Malware Analysis Report

2025-08-05 23:18

Sample ID 250115-2z3rnszpbq
Target d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe
SHA256 d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36
Tags
discovery spyware stealer upx
score
7/10


Analysis Overview

score
7/10

SHA256

d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36

Threat Level: Shows suspicious behavior

The file d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer upx

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-15 23:02

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-15 23:02

Reported

2025-01-15 23:04

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = [certificate blob omitted] C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe N/A
N/A N/A C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe

"C:\Users\Admin\AppData\Local\Temp\d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe"

C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe

"C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe" --qsc --pw ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 8.8.8.8:53 ping3.dyngate.com udp
US 8.8.8.8:53 45.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 master11.teamviewer.com udp
DE 185.188.32.21:80 master11.teamviewer.com tcp
DE 185.188.32.21:80 master11.teamviewer.com tcp
DE 185.188.32.21:80 master11.teamviewer.com tcp
DE 185.188.32.21:80 master11.teamviewer.com tcp
DE 185.188.32.21:80 master11.teamviewer.com tcp
DE 185.188.32.21:80 master11.teamviewer.com tcp
DE 185.188.32.21:80 master11.teamviewer.com tcp
DE 185.188.32.21:80 master11.teamviewer.com tcp
DE 185.188.32.21:80 master11.teamviewer.com tcp
DE 185.188.32.21:80 master11.teamviewer.com tcp
US 8.8.8.8:53 21.32.188.185.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
DE 185.188.32.21:80 master11.teamviewer.com tcp
DE 185.188.32.21:80 master11.teamviewer.com tcp
DE 185.188.32.21:80 master11.teamviewer.com tcp
DE 185.188.32.21:80 master11.teamviewer.com tcp
DE 185.188.32.21:80 master11.teamviewer.com tcp
DE 185.188.32.21:80 master11.teamviewer.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/3188-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nse8473.tmp\TvGetVersion.dll

MD5 409b195108f014b032eb5dd36ca17a12
SHA1 4544950c7c081fb0aeba7971bcf46f2761430f4e
SHA256 52b487ff38814953eae017f2751f8e2fed7284f6faa250266cbd8d749547695f
SHA512 fe981570f6642933c36bbd7b1fef0d7e469600d44ea9e3b94ad94e1b6bb81c98c74c0d1c8673385443daaa3750de4e7eedc49aaf38ccc56c09e2d141e27068db

C:\Users\Admin\AppData\Local\Temp\nse8473.tmp\System.dll

MD5 cfbae93f361e2b430743e423709a483f
SHA1 9d31546592a9e6817025cc5026fee769e9a6c015
SHA256 0f4aac375087f0a5df393d7463bd462193008922136a2aba8619736223ba7add
SHA512 485bc9c83087a1a6f48a5508ee390384c2db93b9d50c295280337dad78b47f65aaa0caea8d6d23ef25f86b73cd2e724cb88a738f6b53037e47225c6522f912b3

C:\Users\Admin\AppData\Local\Temp\nse8473.tmp\Base64.dll

MD5 9459a28dbb2752d59eaa8fbb5cf8c982
SHA1 4ad7eb230cf6d05df967037225fa19dd385bf7cb
SHA256 4688dcd01db816485a770cb8fc047fef9a408f3dbec5a2c83752fee115ce6963
SHA512 7dff6414f4215aa4c7a168158b4ac5dd422c7dd35c6af58bce658c6bf9bf5a3545a5ee0db5f5d47a17c7ae53cb54551b98b492137e36c73e684b2041d775cd97

memory/3188-46-0x0000000010000000-0x00000000100A0000-memory.dmp

C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe

MD5 e15725a55477504ac78a4760b86c7ea3
SHA1 4ce4ff8d2417c10793c072b1534f4e4a42d10ba6
SHA256 81f725fcf5faace66c3bc3ef72468bd80597b5f4474a4441bce4c665e4dac6d4
SHA512 0ce320063a646e81e9750b92e21f91e6a74ab9b296a2163c2e51dbd432b0aac11859b63904dc22abe29572eafa9eac9c5f574de42f9206f577fc6a22b137013f

memory/3188-63-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.ini

MD5 78a6846fe5b1a88197638158ff477b46
SHA1 72d8fdd39917b2523a250da57b455eac83bc2574
SHA256 5d73a02cce54639cb68303515b551e7203151fb3cb6db7eba6094a4a381a7534
SHA512 1f0817267d3a077bba1e66da2658045f1f65e00ac0a6c8c6179a27dfc615d233c03bf6acc2c3cd87b78d4014e8a9af84bcbe9a2c88cd98ec7ab14909f42d93b3

C:\Users\Admin\temp\TeamViewer\Version4\tv.dll

MD5 5a3ebc8826fb07feb11f48a86a1eaed1
SHA1 de801f5968c29a7078740e45aa340b862ec70c55
SHA256 28f18a801edc53df266168bb47f8d9ff3b98cbb6e2c84fa042c7591213a6f3f1
SHA512 edab11c5740799d58fdd0799d0f86c50e0ad53d32904da5d86fc81a13da32a454085e2d5a05473b771580fd13ba1fb64cd0d6794244f3369a154ff5ed52d669b

memory/1172-77-0x0000000003A50000-0x0000000003A51000-memory.dmp

C:\Users\Admin\temp\TeamViewer\Version4\logo.bmp

MD5 36b0c93bfad92bafa45960e6386b0cec
SHA1 ef6f2e3c3ab2038e16a000bcdb341a9e94e9cdb2
SHA256 01742bf0894f1f86bcd4200d8d26b254248e99f9d656993b93bd3b5c553b0cc0
SHA512 6ac361bc1b556156123d5d8720992a7522600ebf883c6747deb560f9ebfd4746640c6f8d104ffcf71f7c6bf5832145f6921ca38e8ed685d852bee9c10db9ebc6

memory/1172-79-0x0000000003A50000-0x0000000003A51000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 23:02

Reported

2025-01-15 23:04

Platform

win7-20240903-en

Max time kernel

37s

Max time network

87s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\QS\SAS.exe C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe N/A
File opened for modification C:\Program Files (x86)\QS\SAS.exe C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe N/A
N/A N/A C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe

"C:\Users\Admin\AppData\Local\Temp\d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe"

C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe

"C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe" --qsc --pw ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 8.8.8.8:53 ping3.dyngate.com udp
US 8.8.8.8:53 master8.teamviewer.com udp
DE 185.188.32.8:80 master8.teamviewer.com tcp
DE 185.188.32.8:80 master8.teamviewer.com tcp
DE 185.188.32.8:80 master8.teamviewer.com tcp
DE 185.188.32.8:80 master8.teamviewer.com tcp
DE 185.188.32.8:80 master8.teamviewer.com tcp
DE 185.188.32.8:80 master8.teamviewer.com tcp
DE 185.188.32.8:80 master8.teamviewer.com tcp
DE 185.188.32.8:80 master8.teamviewer.com tcp
DE 185.188.32.8:80 master8.teamviewer.com tcp
DE 185.188.32.8:80 master8.teamviewer.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.22.5.218:80 www.microsoft.com tcp
DE 185.188.32.8:80 master8.teamviewer.com tcp
DE 185.188.32.8:80 master8.teamviewer.com tcp
DE 185.188.32.8:80 master8.teamviewer.com tcp
DE 185.188.32.8:80 master8.teamviewer.com tcp
DE 185.188.32.8:80 master8.teamviewer.com tcp
DE 185.188.32.8:80 master8.teamviewer.com tcp

Files

memory/1924-0-0x0000000000400000-0x0000000000434000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsj9BC4.tmp\TvGetVersion.dll

MD5 409b195108f014b032eb5dd36ca17a12
SHA1 4544950c7c081fb0aeba7971bcf46f2761430f4e
SHA256 52b487ff38814953eae017f2751f8e2fed7284f6faa250266cbd8d749547695f
SHA512 fe981570f6642933c36bbd7b1fef0d7e469600d44ea9e3b94ad94e1b6bb81c98c74c0d1c8673385443daaa3750de4e7eedc49aaf38ccc56c09e2d141e27068db

\Users\Admin\AppData\Local\Temp\nsj9BC4.tmp\UAC.dll

MD5 7191bf2f751c79e50386b87c458ed2da
SHA1 30df71f1945f0ece8d396042dba84d92f84dbfb6
SHA256 45de80c4ef75ac01fdfca02a0c05c090311cb65b0f52b61e2307494d643466df
SHA512 121143369c5edd732a513c884fa90d0ffc03f3966c46f8feccad09591295890de61dec7872e6fd6cd03ae132287bd1dad44d74b45fc8e623a0fa4a647510ca91

