+GvPmPvgLqHB78egDQErFUCcIOeN67lfeItPqLK2:v4WV/eS+vPmPvgLqhQtUEJUC167lfeIO
TLSH T1FEC62339BBF6D1DAA0F0ED2B1C4570E3A0E531B5D798508947B44A1C2D43B713BE1BAA
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:Backdoor.TeamViewer exe


Avatar
andretavare5
Sample downloaded from http://45.9.74.80/zinda.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
380
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.43.23267.4680.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Sending a custom TCP request
Creating a file
Creating a window
Launching the process to interact with network services
Launching a process
Running batch commands
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/f9deeaaba4135cc9417f0a39a0b2860c88f91015cdee2dc8649f59800c5ef673
Result
Verdict:
MALICIOUS
Malware family:
Upgdsed
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b8c5cb56-5610-47d5-ad23-5b11562b1d51
Result
Threat name:
Glupteba, SmokeLoader, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1322449
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found stalling execution ending in API Sleep call
Found strings related to Crypto-Mining
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Sigma detected: Stop multiple services
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1322449 Sample: file.exe Startdate: 09/10/2023 Architecture: WINDOWS Score: 100 124 gudintas.at 2->124 126 iplogger.com 2->126 128 datasheet.fun 2->128 140 Found malware configuration 2->140 142 Malicious sample detected (through community Yara rule) 2->142 144 Antivirus detection for URL or domain 2->144 146 22 other signatures 2->146 11 file.exe 6 2->11         started        15 updater.exe 2->15         started        17 cmd.exe 2->17         started        19 6 other processes 2->19 signatures3 process4 file5 112 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 11->112 dropped 114 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 11->114 dropped 116 C:\Users\user\AppData\Local\Temp\kos1.exe, PE32 11->116 dropped 122 2 other malicious files 11->122 dropped 182 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->182 21 kos1.exe 3 11->21         started        25 529b7ffb.exe 11->25         started        27 latestX.exe 1 11->27         started        35 2 other processes 11->35 118 C:\Windows\Temp\whxcdqscjswq.tmp, PE32+ 15->118 dropped 120 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 15->120 dropped 184 Suspicious powershell command line found 15->184 186 Protects its processes via BreakOnTermination flag 15->186 188 Found strings related to Crypto-Mining 15->188 194 6 other signatures 15->194 190 Uses powercfg.exe to modify the power settings 17->190 192 Modifies power options to not sleep / hibernate 17->192 29 conhost.exe 17->29         started        37 5 other processes 17->37 31 conhost.exe 19->31         started        33 WerFault.exe 19->33         started        39 7 other processes 19->39 signatures6 process7 file8 100 C:\Users\user\AppData\Local\Temp\set16.exe, PE32 21->100 dropped 102 C:\Users\user\AppData\Local\Temp\kos.exe, PE32 21->102 dropped 148 Multi AV Scanner detection for dropped file 21->148 150 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->150 41 set16.exe 2 21->41         started        45 kos.exe 14 4 21->45         started        152 Detected unpacking (changes PE section rights) 25->152 154 Machine Learning detection for dropped file 25->154 156 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 25->156 168 3 other signatures 25->168 48 explorer.exe 25->48 injected 104 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 27->104 dropped 106 C:\Windows\System32\drivers\etc\hosts, ASCII 27->106 dropped 158 Suspicious powershell command line found 27->158 160 Modifies the hosts file 27->160 162 Adds a directory exclusion to Windows Defender 27->162 164 Detected unpacking (overwrites its own PE header) 35->164 166 Found Tor onion address 35->166 50 powershell.exe 35->50         started        signatures9 process10 dnsIp11 108 C:\Users\user\AppData\Local\...\is-C32BE.tmp, PE32 41->108 dropped 172 Multi AV Scanner detection for dropped file 41->172 52 is-C32BE.tmp 41->52         started        136 iplogger.com 148.251.234.93, 443, 49712 HETZNER-ASDE Germany 45->136 55 WerFault.exe 45->55         started        138 gudintas.at 181.170.86.159, 49746, 49749, 49753 TelecomArgentinaSAAR Argentina 48->138 110 C:\Users\user\AppData\Roaming\bsjsdfv, PE32 48->110 dropped 174 System process connects to network (likely due to code injection or exploit) 48->174 176 Benign windows process drops PE files 48->176 178 Suspicious powershell command line found 48->178 180 Hides that the sample has been downloaded from the Internet (zone.identifier) 48->180 57 cmd.exe 48->57         started        60 cmd.exe 48->60         started        62 powershell.exe 48->62         started        64 conhost.exe 50->64         started        file12 signatures13 process14 file15 92 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 52->92 dropped 94 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 52->94 dropped 96 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 52->96 dropped 98 7 other files (6 malicious) 52->98 dropped 66 previewer.exe 52->66         started        69 net.exe 52->69         started        71 previewer.exe 52->71         started        170 Modifies power options to not sleep / hibernate 57->170 74 conhost.exe 57->74         started        76 powercfg.exe 57->76         started        78 conhost.exe 60->78         started        80 sc.exe 60->80         started        82 sc.exe 60->82         started        84 3 other processes 60->84 signatures16 process17 dnsIp18 90 C:\ProgramData\...\ContentDVSvc.exe, PE32 66->90 dropped 86 conhost.exe 69->86         started        88 net1.exe 69->88         started        130 195.154.251.21, 1074, 49719, 49739 OnlineSASFR France 71->130 132 datasheet.fun 172.67.166.109, 49717, 80 CLOUDFLARENETUS United States 71->132 134 aqpnghh.ru 185.141.63.172, 49718, 49720, 49721 BELCLOUDBG Bulgaria 71->134 file19 process20
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f9deeaaba4135cc9417f0a39a0b2860c88f91015cdee2dc8649f59800c5ef673/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2023-10-09 21:03:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7hpovk5ecnomsql7bi42bmugbsepseavzxxc3sdet5myadc66zzq._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:smokeloader family:xmrig botnet:pub2 botnet:up3 backdoor discovery dropper evasion loader miner persistence rootkit trojan upx
Link:
https://tria.ge/reports/231009-zv1qeaad48/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Windows security modification
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Glupteba
Glupteba payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://gudintas.at/tmp/
http://pik96.ru/tmp/
http://rosatiauto.com/tmp/
http://kingpirate.ru/tmp/
Unpacked files
SH256 hash:
74a3fd61993580645b80eb5b70d65fa90af44e15c7c7e3d29f4bc6b523a0cb53
MD5 hash:
371acd66c58e5e275ea843dd3a67215e
SHA1 hash:
ddd71c80fea6d9ab8ec9eaa0952d72ab8654d0b0
Link:
https://www.unpac.me/results/fbf6bc42-fb70-427f-ab2e-50d1a92be31e/
SH256 hash:
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
MD5 hash:
076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 hash:
7b40783a27a38106e2cc91414f2bc4d8b484c578
Detections:
win_delivery_check_g0
Create hunting rule
Link:
https://www.unpac.me/results/fbf6bc42-fb70-427f-ab2e-50d1a92be31e/
Parent samples :
d822320e69cb0ddf07bd762ddf9d56bf46bae93a37ed1abc7d37485faf56761a
173cf6b50cfad4fa06f6826452aeceae743a49fb7c2cdc6445961c01dc11da92
a754eb655af6114a85fe5d32bc3a42b0038fec86c2d557fef2d3f2f92d68b942
b115ad95814af3c46b71fd230d3b2a224c8a8f356b27e0367b0f98d4948b2b60
98e2336afe9aed01d8859c988cb984a017800bf5a5760a643b9f5579c8936e40
31c5da8614998e7836aaf3c70559f7710edbd4b536b840e0c63babfdc95c5921
0c620ad9e0327c9397c2e869a45e3c24cf234f6da22df60ae7fcd802c63d0e8c
f9deeaaba4135cc9417f0a39a0b2860c88f91015cdee2dc8649f59800c5ef673
8d833183ab5dcf4f622de22dd3bb6df752725339804906f7bb374b6df7c3c354
78d20bb0f3344b725617819f4f2c2246a3c1d1cada81d931d63603f67a1b7aa7
96a8fc693eb17083f2fc31beffbbda57741ddec7b3ff38d29554a55bac7909a7
2cf8ca0a1593e5ef380c8d8e9207f4257bbc4ef1ad2a5a5315f321ffecdc70ec
93ec2f65e8dcbd9bf755573667f9bc5d085e3533f1c0a67391fd2feed16899ed
SH256 hash:
86be1957ae3967782a3bf08a9b4965bb42b08aa36604d59c8148c0d2ac17c561
MD5 hash:
cad3606bbbc3e5c557a91f7ecdcef763
SHA1 hash:
1f32187a21e8323018f37b07909ec01928e8b2bc
Link:
https://www.unpac.me/results/fbf6bc42-fb70-427f-ab2e-50d1a92be31e/
SH256 hash:
998d2214e55d69906d35ca50879fff88e9bf0e224e8395800c7422f437ae1bf1
MD5 hash:
cd1261de6639744c3a586541d26cff78
SHA1 hash:
6d34c6fa4706035c67bf50a593790a33383c91da
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/fbf6bc42-fb70-427f-ab2e-50d1a92be31e/
Parent samples :
2fe8dd9df4b9740d580524591e85cf9f1f40dc4db0157c7ec4ff23a424338779
ea3c57beba44f6c55a756624401781f91ff6ad81d2070e9a1ed7e777f8596902
63051a26214380ad54dde0ce6d6568050a9dda22f2f3f52616c355ee0edf4eda
f9deeaaba4135cc9417f0a39a0b2860c88f91015cdee2dc8649f59800c5ef673
73bf87821c4d157431ad75b465ce9f61486b12e8e3e86505c49a19348a3146d5
17ba75bcbbc244b204a9f2d3981df4c3161f53b47f167a1b953eba08e7a4a394
SH256 hash:
ca15057e6a48307194615b3968f03b0047f8ed3b95546b6dfe18682cf452c8b4
MD5 hash:
5b154c37290364bc4b5b51d1e615f8a2
SHA1 hash:
f48acaf7c22a534bf4356898100c3c7a690d8b3b
Link:
https://www.unpac.me/results/fbf6bc42-fb70-427f-ab2e-50d1a92be31e/
SH256 hash:
15f376532c824097bc8ee106fc895d8a4ad69113a3b0aaaeb0cb211a37532a53
MD5 hash:
3a8dadac13b17c3922a02d06b325df36
SHA1 hash:
83fca759dfa25919940786f3028f8d3241e10adb
Link:
https://www.unpac.me/results/fbf6bc42-fb70-427f-ab2e-50d1a92be31e/
SH256 hash:
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
MD5 hash:
85b698363e74ba3c08fc16297ddc284e
SHA1 hash:
171cfea4a82a7365b241f16aebdb2aad29f4f7c0
Link:
https://www.unpac.me/results/fbf6bc42-fb70-427f-ab2e-50d1a92be31e/
SH256 hash:
0236bdd41a9f4817a09664c598f4b2e035e96b37a59cd1a1d974cd5471afe2b0
MD5 hash:
a7bcfca98316af919af92ce90b487bb5
SHA1 hash:
c1b7a3fbf19fe06996a04de604dfeff411ea41e9
Link:
https://www.unpac.me/results/fbf6bc42-fb70-427f-ab2e-50d1a92be31e/
SH256 hash:
ade0b10a5a460a9fd09792d4d625c0b8793e05eb86eadb1ad90e6525b619d42c
MD5 hash:
d2b3e4e48e18c6d30035f4ca2dc852f9
SHA1 hash:
373d181f17782d2ddce09b84a5a86e5e8b642c12
Link:
https://www.unpac.me/results/fbf6bc42-fb70-427f-ab2e-50d1a92be31e/
SH256 hash:
35cae7e1a6efcabcd4840e5a0e1eeaf6602a4da1049ea70de6d0833a4a99ed03
MD5 hash:
6dc9bb7f8495fd34cbd14b6cbe40d5c0
SHA1 hash:
19cc51f3eb256275482f05c9a819f735ee3ed9f8
Link:
https://www.unpac.me/results/fbf6bc42-fb70-427f-ab2e-50d1a92be31e/
SH256 hash:
f9deeaaba4135cc9417f0a39a0b2860c88f91015cdee2dc8649f59800c5ef673
MD5 hash:
e23c1e7f9e64b4f622712d0e0c444672
SHA1 hash:
8110a441ca9e7cb0b2bc9897352f6791c9663f25
Link:
https://www.unpac.me/results/fbf6bc42-fb70-427f-ab2e-50d1a92be31e/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f9deeaaba413/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9deeaaba4135cc9417f0a39a0b2860c88f91015cdee2dc8649f59800c5ef673

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:msil_rc4
Create hunting rule
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:shortloader
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:ShortLoader Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2717230/

Comments