MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ad2c9a91e0c9382f813d69b55021783b113bd10f1d5881d7d4ca5258eec386e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Signature: Stop
Vendor detections: 15



SHA256 hash: 0ad2c9a91e0c9382f813d69b55021783b113bd10f1d5881d7d4ca5258eec386e
SHA3-384 hash: 290a2637db61b8f30e069b64f34345f16c59884e571ef97e4b3c4baf92ed5f4ce0ad03bb9639ff100e91ad624c4e5247
SHA1 hash: 87d96fd44ed7e3210496b2f0dc8a63df01d3cd3a
MD5 hash: e7ca2a55988051f2301395816d92070e
humanhash: robin-ink-sad-maryland
File name: file
Signature: Stop
File size: 680'960 bytes
First seen: 2022-09-20 13:10:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 27c79f0e2394a00bada857b374e6ec74 (2 x RedLineStealer, 1 x Stop, 1 x GCleaner)
ssdeep: 12288:T/0k9RggR6ocdn6u3kpys3AOyxWT2CXFJIkol1s9huvwM4GYlcd6TBFdENoEs42:wkgq6hnp3kpys3fQl1srgfYpvEls42
Threatray: 1'986 similar samples on MalwareBazaar
TLSH: T1D9E4231236C0C433C16265F58486C672A7AAFCD06F3205833F55FF2A5F317966A69B8B
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter: andretavare5
Tags: exe Stop


andretavare5: Sample downloaded from http://rgyui.top/dl/build.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 237
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-09-20 13:16:11 UTC
Tags: trojan loader ransomware stop

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Creating a process with a hidden window
Creating a file in the system32 subdirectories
Adding an access-denied ACE
Creating synchronization primitives
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Searching for synchronization primitives
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: STOP Ransomware
Verdict: Malicious
Result
Threat name: Babuk, Clipboard Hijacker, Djvu, Vidar
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 706252
Sample: file.exe
Start date: 20/09/2022
Architecture: WINDOWS
Score: 100

Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree (each started process is listed with the signatures, dropped files and network contacts the graph attributes to it):

file.exe (started)
  Signatures: Contains functionality to inject code into remote processes; Writes many files with high entropy; Injects a PE file into a foreign processes
  file.exe (started)
    Network: api.2ip.ua 162.0.217.254, ports 443, 49702, 49703 (ACPCA, Canada)
    Dropped: C:\Users\user\AppData\Local\...\file.exe (PE32); C:\Users\user\...\file.exe:Zone.Identifier (ASCII)
    file.exe (started)
      Signatures: Injects a PE file into a foreign processes
      file.exe (started)
        Network: rgyui.top 222.236.49.123, ports 49704, 80 (SKB-ASSKBroadbandCoLtdKR, Korea Republic of); acacaca.org 222.236.49.124, ports 49705, 49706, 80 (SKB-ASSKBroadbandCoLtdKR, Korea Republic of); api.2ip.ua
        Dropped: C:\Users\user\AppData\Local\...\build2.exe (PE32); C:\Users\user\AppData\Local\...\build3[1].exe (PE32); C:\Users\user\AppData\Local\...\build2[1].exe (PE32); 90 other files (85 malicious)
        Signatures: Tries to harvest and steal browser information (history, passwords, etc); Modifies existing user documents (likely ransomware behavior)
        build2.exe (started)
          Signatures: Machine Learning detection for dropped file; Injects a PE file into a foreign processes
          build2.exe (started)
            Network: t.me 149.154.167.99, ports 443, 49708 (TELEGRAMRU, United Kingdom); 116.203.7.175, ports 49709, 80 (HETZNER-ASDE, Germany); 192.168.2.1 (unknown)
            Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
            cmd.exe (started)
              conhost.exe (started); taskkill.exe (started); timeout.exe (started)
        build3.exe (started)
          Dropped: C:\Users\user\AppData\Roaming\...\mstsca.exe (PE32)
          Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
          schtasks.exe (started)
            conhost.exe (started)
    icacls.exe (started)
file.exe (started)
  Signatures: Machine Learning detection for dropped file
  file.exe (started)
file.exe (started)
  file.exe (started)
2 other processes (started)
  Signatures: Antivirus detection for dropped file
  file.exe (started)
  schtasks.exe (started)
    conhost.exe (started)
Threat name: Win32.Ransomware.Djvu
Status: Malicious
First seen: 2022-09-20 13:11:12 UTC
File Type: PE (Exe)
Extracted files: 19
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:djvu discovery persistence ransomware spyware stealer
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction: http://acacaca.org/test3/get.php
Unpacked files
SHA256 hash: 0aba73a2a06e2c6bdab81394881b76ac0e0c96a381db370307ec353fda9c54a3
MD5 hash: 288b26f0920921562f223418a01f250f
SHA1 hash: 3ca9a69806f607e87bd3612dae9513556e72a18d
Detections: win_stop_auto
Parent samples:
SHA256 hash: 0ad2c9a91e0c9382f813d69b55021783b113bd10f1d5881d7d4ca5258eec386e
MD5 hash: e7ca2a55988051f2301395816d92070e
SHA1 hash: 87d96fd44ed7e3210496b2f0dc8a63df01d3cd3a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_STOP
Author: ditekSHen
Description: Detects STOP ransomware

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: RansomwareTest4
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: RansomwareTest5
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: RansomwareTest6
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: RansomwareTest7
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: win_stop_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.stop.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