\Users\Admin\AppData\Local\Temp\nsj9BC4.tmp\System.dll

MD5 cfbae93f361e2b430743e423709a483f
SHA1 9d31546592a9e6817025cc5026fee769e9a6c015
SHA256 0f4aac375087f0a5df393d7463bd462193008922136a2aba8619736223ba7add
SHA512 485bc9c83087a1a6f48a5508ee390384c2db93b9d50c295280337dad78b47f65aaa0caea8d6d23ef25f86b73cd2e724cb88a738f6b53037e47225c6522f912b3

\Users\Admin\AppData\Local\Temp\nsj9BC4.tmp\Base64.dll

MD5 9459a28dbb2752d59eaa8fbb5cf8c982
SHA1 4ad7eb230cf6d05df967037225fa19dd385bf7cb
SHA256 4688dcd01db816485a770cb8fc047fef9a408f3dbec5a2c83752fee115ce6963
SHA512 7dff6414f4215aa4c7a168158b4ac5dd422c7dd35c6af58bce658c6bf9bf5a3545a5ee0db5f5d47a17c7ae53cb54551b98b492137e36c73e684b2041d775cd97

memory/1924-46-0x0000000010000000-0x00000000100A0000-memory.dmp

\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe

MD5 e15725a55477504ac78a4760b86c7ea3
SHA1 4ce4ff8d2417c10793c072b1534f4e4a42d10ba6
SHA256 81f725fcf5faace66c3bc3ef72468bd80597b5f4474a4441bce4c665e4dac6d4
SHA512 0ce320063a646e81e9750b92e21f91e6a74ab9b296a2163c2e51dbd432b0aac11859b63904dc22abe29572eafa9eac9c5f574de42f9206f577fc6a22b137013f

memory/1924-65-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.ini

MD5 78a6846fe5b1a88197638158ff477b46
SHA1 72d8fdd39917b2523a250da57b455eac83bc2574
SHA256 5d73a02cce54639cb68303515b551e7203151fb3cb6db7eba6094a4a381a7534
SHA512 1f0817267d3a077bba1e66da2658045f1f65e00ac0a6c8c6179a27dfc615d233c03bf6acc2c3cd87b78d4014e8a9af84bcbe9a2c88cd98ec7ab14909f42d93b3

C:\Users\Admin\temp\TeamViewer\Version4\tv.dll

MD5 5a3ebc8826fb07feb11f48a86a1eaed1
SHA1 de801f5968c29a7078740e45aa340b862ec70c55
SHA256 28f18a801edc53df266168bb47f8d9ff3b98cbb6e2c84fa042c7591213a6f3f1
SHA512 edab11c5740799d58fdd0799d0f86c50e0ad53d32904da5d86fc81a13da32a454085e2d5a05473b771580fd13ba1fb64cd0d6794244f3369a154ff5ed52d669b

C:\Users\Admin\temp\TeamViewer\Version4\SAS.exe

MD5 bf3bcd752bdabfa1f1e84b7462738103
SHA1 34cb8ea7d47467cace271e03b7869f37b0ecb30a
SHA256 90fe790e189c384f2ab82958057f91fdf40888c2ed3c0471bd7b85d5b36c7810
SHA512 6d5362c4d354319845f4522e0d1132c32a6779efc4c013c8c7bd489fddf39cbb5dfb72b135487b660d156d7774e5be4acc03c3fcecdb6dabcfad12630a3f5955

memory/1144-89-0x0000000002160000-0x0000000002161000-memory.dmp

C:\Users\Admin\temp\TeamViewer\Version4\logo.bmp

MD5 36b0c93bfad92bafa45960e6386b0cec
SHA1 ef6f2e3c3ab2038e16a000bcdb341a9e94e9cdb2
SHA256 01742bf0894f1f86bcd4200d8d26b254248e99f9d656993b93bd3b5c553b0cc0
SHA512 6ac361bc1b556156123d5d8720992a7522600ebf883c6747deb560f9ebfd4746640c6f8d104ffcf71f7c6bf5832145f6921ca38e8ed685d852bee9c10db9ebc6

memory/1144-91-0x0000000002160000-0x0000000002161000-memory.dmp