MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07e7dd3b968a15e42c67a728a9d143533d66af00ab9003961086c8c2ee3670f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07e7dd3b968a15e42c67a728a9d143533d66af00ab9003961086c8c2ee3670f2
SHA3-384 hash: 65ddefa62f33cde951c5fd5c3f2e4eb5bbb781fc067defebe30190339e5f4dc42bd10a58477b4abf1dc8856ad9840351
SHA1 hash: 19c4a3e641c8fff8cb15b2468c01cb1cec2eafbc
MD5 hash: 4bf68315a0694544cfc078002c44d8fe
humanhash: venus-paris-harry-single
File name:BA53F24D6448DFC4B1A4A9B73D7D24ECC31A05A4E26EE051BA5ADA4312F319D1.exe
Download: download sample
Signature Stop
Create hunting rule
File size:812'544 bytes
First seen:2024-07-24 20:49:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 031ab1edcbaeae0599475583a40befa9 (3 x Stop)
ssdeep 12288:ILN0eHFcbKfY/cFQJSaxlY4jFwmkMTq52qRwUrWcCSX8mXtOuQmFJ29:9eFq+nGJZxlY4jqTMngnWcCSM8lQmq9
Threatray 1'611 similar samples on MalwareBazaar
TLSH T16C050210B781D035F97712F5497A83ADB93E7AA04B3855CF62D46AEE12346E0EC3235B
TrID 29.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
21.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
16.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
6.7% (.SCR) Windows screen saver (13097/50/3)
File icon (PE):PE icon
dhash icon bedacabecee6baa6 (7 x RedLineStealer, 4 x Stop, 3 x ArkeiStealer)
Reporter Anonymous
Tags:exe Stop


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
CN CN
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
07e7dd3b968a15e42c67a728a9d143533d66af00ab9003961086c8c2ee3670f2.exe
Verdict:
Malicious activity
Analysis date:
2024-07-25 15:05:33 UTC
Tags:
bdaejec evasion loader vodkagats
Link:
https://app.any.run/tasks/c6fe3ad4-cf4e-486d-bf81-9f6b324a290b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Virus.Wapomi-9802127-0
Create hunting rule

Win.Dropper.Generickdz-9939781-0
Create hunting rule

Win.Trojan.Generickdz-9950759-0
Create hunting rule

Win.Trojan.Generickdz-9951389-0
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a168fdae21d7902eafc869
Tags:
Execution Generic Infostealer Network Ransomware Static Stealth Stop
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Sending an HTTP GET request to an infection source
Sending a TCP request to an infection source
Modifying an executable file
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Сreating synchronization primitives
Deleting a recently created file
Query of malicious DNS domain
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Infecting executable files
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint lolbin microsoft_visual_cc packed shell32
Link:
https://www.filescan.io/uploads/66a168fbdfa8b2fced4e269c/reports/b128b61f-ebc1-4603-86cf-05d0ac609bb8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2341bea9-acaa-47bf-bfe5-8f2a10af3e6f
Result
Threat name:
Babuk, Bdaejec, Djvu, Zorab
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1480759
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Found stalling execution ending in API Sleep call
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
PE file contains section with special chars
PE file has a writeable .text section
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Bdaejec
Yara detected Djvu Ransomware
Yara detected Zorab Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1480759 Sample: BA53F24D6448DFC4B1A4A9B73D7... Startdate: 24/07/2024 Architecture: WINDOWS Score: 100 76 zerit.top 2->76 78 fuyt.org 2->78 80 2 other IPs or domains 2->80 92 Found malware configuration 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 Antivirus detection for URL or domain 2->96 98 14 other signatures 2->98 9 BA53F24D6448DFC4B1A4A9B73D7D24ECC31A05A4E26EE051BA5ADA4312F319D1.exe 1 2->9         started        13 BA53F24D6448DFC4B1A4A9B73D7D24ECC31A05A4E26EE051BA5ADA4312F319D1.exe 2->13         started        15 BA53F24D6448DFC4B1A4A9B73D7D24ECC31A05A4E26EE051BA5ADA4312F319D1.exe 2->15         started        17 BA53F24D6448DFC4B1A4A9B73D7D24ECC31A05A4E26EE051BA5ADA4312F319D1.exe 2->17         started        signatures3 process4 file5 74 C:\Users\user\AppData\Local\TempEDJzv.exe, PE32 9->74 dropped 106 Detected unpacking (changes PE section rights) 9->106 108 Detected unpacking (overwrites its own PE header) 9->108 110 Found stalling execution ending in API Sleep call 9->110 118 3 other signatures 9->118 19 BA53F24D6448DFC4B1A4A9B73D7D24ECC31A05A4E26EE051BA5ADA4312F319D1.exe 1 16 9->19         started        23 EEDJzv.exe 16 9->23         started        112 Antivirus detection for dropped file 13->112 114 Machine Learning detection for dropped file 13->114 116 Injects a PE file into a foreign processes 13->116 26 BA53F24D6448DFC4B1A4A9B73D7D24ECC31A05A4E26EE051BA5ADA4312F319D1.exe 13->26         started        28 EEDJzv.exe 15->28         started        30 BA53F24D6448DFC4B1A4A9B73D7D24ECC31A05A4E26EE051BA5ADA4312F319D1.exe 15->30         started        32 EEDJzv.exe 17->32         started        34 BA53F24D6448DFC4B1A4A9B73D7D24ECC31A05A4E26EE051BA5ADA4312F319D1.exe 17->34         started        signatures6 process7 dnsIp8 82 api.2ip.ua 188.114.96.3, 443, 49707, 49708 CLOUDFLARENETUS European Union 19->82 64 BA53F24D6448DFC4B1...A5ADA4312F319D1.exe, PE32 19->64 dropped 66 BA53F24D6448DFC4B1...exe:Zone.Identifier, ASCII 19->66 dropped 36 BA53F24D6448DFC4B1A4A9B73D7D24ECC31A05A4E26EE051BA5ADA4312F319D1.exe 19->36         started        39 icacls.exe 19->39         started        84 ddos.dnsnb8.net 44.221.84.105, 49706, 49709, 49720 AMAZON-AESUS United States 23->84 68 C:\Program Files\7-Zip\Uninstall.exe, PE32 23->68 dropped 70 C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32 23->70 dropped 72 C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS 23->72 dropped 102 Detected unpacking (changes PE section rights) 23->102 104 Infects executable files (exe, dll, sys, html) 23->104 41 WerFault.exe 23->41         started        43 cmd.exe 28->43         started        45 cmd.exe 32->45         started        file9 signatures10 process11 signatures12 100 Injects a PE file into a foreign processes 36->100 47 BA53F24D6448DFC4B1A4A9B73D7D24ECC31A05A4E26EE051BA5ADA4312F319D1.exe 1 19 36->47         started        52 conhost.exe 43->52         started        54 conhost.exe 45->54         started        process13 dnsIp14 86 zerit.top 92.246.89.93, 49710, 49711, 49714 LIVECOMM-ASRespublikanskayastr3k6RU Russian Federation 47->86 56 C:\_readme.txt, ASCII 47->56 dropped 58 C:\Users\user\_readme.txt, ASCII 47->58 dropped 60 PreSignInSettingsC...1].json.mmuz (copy), data 47->60 dropped 62 113 other malicious files 47->62 dropped 88 Tries to harvest and steal browser information (history, passwords, etc) 47->88 90 Modifies existing user documents (likely ransomware behavior) 47->90 file15 signatures16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/07e7dd3b968a15e42c67a728a9d143533d66af00ab9003961086c8c2ee3670f2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/07e7dd3b968a15e42c67a728a9d143533d66af00ab9003961086c8c2ee3670f2/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 20:50:06 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a7t52o4wrik6ildhu4uktukdkm6wnlyavoiahfqqq3emf3rwodza._file
Verdict:
malicious
Similar samples:
786bb21f95e657b07a7bfb151e4e0d0f27fe443ac855e467e9b7d3fa643c62ab
Stop
7e55984b301bf836995807293d281046d0d14f26e113727e2cc8e993f0de45a8
Stop
7fb707b6080c884faf366ba8e885c37e68ada8cd96bbc4897a7df0ab00c17270
Stop
bf771de1c2a064ca7acf4cecbeeb6a4f23895befc680a76747f8a7c7c7c3d80c
Stop
df4cf6f6be06bfd7eaf23bffc9c16639573228bc72fd6262352a242b5bdf2080
Stop
+ 1'601 additional samples on MalwareBazaar
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu aspackv2 discovery persistence ransomware
Link:
https://tria.ge/reports/240724-zmkn8awejr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://fuyt.org/fhsgtsspen6/get.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e288e4af-9937-4030-9d78-82d4a483a047
Unpacked files
SH256 hash:
0b6d28bc808b98429e7fc549e5a15a236ddb6cbb5a227f7334207b438a95267d
MD5 hash:
06ee09dec2db456a2e92a4b0f696678e
SHA1 hash:
d9eb1e744ac1294637ae72672e0f7edb0b14fc4e
Detections:
djvu_ransomware
Create hunting rule
win_stop_auto
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/5b757611-5deb-400a-a882-373f63e83ef0/
Parent samples :
9c703d32fa73fde2328022f3e1fad58bb2fd1cc739dd6f68dbe3d88fdcee2664
5ead4e743b06cfa32958083798960a587b108ee0170d3f475bb744cdb006761f
21ef7ee8609a2e98dec200eb22771a3ba86a18b7150211fc3aa6506e06b74c10
b70c7c27f9b8cebc5da0c75f5469c36ddd4a969ad29ec702a27571fa2ff27832
e531191d35e9d5543ae81a0915f9b02651ea54a6b3fe5ca61855a301ea53146a
5a1fb27924ab99541f08d3a46321b88fa4ce52a2346ebd92dc8da423c907cde3
ba53f24d6448dfc4b1a4a9b73d7d24ecc31a05a4e26ee051ba5ada4312f319d1
c1e3dbf11b5b3d434c8026bb344d5e9fd6daba717622ccfc4e07cadf051cba72
63d7b37217bad05463192bd2f5e39a4ac23ff21c52cd27bf541780d29cf77c7f
f2e3fa89c1a2c72ea78c4d32446221c08b30c7c3363f8248f04aa9eee2e15c70
44112b6d303c7df1528b55525872fef0f08de8c2a467f8e4d3b820f634f1f2c2
4f91cc5fef6093b6ccae6c91e02484dc33174df7d0e439fefe5f9b9171e388e3
6a803d7627d4fe8412c329487c9a95b34f3521ff2504fd077477cec1a9184ff9
54f94f7d533214086d2d2400b3b9b4d95e44d785334b5e47bf85ee0db24fd49b
98aeeffa753fd000731a7fc8bef2b3151cef2d9cc79ff03620cfba524e729ddd
11cbf8967f0dfb881a4a38c7abf2c26c61bfc68dc61a56a354c400a35f9a75eb
909204a217771a3830a59178d9bdcabec2c4b58eeb96aab7e10f34c2daee4392
0a04531f67450f23732ef2d41e6ac507ea10cdc39d513f1a379e9b3e0508e4f9
2db1bb25566f90ea473b56bcdc4670b9e6f730986a9c6f9d4b59a9ca6f542f54
9da0bdb7d44fe5cef1d36d302f47e941b72c848f9e2adaf106ca16ca1905faaa
703596cf1362533b7beb36bd72b994457ea1109cd3d6860bfe2cfc4b0b32a21a
c0bef9ba844c2d2cf99c9e7e397dcb9be6ba14bc8466603f6f2765e9213137d8
875ef5b3053d4d322471a9a9c0a7ea0b44c75178add2bb43ac4619ec78209cf1
e17ee8ffe9bb9062dcf3caad7e79785ec462faca7eb6e44302a5e0c03ad83a91
9ad258a814d69b7bfb48afaeda5a966308ffedb0cf7454a815c88c42629a745c
07e7dd3b968a15e42c67a728a9d143533d66af00ab9003961086c8c2ee3670f2
dcee34741b1210576a620d3e22d5945f1aea34f8d9940a0b9d098c7ebe0bd1d0
4f1bcdcbc93f0edf7a5b94c5da7b46ee72d4ba9619862036ed1cb202a07385c2
SH256 hash:
4ca56caf1181dfac57005db2d04e1b0b7ee2e49cd98295b7bea601856cecbe8c
MD5 hash:
abfc5348011a006bc92881a9dd52e096
SHA1 hash:
4d7fb37e59ca4bbfb7e4ca2d349c04c54e3b9180
Detections:
win_unidentified_045_auto
Create hunting rule
win_unidentified_045_g0
Create hunting rule
Link:
https://www.unpac.me/results/5b757611-5deb-400a-a882-373f63e83ef0/
SH256 hash:
07e7dd3b968a15e42c67a728a9d143533d66af00ab9003961086c8c2ee3670f2
MD5 hash:
4bf68315a0694544cfc078002c44d8fe
SHA1 hash:
19c4a3e641c8fff8cb15b2468c01cb1cec2eafbc
Link:
https://www.unpac.me/results/5b757611-5deb-400a-a882-373f63e83ef0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07e7dd3b968a15e42c67a728a9d143533d66af00ab9003961086c8c2ee3670f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Stop

Executable exe 07e7dd3b968a15e42c67a728a9d143533d66af00ab9003961086c8c2ee3670f2

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::SetProcessShutdownParameters
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindNextVolumeW
KERNEL32.dll::FindNextVolumeMountPointA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::FillConsoleOutputCharacterA
KERNEL32.dll::FillConsoleOutputCharacterW
KERNEL32.dll::WriteConsoleInputA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleOutputCharacterA
KERNEL32.dll::WriteConsoleA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileWithProgressW
KERNEL32.dll::MoveFileA

Comments