MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09a9f8170877460fe3e96b5b14680354bad1311070f68845fc5a6e4703ec7a44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09a9f8170877460fe3e96b5b14680354bad1311070f68845fc5a6e4703ec7a44
SHA3-384 hash: 25d8379f20dd45764789be1a7acd74a3fd6f9f9502e6fa75175a02d7a84d90032b60e496d505f50718de658394a02c6d
SHA1 hash: e49200a07954e75a635e2586ff4f96947db8d3d3
MD5 hash: e3bd5e262eef0078499099f69254144a
humanhash: lima-bakerloo-alabama-hot
File name:SecuriteInfo.com.Trojan.GenericKD.36659493.29456.22330
Download: download sample
Signature Stop
Create hunting rule
File size:696'832 bytes
First seen:2021-04-09 09:57:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 17e429f895fbf96bc9fb9d9e208ef029 (1 x Stop)
ssdeep 12288:31ohwg0EWTLiAIRYCZjZQXEF7iDIjG7os30GSOJiztaymPqLbU9GLAIrfpNnaUQ9:FoRLR2yiEE77KGLIxaymiLbUg8IBNU
Threatray 42 similar samples on MalwareBazaar
TLSH 1BE423117290C037E99A68315A74C6E49A3FFEB216608AC77B883E6F9D711E12F31707
Reporter SecuriteInfoCom
Tags:Ransomware Stop

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.GenericKD.36659493.29456.22330
Verdict:
Malicious activity
Analysis date:
2021-04-09 09:58:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/167560ae-c073-4599-872a-d15786222e25

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133347/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36659493.29456.22330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Sending a UDP request
Deleting a recently created file
Sending an HTTP GET request
Creating a window
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Djvu Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.spre.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/671190
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 384538 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 09/04/2021 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Multi AV Scanner detection for domain / URL 2->70 72 Found malware configuration 2->72 74 8 other signatures 2->74 9 SecuriteInfo.com.Trojan.GenericKD.36659493.29456.exe 1 18 2->9         started        14 SecuriteInfo.com.Trojan.GenericKD.36659493.29456.exe 13 2->14         started        16 SecuriteInfo.com.Trojan.GenericKD.36659493.29456.exe 2->16         started        process3 dnsIp4 62 api.2ip.ua 77.123.139.190, 443, 49699, 49704 VOLIA-ASUA Ukraine 9->62 46 SecuriteInfo.com.T...exe:Zone.Identifier, ASCII 9->46 dropped 80 Detected unpacking (changes PE section rights) 9->80 82 Detected unpacking (overwrites its own PE header) 9->82 84 Writes many files with high entropy 9->84 18 SecuriteInfo.com.Trojan.GenericKD.36659493.29456.exe 1 23 9->18         started        23 icacls.exe 9->23         started        file5 signatures6 process7 dnsIp8 56 jfas.top 34.105.199.171, 49705, 49706, 49707 GOOGLEUS United States 18->56 58 192.168.2.1 unknown unknown 18->58 60 api.2ip.ua 18->60 38 C:\Users\user\AppData\...\ISO690Nmerical.XSL, DOS 18->38 dropped 40 C:\...\Install_2019-06-27_102023_125c-c90.log, DOS 18->40 dropped 42 C:\Users\user\AppData\Local\...\5.exe, PE32 18->42 dropped 44 195 other files (184 malicious) 18->44 dropped 76 Infects executable files (exe, dll, sys, html) 18->76 78 Modifies existing user documents (likely ransomware behavior) 18->78 25 5.exe 88 18->25         started        file9 signatures10 process11 dnsIp12 64 cache.krishgarden.com 157.90.153.134, 49715, 80 REDIRISRedIRISAutonomousSystemES United States 25->64 66 api.faceit.com 104.17.62.50, 443, 49714 CLOUDFLARENETUS United States 25->66 48 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 25->48 dropped 50 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 25->50 dropped 52 C:\Users\user\AppData\...\softokn3[1].dll, PE32 25->52 dropped 54 9 other files (none is malicious) 25->54 dropped 86 Detected unpacking (changes PE section rights) 25->86 88 Detected unpacking (overwrites its own PE header) 25->88 90 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->90 92 5 other signatures 25->92 30 cmd.exe 25->30         started        file13 signatures14 process15 process16 32 conhost.exe 30->32         started        34 taskkill.exe 30->34         started        36 timeout.exe 30->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09a9f8170877460fe3e96b5b14680354bad1311070f68845fc5a6e4703ec7a44/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2021-04-08 16:49:40 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0c331b2e8e369b35c3094fa746a4486f4d6f7d3962936a9a389574905b2fdcd1
Stop
0e55e17532909ad5ad34eb4e35d791b27c6951dd15a8baba34c29ae572c884d0
Stop
20ebe8ff1da6f2023a43b3e3cbe14479961699f9dec0324f72070fa2b275eaae
Stop
2ae59af40109d186eb8999211e8ad933d2fffec609a2bdbd87a8aa4e9654a111
Stop
9feb26b9550dbf46719374757468d95b6882c00fd3ca65a02e9edf2854e900a9
Stop
a13289516cc734026e3d839855e43ecee5f5aefe79751bc422f7c1e5b5b25b74
Stop
b055016e0d82c57b58cd126f26b4b8f4dae1441f0019bdaa42452e815f128944
Stop
d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683
Stop
e81e9dfe89a98449992b1ca9e4acb9905b606dc3de186b9de94241bde3b230be
Stop
e8bcd430d48c430ced6992340cbce21ffc1a4d8cc60e6255b76870d33a5ea6b9
Stop
+ 32 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery persistence spyware stealer
Link:
https://tria.ge/reports/210409-tlqa95xh92/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads local data of messenger clients
Reads user/profile data of web browsers
Executes dropped EXE
Vidar
Unpacked files
SH256 hash:
b190f88617544a0969d022b8945315f7f51ea83db42a825ec27fdb155a4742cb
MD5 hash:
2f41c4db08cb783f607480ad47c4c246
SHA1 hash:
8f3b701067634cb4e66524accff5ebacef2bd485
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/24b18438-10f9-45fd-b407-6273b6bec5b4/
Parent samples :
0c331b2e8e369b35c3094fa746a4486f4d6f7d3962936a9a389574905b2fdcd1
b526a2e743700e05396f10f6b2e9f1b1a8a74670a7b6969cf4471bdb25a77802
09a9f8170877460fe3e96b5b14680354bad1311070f68845fc5a6e4703ec7a44
SH256 hash:
09a9f8170877460fe3e96b5b14680354bad1311070f68845fc5a6e4703ec7a44
MD5 hash:
e3bd5e262eef0078499099f69254144a
SHA1 hash:
e49200a07954e75a635e2586ff4f96947db8d3d3
Link:
https://www.unpac.me/results/24b18438-10f9-45fd-b407-6273b6bec5b4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09a9f8170877460fe3e96b5b14680354bad1311070f68845fc5a6e4703ec7a44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

Executable exe 09a9f8170877460fe3e96b5b14680354bad1311070f68845fc5a6e4703ec7a44

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1104858/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1104861/
Cape
Cape
https://www.capesandbox.com/analysis/133347/

Comments