File name:	Team_Visto.exe
Full analysis:	https://app.any.run/tasks/4fa7afaf-b143-4e66-9d1f-1c948a7e20de
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	October 03, 2024, 14:30:23
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	teamviewer remote tvrat rat
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	13C9A389773DD8D080FEF5823C87ACA9
SHA1:	41C0C248B251E02506D21C9179852B3DAF82A380
SHA256:	D26E844975957C8A4CFD7B080F81B5AE6936D7BC3B9DE4E1D9C27237EFD5FF7A
SSDEEP:	98304:JmBuE5pvVllh6DcDJzdG+9BAihPGR5RkwHEnYPU9gQTcOanbFHyMYjqER2vulDlz:EY2tf1B4SF6TyiNUa5616g

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2016:04:03 20:18:56+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	25088
InitializedDataSize:	141824
UninitializedDataSize:	2048
EntryPoint:	0x33b6
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	12.1.29852.0
ProductVersionNumber:	12.0.29852.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
Comments:	TeamViewer Remote Control Application
CompanyName:	TeamViewer
LegalCopyright:	TeamViewer
ProductName:	TeamViewer QS
ProductVersion:	12.0.95388.0


(PID) Process:	(3972) TeamViewer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\DefaultSettings
Operation:	write	Name:	Autostart_GUI
Value: 0
(PID) Process:	(3972) TeamViewer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer\Temp
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3972) TeamViewer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer
Operation:	write	Name:	SRPPasswordMachineIdentifier
Value: A79887F84BB335AA6B834426807D14E8600A5889B8A6FE31C385E255C46F88F5A0F6FE8FB0671043A05095086DEEC47A96E5B1F6F1191A498534AF0040B4ADCF786F75160AE840091ADB86566775B07355C0C146A23148F230EF8E56A125BC991A79DD366266C7CD50EF6DBC36B2D7F592395523A23363BD1E385A8E4E8B513E339E111541E268802F0617977469AB48CDA98BAAB2B2110FEF0F33913E9561301327A577A6FB75C9083577C97BA54D5095055F9E155E7432C0097ABA425ADB8DC349DF91735FF431152C15E3DDD7377A

PID	Process	Filename		Type
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\tvqsfiles.7z		—
		MD5:—	SHA256:—
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe		executable
		MD5:FDD89A559134DACF92D8514608DC9057	SHA256:41DFC0D97681F5516EC0D2E625DD6DE7488DCF8DB5A0CB6C02C29CA5AB33C0C8
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\nsp6DAD.tmp\TvGetVersion.dll		executable
		MD5:26D2702FE2B4668100BF0EF20B516FC7	SHA256:48EE428AAE1D6CFA1FA84380E1A9DB93BB6CE4CEA2DEDEBD4290108EDA2C0C4A
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\nsp6DAD.tmp\nsis7z.dll		executable
		MD5:87853C0F20F065793BDC707ECE66190B	SHA256:66B2F36274DDFEEF35B1D6AE6E5755F834446E5D78A719063347543793987161
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\tv_w32.exe		executable
		MD5:15333F66246459C04B3798F26B5631F2	SHA256:85BF9094BA438C453A9F950AF36EF7353BA982D9A42A38FC19C4C992BF1016AD
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\TeamViewer_Service.exe		executable
		MD5:FE4F4800BC104BF20D57AAD168B58C8B	SHA256:3705D40F388FF4B52C1915013C402A7E4D13511719CE06BE87CB25AD49286826
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\TeamViewer_Note.exe		executable
		MD5:DE0E2A97F9F9A55A208A084A0A877BDC	SHA256:2BD01B57C301AAE1AE9101DA12A413320E574BF4E434517CB15CF03D0EFDD054
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\nsp6DAD.tmp\System.dll		executable
		MD5:0FF2D70CFDC8095EA99CA2DABBEC3CD7	SHA256:982C5FB7ADA7D8C9BC3E419D1C35DA6F05BC5DD845940C179AF3A33D00A36A8B
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\tv_x64.exe		executable
		MD5:E777F2E2B9B46D113A0520E44AF109B8	SHA256:15A13185A90E3B537F0EA955587FC3ECAFC38CDBEB8C8F51B6691F4829CB92ED
5556	Team_Visto.exe	C:\Users\admin\AppData\Local\Temp\TeamViewer\uninstall.exe		executable
		MD5:3DA7C5F0807355DEC2F04607635D79D7	SHA256:6C9E55F0EFFC73316BE436B35561956B47D58ACAB1B583510F2BCE874B158BDB

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5196	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2120	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.97.212.30:443	https://configdl.teamviewer.com/rev/k6ua65s.txt	unknown	text	2 b	unknown
—	—	POST	200	20.189.173.26:443	https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application%2Fbond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-CJS-1.2.0&x-apikey=33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176	unknown	—	—	whitelisted
—	—	GET	200	23.97.212.30:443	https://configdl.teamviewer.com/rev/k6ua65s.txt	unknown	text	2 b	unknown
—	—	GET	200	23.97.212.30:443	https://configdl.teamviewer.com/configs/k6ua65s.zip	unknown	compressed	4.81 Kb	unknown
—	—	GET	200	20.50.2.7:443	https://client.teamviewer.com/taf/index.aspx?language=en&tvModul=3&tvVersion=12.0.95388%20QSC&os=Win&osVersion=Win_10.0.19045_W&accId=0&clientId=486390663&cType=0&license=10000&dps=%5B%201%2C%202%2C%203%2C%207%2C%208%2C%2015%2C%2016%20%5D&jVer=2&oem=&canupdate=1&hadcomcon=0&clientic=0	unknown	binary	99 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
5196	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5196	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2120	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3296	TeamViewer.exe	23.97.212.30:443	configdl.teamviewer.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158 4.231.128.59	whitelisted
google.com	142.250.185.206	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
configdl.teamviewer.com	23.97.212.30	unknown
ping3.teamviewer.com	188.172.192.106 34.141.162.53 188.172.245.140 34.154.114.178 178.255.154.140	shared
master12.teamviewer.com	185.188.32.22	shared
ua-iev-anx-r010.router.teamviewer.com	217.146.2.141	unknown
client.teamviewer.com	20.50.2.7	shared
browser.pipe.aria.microsoft.com	20.189.173.9	whitelisted

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET POLICY TeamViewer Dyngate User-Agent
3972	TeamViewer.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] TeamViewer Connection
3972	TeamViewer.exe	Potential Corporate Privacy Violation	REMOTE [ANY.RUN] TeamViewer

General Info

Team_Visto.exe

13C9A389773DD8D080FEF5823C87ACA9

41C0C248B251E02506D21C9179852B3DAF82A380

D26E844975957C8A4CFD7B080F81B5AE6936D7BC3B9DE4E1D9C27237EFD5FF7A

98304:JmBuE5pvVllh6DcDJzdG+9BAihPGR5RkwHEnYPU9gQTcOanbFHyMYjqER2vulDlz:EY2tf1B4SF6TyiNUa5616g

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

TEAMVIEWER has been detected (SURICATA)

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Drops 7-zip archiver for unpacking

Checks Windows Trust Settings

Potential Corporate Privacy Violation

Application launched itself

Connects to unusual port

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

The process uses the downloaded file

Reads the machine GUID from the registry

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings