File name:	Team_Visto.exe
Full analysis:	https://app.any.run/tasks/4fa7afaf-b143-4e66-9d1f-1c948a7e20de
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	October 03, 2024, 14:30:23
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	teamviewer remote tvrat rat
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	13C9A389773DD8D080FEF5823C87ACA9
SHA1:	41C0C248B251E02506D21C9179852B3DAF82A380
SHA256:	D26E844975957C8A4CFD7B080F81B5AE6936D7BC3B9DE4E1D9C27237EFD5FF7A
SSDEEP:	98304:JmBuE5pvVllh6DcDJzdG+9BAihPGR5RkwHEnYPU9gQTcOanbFHyMYjqER2vulDlz:EY2tf1B4SF6TyiNUa5616g

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2016:04:03 20:18:56+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	25088
InitializedDataSize:	141824
UninitializedDataSize:	2048
EntryPoint:	0x33b6
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	12.1.29852.0
ProductVersionNumber:	12.0.29852.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
Comments:	TeamViewer Remote Control Application
CompanyName:	TeamViewer
LegalCopyright:	TeamViewer
ProductName:	TeamViewer QS
ProductVersion:	12.0.95388.0


(PID) Process:	(3972) TeamViewer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\DefaultSettings
Operation:	write	Name:	Autostart_GUI
Value: 0
(PID) Process:	(3972) TeamViewer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\Temp
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3972) TeamViewer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer
Operation:	write	Name:	SRPPasswordMachineIdentifier
Value: A79887F84BB335AA6B834426807D14E8600A5889B8A6FE31C385E255C46F88F5A0F6FE8FB0671043A05095086DEEC47A96E5B1F6F1191A498534AF0040B4ADCF786F75160AE840091ADB86566775B07355C0C146A23148F230EF8E56A125BC991A79DD366266C7CD50EF6DBC36B2D7F592395523A23363BD1E385A8E4E8B513E339E111541E268802F0617977469AB48CDA98BAAB2B2110FEF0F33913E9561301327A577A6FB75C9083577C97BA54D5095055F9E155E7432C0097ABA425ADB8DC349DF91735FF431152C15E3DDD7377A

PID	Process	Filename		Type
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\tvqsfiles.7z		—
		MD5:—	SHA256:—
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\nsp6DAD.tmp\TvGetVersion.dll		executable
		MD5:26D2702FE2B4668100BF0EF20B516FC7	SHA256:48EE428AAE1D6CFA1FA84380E1A9DB93BB6CE4CEA2DEDEBD4290108EDA2C0C4A
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\uninstall.exe		executable
		MD5:3DA7C5F0807355DEC2F04607635D79D7	SHA256:6C9E55F0EFFC73316BE436B35561956B47D58ACAB1B583510F2BCE874B158BDB
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\TeamViewer_Resource_cs.dll		executable
		MD5:4B099BA97A61AD54625C5BCC0D52B418	SHA256:BB53351237A56A8351742FFAE675CC645C60E49759664BE2EFE7FC293BA66F2B
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\TeamViewer_Resource_ar.dll		executable
		MD5:C4508DB55C0D38979A13D797A6C00BB2	SHA256:FD562286031EA697C4DF94B9DC9B55239722739089790BA9304A6FA4C68C8FE6
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\tv_w32.exe		executable
		MD5:15333F66246459C04B3798F26B5631F2	SHA256:85BF9094BA438C453A9F950AF36EF7353BA982D9A42A38FC19C4C992BF1016AD
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\TeamViewer_Resource_de.dll		executable
		MD5:7C05C091B323F3B531BAFE158C1FB4D2	SHA256:532A403040577572A8EBC37EF35464167638953D58C018D4EA98CBB25E7F3F62
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\TeamViewer_Resource_fr.dll		executable
		MD5:2F36CB5570DAA0C36B5529F8A9501CA7	SHA256:0EBECCE8967F5B4058F0768C0F824A6D8B8B00BB544D69FB39BC0C764626D1C5
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\TeamViewer_Resource_es.dll		executable
		MD5:3BEBEF4F57DC74373DD3ABB165ABE833	SHA256:910FF04CEA4A2CF1610D480322D25AAA8315F048AE21A5EA73BED034D4E472D3
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\TeamViewer_Resource_fi.dll		executable
		MD5:504E9900DB5E0669216D46FD08FEF94A	SHA256:114270BB1A9E9BAC6F3E4624E08105AEB304CE4C7AD9F0A93FB8984D13B0E261

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5196	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2120	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.97.212.30:443	https://configdl.teamviewer.com/rev/k6ua65s.txt	unknown	text	2 b	unknown
—	—	GET	200	23.97.212.30:443	https://configdl.teamviewer.com/rev/k6ua65s.txt	unknown	text	2 b	unknown
—	—	GET	200	23.97.212.30:443	https://configdl.teamviewer.com/configs/k6ua65s.zip	unknown	compressed	4.81 Kb	unknown
—	—	POST	200	20.189.173.26:443	https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application%2Fbond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-CJS-1.2.0&x-apikey=33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176	unknown	—	—	whitelisted
—	—	GET	200	20.50.2.7:443	https://client.teamviewer.com/taf/index.aspx?language=en&tvModul=3&tvVersion=12.0.95388%20QSC&os=Win&osVersion=Win_10.0.19045_W&accId=0&clientId=486390663&cType=0&license=10000&dps=%5B%201%2C%202%2C%203%2C%207%2C%208%2C%2015%2C%2016%20%5D&jVer=2&oem=&canupdate=1&hadcomcon=0&clientic=0	unknown	binary	99 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
5196	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5196	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2120	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3296	TeamViewer.exe	23.97.212.30:443	configdl.teamviewer.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158 4.231.128.59	whitelisted
google.com	142.250.185.206	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
configdl.teamviewer.com	23.97.212.30	unknown
ping3.teamviewer.com	188.172.192.106 34.141.162.53 188.172.245.140 34.154.114.178 178.255.154.140	shared
master12.teamviewer.com	185.188.32.22	shared
ua-iev-anx-r010.router.teamviewer.com	217.146.2.141	unknown
client.teamviewer.com	20.50.2.7	shared
browser.pipe.aria.microsoft.com	20.189.173.9	whitelisted

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET POLICY TeamViewer Dyngate User-Agent
3972	TeamViewer.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] TeamViewer Connection
3972	TeamViewer.exe	Potential Corporate Privacy Violation	REMOTE [ANY.RUN] TeamViewer

General Info

Team_Visto.exe

13C9A389773DD8D080FEF5823C87ACA9

41C0C248B251E02506D21C9179852B3DAF82A380

D26E844975957C8A4CFD7B080F81B5AE6936D7BC3B9DE4E1D9C27237EFD5FF7A

98304:JmBuE5pvVllh6DcDJzdG+9BAihPGR5RkwHEnYPU9gQTcOanbFHyMYjqER2vulDlz:EY2tf1B4SF6TyiNUa5616g

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

TEAMVIEWER has been detected (SURICATA)

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Reads security settings of Internet Explorer

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Connects to unusual port

Application launched itself

Potential Corporate Privacy Violation

Checks Windows Trust Settings

Drops 7-zip archiver for unpacking

INFO

Checks supported languages

Reads the computer name

The process uses the downloaded file

Create files in a temporary directory

Reads the machine GUID from the registry

Reads the software policy settings

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings