TeamViewer.exe

  • File Path: C:\program files (x86)\TeamViewer\TeamViewer.exe
  • Description: TeamViewer

Screenshot

TeamViewer.exe TeamViewer.exe

Hashes

Type Hash
MD5 7D14360DF87D0E19DBEFADADE87A0186
SHA1 6DDD60F5AD7F8896DA682921C7B1CB194E0FB303
SHA256 26E19F0840E2D4CD80C234742C4449855A26BAA2423BF5E66E30A2F97B985B24
SHA384 5C40705BC460D8D6F354063B2CAB9F8AB32E88B54EBC741290BCCA0E817378FA9B49684168BDA7FEA375B322B56E4214
SHA512 63A3CE34E26D507664BFE274B0EA7F32EDD238B421FC191938D1B9FBBBB186FD7A0D595431FAF67C5B5AAE6AFC0C49009418D011F1DEA13121DF4572B120F698
SSDEEP 1572864:it3zCtk+zrqGq2haRR63wKOx84wrETJ0amuHJTH41Q7:it3zCtvg3

Runtime Data

Window Title:

TeamViewer

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\crypt32.dll.mui File
(R-D) C:\Windows\SysWOW64\en-US\avicap32.dll.mui File
(R-D) C:\Windows\SysWOW64\en-US\msvfw32.dll.mui File
(R-D) C:\Windows\SysWOW64\en-US\user32.dll.mui File
(RW-) C:\Program Files (x86)\TeamViewer\TeamViewer15_Logfile.log File
(RW-) C:\Users\user\AppData\Local\TeamViewer\Database\tvchatfilecache.db File
(RW-) C:\Users\user\Documents File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_fd031af45b0106f2 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.450_none_4294d6e08a97344a File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\1068HWNDInterface:ca0758 Section
\Sessions\1\BaseNamedObjects\TeamViewerHooks7_SharedMemory Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\Windows\Theme4048709601 Section
\Windows\Theme603176458 Section

Loaded Modules:

Path
C:\program files (x86)\TeamViewer\TeamViewer.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 0B446546C36525BF5F084F6BBBBA7097
  • Thumbprint: 05CDF79B0EFFFF361DAC0363ADAA75B066C49DE0
  • Issuer: CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: CN=TeamViewer Germany GmbH, O=TeamViewer Germany GmbH, L=Gppingen, S=Baden-Wrttemberg, C=DE

File Metadata

  • Original Filename: TeamViewer.exe
  • Product Name: TeamViewer
  • Company Name: TeamViewer Germany GmbH
  • File Version: 15.9.4.0
  • Product Version: 15.9.4.0
  • Language: English (United Kingdom)
  • Legal Copyright: TeamViewer Germany GmbH

Possible Misuse

The following table contains possible examples of TeamViewer.exe being misused. While TeamViewer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proxy_ua_apt.yml - 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw DRL 1.0
sigma dns_query_win_gotoopener.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma dns_query_win_logmein.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma dns_query_win_susp_teamviewer.yml title: Suspicious TeamViewer Domain Access DRL 1.0
sigma dns_query_win_susp_teamviewer.yml description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation) DRL 1.0
sigma dns_query_win_susp_teamviewer.yml - https://www.teamviewer.com/en-us/ DRL 1.0
sigma dns_query_win_susp_teamviewer.yml - 'taf.teamviewer.com' DRL 1.0
sigma dns_query_win_susp_teamviewer.yml - 'udp.ping.teamviewer.com' DRL 1.0
sigma dns_query_win_susp_teamviewer.yml Image\|contains: 'TeamViewer' DRL 1.0
sigma dns_query_win_susp_teamviewer.yml - Unknown binary names of TeamViewer DRL 1.0
sigma file_event_win_anydesk_artefact.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma file_event_win_gotoopener_artefact.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma file_event_win_install_teamviewer_desktop.yml title: Installation of TeamViewer Desktop DRL 1.0
sigma file_event_win_install_teamviewer_desktop.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows DRL 1.0
sigma file_event_win_screenconnect_artefact.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma file_event_win_susp_teamviewer_remote_session.yml title: TeamViewer Remote Session DRL 1.0
sigma file_event_win_susp_teamviewer_remote_session.yml description: Detects the creation of log files during a TeamViewer remote session DRL 1.0
sigma file_event_win_susp_teamviewer_remote_session.yml - https://www.teamviewer.com/en-us/ DRL 1.0
sigma file_event_win_susp_teamviewer_remote_session.yml - '\TeamViewer\RemotePrinting\tvprint.db' DRL 1.0
sigma file_event_win_susp_teamviewer_remote_session.yml - '\TeamViewer\TVNetwork.log' DRL 1.0
sigma file_event_win_susp_teamviewer_remote_session.yml - '\TeamViewer' DRL 1.0
sigma file_event_win_susp_teamviewer_remote_session.yml - Legitimate uses of TeamViewer in an organisation DRL 1.0
sigma proc_creation_win_anydesk.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma proc_creation_win_gotoopener.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma proc_creation_win_logmein.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
sigma proc_creation_win_screenconnect.yml Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) DRL 1.0
atomic-red-team index.md - Atomic Test #10: Delete TeamViewer Log Files [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #10: Delete TeamViewer Log Files [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows] MIT License. © 2018 Red Canary
atomic-red-team T1070.004.md - Atomic Test #10 - Delete TeamViewer Log Files MIT License. © 2018 Red Canary
atomic-red-team T1070.004.md ## Atomic Test #10 - Delete TeamViewer Log Files MIT License. © 2018 Red Canary
atomic-red-team T1070.004.md Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration. MIT License. © 2018 Red Canary
atomic-red-team T1070.004.md This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer MIT License. © 2018 Red Canary
atomic-red-team T1070.004.md | teamviewer_log_file | Teamviewer log file to delete. Run the prereq command to create it if it does not exist. | String | $env:TEMP\TeamViewer_54.log| MIT License. © 2018 Red Canary
atomic-red-team T1219.md <blockquote>An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) MIT License. © 2018 Red Canary
atomic-red-team T1219.md Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1219.md - Atomic Test #1 - TeamViewer Files Detected Test on Windows MIT License. © 2018 Red Canary
atomic-red-team T1219.md ## Atomic Test #1 - TeamViewer Files Detected Test on Windows MIT License. © 2018 Red Canary
atomic-red-team T1219.md An adversary may attempt to trick the user into downloading teamviewer and using this to maintain access to the machine. Download of TeamViewer installer will be at the destination location when sucessfully executed. MIT License. © 2018 Red Canary
atomic-red-team T1219.md Invoke-WebRequest -OutFile C:\Users$env:username\Desktop\TeamViewer_Setup.exe https://download.teamviewer.com/download/TeamViewer_Setup.exe MIT License. © 2018 Red Canary
atomic-red-team T1219.md Start-Process ‘C:\Program Files (x86)\TeamViewer\TeamViewer.exe’ MIT License. © 2018 Red Canary
atomic-red-team T1219.md $file = ‘C:\Program Files (x86)\TeamViewer\uninstall.exe’ MIT License. © 2018 Red Canary
atomic-red-team T1564.004.md type C:\temp\evil.exe > “C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe” MIT License. © 2018 Red Canary
signature-base generic_anomalies.yar and not filepath contains “teamviewer” CC BY-NC 4.0
signature-base thor_inverse_matches.yar and not filepath contains “teamviewer” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.