MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0233c12c35fab930d9dd2905bd9e1c379ac1d04d0a46bd6a079ba891ff9612af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stop


Vendor detections: 13



SHA256 hash: 0233c12c35fab930d9dd2905bd9e1c379ac1d04d0a46bd6a079ba891ff9612af
SHA3-384 hash: 70ddef569cea8ad24c7a26a846f24f2aa554bb8d0ef17df126ab0667abeae6900204f42ff1c8a6282f5719d776ab2c1e
SHA1 hash: 6ce4f551ee1ff104505b89fe31e3da33b45b353a
MD5 hash: bc6223ec3cd93fede9035414595d61d9
humanhash: nevada-cardinal-high-kilo
File name: bc6223ec3cd93fede9035414595d61d9.exe
Download: download sample
Signature: Stop
File size: 706'560 bytes
First seen: 2022-08-01 21:55:27 UTC
Last seen: 2022-08-01 22:45:57 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 927f18a9d3e2f571a51e8054d3985b4f (1 x Stop, 1 x SystemBC, 1 x RedLineStealer)
ssdeep: 12288:GTYCsTXzLbdBFAcsxGreU/iENjdnayqFCKrF3FBbA:GEnXFdsxGrePo8/NzA
TLSH: T1B3E4122073E19875DDE356354A7497A1AE6B79222A74888F7B14133CFF606C07A7C32B
TrID: 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      7.7% (.EXE) OS/2 Executable (generic) (2029/13)
      7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE): PE icon
dhash icon: 38b078cccacccc53 (62 x Smoke Loader, 25 x Stop, 21 x RedLineStealer)
Reporter: abuse_ch
Tags: exe Stop


abuse_ch
Stop C2:
http://95.217.246.212/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://95.217.246.212/
ThreatFox reference: https://threatfox.abuse.ch/ioc/840933/

Intelligence


File Origin
# of uploads :
2
# of downloads :
378
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Creating synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
8/10
Tags:
n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
greyware packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Verdict:
Malicious
Result
Threat name:
Djvu, Vidar
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 676990; sample ugsxQWziN4.exe; start date 01/08/2022; architecture WINDOWS; score 100)

Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 10 other signatures.

Process tree (node numbers as in the graph):

2 start
  13 ugsxQWziN4.exe
    Signatures: Writes many files with high entropy; Injects a PE file into a foreign processes
    22 ugsxQWziN4.exe (1 17)
      Network: api.2ip.ua 162.0.217.254, 443, 49755, 49756 (ACPCA, Canada)
      Dropped: C:\Users\...\ugsxQWziN4.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\ugsxQWziN4.exe (MS-DOS)
      32 ugsxQWziN4.exe
        Signature: Injects a PE file into a foreign processes
        37 ugsxQWziN4.exe (1 23)
          Network: acacaca.org 110.14.121.125, 49757, 49759, 80 (SKB-ASSKBroadbandCoLtdKR, Korea Republic of); rgyui.top 210.92.250.133, 49758, 80 (LGDACOMLGDACOMCorporationKR, Korea Republic of); api.2ip.ua
          Dropped: C:\Users\user\AppData\Local\...\build2[1].exe (PE32); C:\_readme.txt (ASCII); C:\Users\...\SmartScreenCache.dat.vveo (copy) (data); 43 other files (38 malicious)
          Signature: Modifies existing user documents (likely ransomware behavior)
          42 build2.exe
            Signatures: Detected unpacking (creates a PE file in dynamic memory); Sample uses process hollowing technique
            45 build2.exe
              Network: t.me 149.154.167.99, 443, 49766 (TELEGRAMRU, United Kingdom); 95.217.246.212, 49767, 80 (HETZNER-ASDE, Germany)
              Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
              49 cmd.exe
                51 conhost.exe
                  57 conhost.exe
                53 taskkill.exe
                55 timeout.exe
      35 icacls.exe
  16 ugsxQWziN4.exe
    26 ugsxQWziN4.exe (12)
  18 ugsxQWziN4.exe
    28 ugsxQWziN4.exe (12)
      Network: 192.168.2.1 (unknown)
  20 ugsxQWziN4.exe
    30 ugsxQWziN4.exe
Threat name:
Win32.Trojan.RedLine
Status:
Malicious
First seen:
2022-08-01 18:43:40 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
23 of 26 (88.46%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
Score:
10/10
Tags:
family:djvu family:vidar botnet:517 discovery persistence ransomware spyware stealer
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Downloads MZ/PE file
Executes dropped EXE
Detected Djvu ransomware
Djvu Ransomware
Vidar
Malware Config
C2 Extraction:
http://acacaca.org/fhsgtsspen6/get.php
https://t.me/cheaptrains
https://mastodon.social/@ffolegg94
Unpacked files
SHA256 hash:
2d993966223f9e5e54104da1a4432796cb404ec5aa0c80c6f59053a19432909c
MD5 hash:
e039ac840b5dcebc6d241eb5d6fcbf92
SHA1 hash:
d9ca97d692b6df8063dad7b952a0e031fe3899e8
Detections:
win_stop_auto
Parent samples :
125f585eab3177c154ed5fe243f4417a51e0ca2c3793a17c5c78d96297a3178c
fee2107bea8cccba3a5ee33cc7ab66c0c4494f19211d829483e50713326da4d3
5b65c5510322530f4abfe6446edda29609d8989ad53614c75634bb1c2c9af395
520a51268d301ee757d97b617758c1110a6cc91d1e1387d57abd4c3f7131b336
17ed810d90f3bb088e2522fb72ae260be6c51da60e6181f166e24a10eb796c97
8c2e9284e983ceef11b73b585ec1def479fe4861685ae4ba17c9ce0367796f94
c888e619328ea2038b36269f3e04edf1ddfd8abb5c5354b85ca1efdeb6a09665
abbacb7399152ab2d433b53f1a267c928be0723a72d00e7592d95335f973e6df
a482097fd8842a2c06a53b65671a520c894858ecf98d0a2a28b1a2d6203f40be
e2b3da8d14d014deeb7e5060d84b325949f38d2c97943f948f2c6cc27ea549c3
c979073b7b3fbd634965151b8eef27a4133606468bfd358ac21bc24fac62b347
4415e5241c3772536b77ba46a6ebd25996929976392353066a0242450a7e1769
835432a2d3e090695bd3c5a33dbad4fea2812574d14b7a35824d2da0c9b1d1e0
68ebbccc69f5a723a9e6b043e0635a9faa2b152869dcf91cb25b3178cc7605a0
af0993f99a960d8ba4b2cbea959c4ab4ca83bc3c13f7d8da3560a118b253f1eb
198c71bdd5274a68b4d0b4a6de12cf3a4e942b7fe6dfca74c8d2231734b11a76
4677ed8abd40be0dfb0a619a941361436cf8fbf3f1720fd3d93624f4cd97d31f
8bc73215171bdb3ebc39873e2a2e085a5ab2dabd6616fcdf79beba118d00e97d
cad1e059313d17cdfa5c63ef4e99f8f7e38e2741aab0947a2075b86f345fef68
8488228e9da15a7468ce9469ad159c41ff2021525b3c0ab47a8f2e5b5bd90670
4def6a06acbd299ccb45aa12992c846c5ca8e352c215065d169db818f44d4557
0233c12c35fab930d9dd2905bd9e1c379ac1d04d0a46bd6a079ba891ff9612af
bba3f787ad9e52f3964d51190ee889a590ab81bcf341eeabe5f226cf2f3eb3e2
bfacecf810b14187b30c9ee86f066dff0f3675b8b1bcf4c05f13af88ef1fbf51
58b70f07241065a3febcfb419e7b1a3a4c0e63d0d4d978bbd3ba329092d737b5
d8195ca0091f9d86ecb281a497456ef0d084ecad4f8f1a8caef6b570d5abdc14
d06f5d3657996e3b3a342d96e3b859ba3bbaa1dd3e59d6a3f88f385317ab7d45
298595ed376152c56fa4ba8ee453be7f12fac8175f6b64bd0dcd8ef7641d784c
897afcd11e6b3d400943267334bb66a460bf58c2e035f1367fcf57fd60989bd7
f409d0e94acc4c29dac55fc1196d9d9ad4f5a47223e3381003731fac147c651a
80d5c6f6ce20885e243eaa54cc71d0d9890c98f4458e2c4c9a2b69019499076e
6718c35947bf87c571c55debaf8e71aa017162ac6e3b9126f670ac94817f390e
38cbd610f38e27ae9927d723806923926d206f9552f4d5b38891f1c7ea422f37
688af7fad79c9afe7b00646aaaee46d2328a8c5d10a71865d11447b98af905f5
248ee491268455c00f934e8867fbef87e4b756c8a0004a9e580d575c5793f6b3
b065240e43335f44f4d113f0566093bb40f3dcabc37bc52ee6155ee002f76d86
3887028a0090bfa67d9c9ead0a6e30b0fd41a0ab974e2cdf4fb4fffc0f505f3d
36bf00125e0982c8037f04ad0dd3a354b5e8c95fe899c3083344730d0f4c2682
a4f6fc8c12b08c7957bd3c76abbfa82157ab298c89a769c0ed06e14a5b830bcb
ebe9d795ebe7b5b98a4d4eb27bcdfaee9d9567424a563cc74ffb4fd2fa712744
SHA256 hash:
0233c12c35fab930d9dd2905bd9e1c379ac1d04d0a46bd6a079ba891ff9612af
MD5 hash:
bc6223ec3cd93fede9035414595d61d9
SHA1 hash:
6ce4f551ee1ff104505b89fe31e3da33b45b353a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_STOP
Author: ditekSHen
Description: Detects STOP ransomware

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: win_stop_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.stop.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Stop
File type: Executable exe
SHA256 hash: 0233c12c35fab930d9dd2905bd9e1c379ac1d04d0a46bd6a079ba891ff9612af (this sample)

Comments