TeamViewer.exe
- File Path:
C:\program files (x86)\TeamViewer\TeamViewer.exe - Description: TeamViewer
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 7D14360DF87D0E19DBEFADADE87A0186 |
| SHA1 | 6DDD60F5AD7F8896DA682921C7B1CB194E0FB303 |
| SHA256 | 26E19F0840E2D4CD80C234742C4449855A26BAA2423BF5E66E30A2F97B985B24 |
| SHA384 | 5C40705BC460D8D6F354063B2CAB9F8AB32E88B54EBC741290BCCA0E817378FA9B49684168BDA7FEA375B322B56E4214 |
| SHA512 | 63A3CE34E26D507664BFE274B0EA7F32EDD238B421FC191938D1B9FBBBB186FD7A0D595431FAF67C5B5AAE6AFC0C49009418D011F1DEA13121DF4572B120F698 |
| SSDEEP | 1572864:it3zCtk+zrqGq2haRR63wKOx84wrETJ0amuHJTH41Q7:it3zCtvg3 |
Runtime Data
Window Title:
TeamViewer
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\crypt32.dll.mui | File |
| (R-D) C:\Windows\SysWOW64\en-US\avicap32.dll.mui | File |
| (R-D) C:\Windows\SysWOW64\en-US\msvfw32.dll.mui | File |
| (R-D) C:\Windows\SysWOW64\en-US\user32.dll.mui | File |
| (RW-) C:\Program Files (x86)\TeamViewer\TeamViewer15_Logfile.log | File |
| (RW-) C:\Users\user\AppData\Local\TeamViewer\Database\tvchatfilecache.db | File |
| (RW-) C:\Users\user\Documents | File |
| (RW-) C:\Windows | File |
| (RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_fd031af45b0106f2 | File |
| (RW-) C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.450_none_4294d6e08a97344a | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\1\BaseNamedObjects\1068HWNDInterface:ca0758 | Section |
| \Sessions\1\BaseNamedObjects\TeamViewerHooks7_SharedMemory | Section |
| \Sessions\1\BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\1\Windows\Theme4048709601 | Section |
| \Windows\Theme603176458 | Section |
Loaded Modules:
| Path |
|---|
| C:\program files (x86)\TeamViewer\TeamViewer.exe |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
Signature
- Status: Signature verified.
- Serial:
0B446546C36525BF5F084F6BBBBA7097 - Thumbprint:
05CDF79B0EFFFF361DAC0363ADAA75B066C49DE0 - Issuer: CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
- Subject: CN=TeamViewer Germany GmbH, O=TeamViewer Germany GmbH, L=Gppingen, S=Baden-Wrttemberg, C=DE
File Metadata
- Original Filename: TeamViewer.exe
- Product Name: TeamViewer
- Company Name: TeamViewer Germany GmbH
- File Version: 15.9.4.0
- Product Version: 15.9.4.0
- Language: English (United Kingdom)
- Legal Copyright: TeamViewer Germany GmbH
Possible Misuse
The following table contains possible examples of TeamViewer.exe being misused. While TeamViewer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proxy_ua_apt.yml | - 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw |
DRL 1.0 |
| sigma | proxy_ua_apt.yml | - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw |
DRL 1.0 |
| sigma | dns_query_win_gotoopener.yml | Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) |
DRL 1.0 |
| sigma | dns_query_win_logmein.yml | Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) |
DRL 1.0 |
| sigma | dns_query_win_susp_teamviewer.yml | title: Suspicious TeamViewer Domain Access |
DRL 1.0 |
| sigma | dns_query_win_susp_teamviewer.yml | description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation) |
DRL 1.0 |
| sigma | dns_query_win_susp_teamviewer.yml | - https://www.teamviewer.com/en-us/ |
DRL 1.0 |
| sigma | dns_query_win_susp_teamviewer.yml | - 'taf.teamviewer.com' |
DRL 1.0 |
| sigma | dns_query_win_susp_teamviewer.yml | - 'udp.ping.teamviewer.com' |
DRL 1.0 |
| sigma | dns_query_win_susp_teamviewer.yml | Image\|contains: 'TeamViewer' |
DRL 1.0 |
| sigma | dns_query_win_susp_teamviewer.yml | - Unknown binary names of TeamViewer |
DRL 1.0 |
| sigma | file_event_win_anydesk_artefact.yml | Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) |
DRL 1.0 |
| sigma | file_event_win_gotoopener_artefact.yml | Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) |
DRL 1.0 |
| sigma | file_event_win_install_teamviewer_desktop.yml | title: Installation of TeamViewer Desktop |
DRL 1.0 |
| sigma | file_event_win_install_teamviewer_desktop.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows |
DRL 1.0 |
| sigma | file_event_win_screenconnect_artefact.yml | Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) |
DRL 1.0 |
| sigma | file_event_win_susp_teamviewer_remote_session.yml | title: TeamViewer Remote Session |
DRL 1.0 |
| sigma | file_event_win_susp_teamviewer_remote_session.yml | description: Detects the creation of log files during a TeamViewer remote session |
DRL 1.0 |
| sigma | file_event_win_susp_teamviewer_remote_session.yml | - https://www.teamviewer.com/en-us/ |
DRL 1.0 |
| sigma | file_event_win_susp_teamviewer_remote_session.yml | - '\TeamViewer\RemotePrinting\tvprint.db' |
DRL 1.0 |
| sigma | file_event_win_susp_teamviewer_remote_session.yml | - '\TeamViewer\TVNetwork.log' |
DRL 1.0 |
| sigma | file_event_win_susp_teamviewer_remote_session.yml | - '\TeamViewer' |
DRL 1.0 |
| sigma | file_event_win_susp_teamviewer_remote_session.yml | - Legitimate uses of TeamViewer in an organisation |
DRL 1.0 |
| sigma | proc_creation_win_anydesk.yml | Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) |
DRL 1.0 |
| sigma | proc_creation_win_gotoopener.yml | Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) |
DRL 1.0 |
| sigma | proc_creation_win_logmein.yml | Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) |
DRL 1.0 |
| sigma | proc_creation_win_screenconnect.yml | Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) |
DRL 1.0 |
| atomic-red-team | index.md | - Atomic Test #10: Delete TeamViewer Log Files [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #10: Delete TeamViewer Log Files [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1070.004.md | - Atomic Test #10 - Delete TeamViewer Log Files | MIT License. © 2018 Red Canary |
| atomic-red-team | T1070.004.md | ## Atomic Test #10 - Delete TeamViewer Log Files | MIT License. © 2018 Red Canary |
| atomic-red-team | T1070.004.md | Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1070.004.md | This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer | MIT License. © 2018 Red Canary |
| atomic-red-team | T1070.004.md | | teamviewer_log_file | Teamviewer log file to delete. Run the prereq command to create it if it does not exist. | String | $env:TEMP\TeamViewer_54.log| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1219.md | <blockquote>An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1219.md | Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy)</blockquote> | MIT License. © 2018 Red Canary |
| atomic-red-team | T1219.md | - Atomic Test #1 - TeamViewer Files Detected Test on Windows | MIT License. © 2018 Red Canary |
| atomic-red-team | T1219.md | ## Atomic Test #1 - TeamViewer Files Detected Test on Windows | MIT License. © 2018 Red Canary |
| atomic-red-team | T1219.md | An adversary may attempt to trick the user into downloading teamviewer and using this to maintain access to the machine. Download of TeamViewer installer will be at the destination location when sucessfully executed. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1219.md | Invoke-WebRequest -OutFile C:\Users$env:username\Desktop\TeamViewer_Setup.exe https://download.teamviewer.com/download/TeamViewer_Setup.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1219.md | Start-Process ‘C:\Program Files (x86)\TeamViewer\TeamViewer.exe’ | MIT License. © 2018 Red Canary |
| atomic-red-team | T1219.md | $file = ‘C:\Program Files (x86)\TeamViewer\uninstall.exe’ | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.004.md | type C:\temp\evil.exe > “C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe” | MIT License. © 2018 Red Canary |
| signature-base | generic_anomalies.yar | and not filepath contains “teamviewer” | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | and not filepath contains “teamviewer” | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.