MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb7aa09ede64e5eafc124a2c52eba9777fa619185dc272a689be91ec926273a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TeamBot

Vendor detections: 17

Intelligence 17 IOCs YARA File information Comments

SHA256 hash:	fb7aa09ede64e5eafc124a2c52eba9777fa619185dc272a689be91ec926273a7
SHA3-384 hash:	700af0e4427f7e8cd3962c9b9d369451fc089aaf0a9a5c4f58e94f941cd496babeeb934e245d386a9804f3508944ad85
SHA1 hash:	eacc949fa8b830f3049bb81461c5b87f7d7769d8
MD5 hash:	8cbef39831b560ce8f5c957f93d1f343
humanhash:	artist-violet-moon-jupiter
File name:	setup.exe
Download:	download sample
Signature	TeamBot Create hunting rule
File size:	821'760 bytes
First seen:	2023-03-29 02:04:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	25babacd02a2b569479e22be1b5bfe7e (6 x Smoke Loader, 3 x Stop, 1 x Amadey)
ssdeep	12288:sfNKsuZQdqiW2xxHXXxebgF7B1DkDwYJM60my977:5suZQMYXXxebgF73DklMRNv
Threatray	2'311 similar samples on MalwareBazaar
TLSH	T12305F1021FE07860E51F56728E1EC7F46B1EBC61CE5ABB5A1638ED3F0AB6171D266301
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0041a15012080110 (1 x TeamBot)
Reporter	Chainskilabs
Tags:	exe TeamBot

Intelligence

File Origin

# of uploads :

# of downloads :

275

Origin country :

Vendor Threat Intelligence

Malware family:

stop

ID:

File name:

setup.exe

Verdict:

Malicious activity

Analysis date:

2023-03-29 02:10:01 UTC

Tags:

ransomware stop loader

Link:

https://app.any.run/tasks/d349f26c-0ab0-49fc-a7b0-d75b64f7a243

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

STOP

Link:

https://www.capesandbox.com/analysis/378344/

Detection(s):

Sanesecurity.Malware.29154.BadIN.UNOFFICIAL

Win.Packed.Dropperx-9994664-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending an HTTP GET request

Creating a file

Launching a process

Creating a process with a hidden window

Adding an access-denied ACE

Сreating synchronization primitives

Deleting a recently created file

Searching for synchronization primitives

Query of malicious DNS domain

Sending a TCP request to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult crypter greyware lockbit packed ransomx

Link:

https://www.filescan.io/uploads/64239cce688c0e6397b35067/reports/499b36a4-5107-4230-92c6-2718beded857/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/fb7aa09ede64e5eafc124a2c52eba9777fa619185dc272a689be91ec926273a7

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ab952d08-14e9-4180-ac5c-e752ee3406bc

Result

Threat name:

Djvu

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1203995

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Djvu Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fb7aa09ede64e5eafc124a2c52eba9777fa619185dc272a689be91ec926273a7/

Threat name:

Win32.Trojan.Rhadamathys

Status:

Malicious

First seen:

2023-03-29 01:51:42 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 36 (63.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7n5kbhw6mts6v7asjiwff25jo572mgiylxbhfjujx2i6zetcootq._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:djvu family:vidar botnet:5df88deb5dde677ba658b77ad5f60248 discovery persistence ransomware spyware stealer

Link:

https://tria.ge/reports/230329-cht1rsed37/

Behaviour

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Creates scheduled task(s)

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Downloads MZ/PE file

Detected Djvu ransomware

Djvu Ransomware

Vidar

Malware Config

C2 Extraction:

http://zexeq.com/raud/get.php
https://steamcommunity.com/profiles/76561199489580435
https://t.me/tabootalks

Unpacked files

SH256 hash:

a21de1afb97797236adc5fd6df4ebeb458fbf27e309e95ff9455c5ed852d3016

MD5 hash:

9de306e49c719a6bcfa520b86785bd9d

SHA1 hash:

47054574330c6dd1fa494a02bee3ec205adb6a45

Detections:

win_stop_auto

Link:

https://www.unpac.me/results/bb190260-f2f1-4767-b2e7-ef702b38c8f9/

Parent samples :

e126567c35beb7552d060b99decf67b741751568641f333438b751ea86d41c98
d2dd7ba12e662280a3fc4981c9d1fe8afa58873fc3c4d63f033d2089a5f977bc
3592a149b30cc1e04f719253764330d231b7b6a1108500a172c3faaf0e979c03
a92097460fb6fc1e6fe914c7bd3511d6035c79fe78ba76f991f4c14966cae17c
fb7aa09ede64e5eafc124a2c52eba9777fa619185dc272a689be91ec926273a7
c263e2ca68a69bfa1cb3a474741bc00132b197c737aa8dd172b2719c740f47c2
6bb90befd2e45a6caaa4ccd0b47dfa0453b28f0b89c62f78c628e1936fdcb49a
93bdde6b091f62d424324f740b373fff288c577e8224c2de5357dbd464b17763
3831c1920a78710469666ff58511c7ccfb33706adbd8c8b0ebc92e4e18674dbe

SH256 hash:

fb7aa09ede64e5eafc124a2c52eba9777fa619185dc272a689be91ec926273a7

MD5 hash:

8cbef39831b560ce8f5c957f93d1f343

SHA1 hash:

eacc949fa8b830f3049bb81461c5b87f7d7769d8

Link:

https://www.unpac.me/results/bb190260-f2f1-4767-b2e7-ef702b38c8f9/

Malware family:

STOP

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fb7aa09ede64/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fb7aa09ede64e5eafc124a2c52eba9777fa619185dc272a689be91ec926273a7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TeamBot

exe fb7aa09ede64e5eafc124a2c52eba9777fa619185dc272a689be91ec926273a7

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/378344/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample