MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04de22830fa69312a1bdfc67e614c558800dac225482cb20fa844c4c93707eca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stop

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	04de22830fa69312a1bdfc67e614c558800dac225482cb20fa844c4c93707eca
SHA3-384 hash:	702b27af877fdfd46f8287e56b9fb70aae854340a4f4b42d2d1e2c21b0c53993c76c844f3bd83f81e880b1fc80ef96b5
SHA1 hash:	f9ba42671e09cb48cd936078ce97f464c02c3337
MD5 hash:	7a4e45f5f1df2b8c8c85c130cc80be35
humanhash:	georgia-uranus-emma-cold
File name:	04de22830fa69312a1bdfc67e614c558800dac225482cb20fa844c4c93707eca
Download:	download sample
Signature	Stop Create hunting rule
File size:	752'128 bytes
First seen:	2023-05-18 13:36:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3547ca43eea0a55e45859d2d3c2d6f0b (2 x Stop, 1 x RedLineStealer)
ssdeep	12288:/d6F3vNpTQ7/UMu6LR3rJwQe6f5vEZ63hHiIlsL1GKV3iZj:uvHXMu6LRloWtQChHiIiL1GKV3
TLSH	T17AF4222376D1D0B2F293167584A0CAB28F36787107A159CF6BD0163E0FB97E1CAB5399
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	101070c4f8704040 (1 x Stop)
Reporter	JaffaCakes118
Tags:	Stop

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

stop

ID:

File name:

04de22830fa69312a1bdfc67e614c558800dac225482cb20fa844c4c93707eca

Verdict:

Malicious activity

Analysis date:

2023-05-18 13:45:45 UTC

Tags:

ransomware stop

Link:

https://app.any.run/tasks/87a7ab03-a282-4bcc-8c92-02e7dfc4af4a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Malware.29323.BadIN.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending an HTTP GET request

Creating a file

Launching a process

Creating a process with a hidden window

Adding an access-denied ACE

Сreating synchronization primitives

Deleting a recently created file

Sending a custom TCP request

Searching for synchronization primitives

Query of malicious DNS domain

Sending a TCP request to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Sending an HTTP GET request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64662a13b84b25b2d4a16bd8/reports/669d9f8c-d1d4-4b0f-9aff-20d9c51df6ae/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/04de22830fa69312a1bdfc67e614c558800dac225482cb20fa844c4c93707eca

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/50c3301c-c6b6-4dbe-ab96-9c3b6cefb506

Result

Threat name:

Djvu

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1235959

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Djvu Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/04de22830fa69312a1bdfc67e614c558800dac225482cb20fa844c4c93707eca/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-05-18 08:19:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=atpcfaypu2jrfin57rt6mfgflcaa3lbcksbmwih2qrgeze3qp3fa._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:djvu family:vidar botnet:9dfa7ee730fa2f1efb5ed51dbbec22f5 discovery persistence ransomware spyware stealer

Link:

https://tria.ge/reports/230518-qwt5kshh6s/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Downloads MZ/PE file

Detected Djvu ransomware

Djvu Ransomware

Vidar

Malware Config

C2 Extraction:

http://zexeq.com/test1/get.php
https://steamcommunity.com/profiles/76561199263069598
https://t.me/cybehost

Unpacked files

SH256 hash:

6336deb1053145f9c3951b56483f16f8f19ef3fa32ec5d1845ace358bc95cb4b

MD5 hash:

b64cc521ca466463da2fb417f611ed0b

SHA1 hash:

d568654c995f8aeb457dffd9db725741434f317e

Detections:

win_stop_auto

Link:

https://www.unpac.me/results/6d777a92-d345-467e-b16a-89157fea25dd/

Parent samples :

b022e493931052692aa1caf59b29ab94236132fab4b0211a6aefb1c5bad6b22c
7131b9458befa961f984fb4f629f9aba8abd130aade0674b6865a3c388997a3a
733d197665d90ebcbe41ed14d872db66604706d8435e694985ad2c459ce59b70
00c86baf7161bc1f0ab0618716f401e17a3e88ce6002d0de3ca8eab7fb8b958d
04de22830fa69312a1bdfc67e614c558800dac225482cb20fa844c4c93707eca
0eb97933b944dda15d90b7dd71fb707b994b5be58549d5663aae174a82238268
19758c0037c39aacc91149b9f66ed45e2ca540cdc94dda9f7c7a908f0227a7b7
4b46bffe86c4d4b89183cddc5f944eec7869b11f5640a4d8c5b81a5b130b6f40
816f271c86ec8e2ef83647097e2fb040d580502e59dec71c1381e7ff24952cf5
971995e7ff0362002a053704ba1a1e9fca3533eada5bfa52fee1831af94c6b77
ef2baff18e38c81563a209be46e0abf3bdc5e05da6c2a8872287edd64901af63
2ee97fca2aaaec7f5232546878134f3ae58ee53997338abf3f119f1b1051eeca
5cd87944f98dd4e2109b9059e40ea08ad8232bf41dc3b8437a1559ee93edd853
c7b100a41efd1967947eb511df59cc1ca3d05ec34c9dea2ca3a6865d69599d3c
1e806984df9f5d8debae45e947e3f472fe4aa1b484ed794b9a2b0dd7204511a4
3dd9e3687e115e7920de3f3a2b9a1c6809f0f7372d0457fe6bd609444d58a98d
d38f23df1643ac8c78451a187b569fdbc70607de0354cf931822b66e5bb23bae
7800794cd25aaf48943d931935a9cd98980a645881fd557a24f0444ffbbdc2e1
64d5c80cea4e5bbbd58b1c0e1b81c95473c928db32def4c1ba094c8d0dafbea2
02a877e82d53354ae9ac4ce96982574103fc93ac2bee9bf3d650631f49ded10f
7d0485e8348a7c45a4124bb3c458f304eb0a573f0adc7b507286348138ae02fc
0b5b173442717540eafb8319b62aaa98aa3c222eaae1ebc49a712f7b6dc9bcaf
117bd105679704680c490279b89e47201550752c17e189f4902fbd93fa93d354
11ac22a2b13bc6271e8b9e916fa5de67902b11a62a4bde404803545f74315773
ff2fd176bf9e9d4265296174c60132ee5238e4217e6b9b32a5e474cfad35ce66

SH256 hash:

04de22830fa69312a1bdfc67e614c558800dac225482cb20fa844c4c93707eca

MD5 hash:

7a4e45f5f1df2b8c8c85c130cc80be35

SHA1 hash:

f9ba42671e09cb48cd936078ce97f464c02c3337

Link:

https://www.unpac.me/results/6d777a92-d345-467e-b16a-89157fea25dd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/04de22830fa69312a1bdfc67e614c558800dac225482cb20fa844c4c93707eca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_STOP Create hunting rule
Author:	ditekSHen
Description:	Detects STOP ransomware

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Windows_Ransomware_Stop_1e8d48ff Create hunting rule
Author:	Elastic Security

Rule name:	win_stop_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample