MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c331b2e8e369b35c3094fa746a4486f4d6f7d3962936a9a389574905b2fdcd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c331b2e8e369b35c3094fa746a4486f4d6f7d3962936a9a389574905b2fdcd1
SHA3-384 hash: ccbaa4d5d91e86ffbbaea89b9be730784c82fda17513ca5cb6589afb9f45afe3ff65ec9b4ee4523868e9c17e80ff3283
SHA1 hash: 0fa78e391d73ed0298fc7f005553512ae1fbffb0
MD5 hash: 713b717f0b083f8858cf2f590a52edbf
humanhash: burger-uniform-island-december
File name:713b717f0b083f8858cf2f590a52edbf.exe
Download: download sample
Signature Stop
Create hunting rule
File size:677'888 bytes
First seen:2021-04-07 17:05:23 UTC
Last seen:2021-04-07 17:50:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash add7594dd05ba3809b7c17482161f90d (1 x Stop)
ssdeep 12288:ez5Y4Q/lTwH7JvMuh5lcarc5WKN5afHikQhgjh0EvJ2gOI1gg/H:eV5QB23h5Zrcv62hmJ2gP
Threatray 40 similar samples on MalwareBazaar
TLSH C9E42312B0D5D572C5B234F09C27CBEE083FAC53AB3AC15A778D1B567E12AC44A3A359
Reporter abuse_ch
Tags:exe Stop


Avatar
abuse_ch
Stop C2:
http://cache.krishgarden.com/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://cache.krishgarden.com/ https://threatfox.abuse.ch/ioc/6764/

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
713b717f0b083f8858cf2f590a52edbf.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 17:08:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/39b03879-880b-45d4-acb3-faf6b7690ef1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132903/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36644181.3809.26104.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Sending a UDP request
Deleting a recently created file
Sending an HTTP GET request
Creating a window
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Djvu Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/669005
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383431 Sample: 57fvgYpwnN.exe Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Multi AV Scanner detection for domain / URL 2->70 72 Antivirus detection for URL or domain 2->72 74 7 other signatures 2->74 9 57fvgYpwnN.exe 1 18 2->9         started        14 57fvgYpwnN.exe 13 2->14         started        16 57fvgYpwnN.exe 13 2->16         started        18 57fvgYpwnN.exe 2->18         started        process3 dnsIp4 62 api.2ip.ua 77.123.139.190, 443, 49731, 49736 VOLIA-ASUA Ukraine 9->62 48 C:\Users\...\57fvgYpwnN.exe:Zone.Identifier, ASCII 9->48 dropped 78 Detected unpacking (changes PE section rights) 9->78 80 Detected unpacking (overwrites its own PE header) 9->80 82 Writes many files with high entropy 9->82 20 57fvgYpwnN.exe 1 23 9->20         started        25 icacls.exe 9->25         started        file5 signatures6 process7 dnsIp8 58 jfas.top 34.105.199.171, 49738, 49739, 49740 GOOGLEUS United States 20->58 60 api.2ip.ua 20->60 40 C__Windows_SystemA...e_Desktop_18[1].txt, DOS 20->40 dropped 42 C__Windows_SystemA...e_Desktop_10[1].txt, DOS 20->42 dropped 44 C:\Users\user\AppData\Local\...\settings.dat, DOS 20->44 dropped 46 206 other files (191 malicious) 20->46 dropped 76 Modifies existing user documents (likely ransomware behavior) 20->76 27 5.exe 87 20->27         started        file9 signatures10 process11 dnsIp12 64 cache.krishgarden.com 157.90.153.134, 49750, 80 REDIRISRedIRISAutonomousSystemES United States 27->64 66 api.faceit.com 104.17.63.50, 443, 49748 CLOUDFLARENETUS United States 27->66 50 d06ed635-68f6-4e9a...57b9a5333065525.zip, Zip 27->50 dropped 52 C:\Users\user\AppData\...\softokn3[1].dll, PE32 27->52 dropped 54 C:\Users\user\AppData\...\freebl3[1].dll, PE32 27->54 dropped 56 10 other files (none is malicious) 27->56 dropped 84 Detected unpacking (changes PE section rights) 27->84 86 Detected unpacking (overwrites its own PE header) 27->86 88 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->88 90 6 other signatures 27->90 32 cmd.exe 27->32         started        file13 signatures14 process15 process16 34 conhost.exe 32->34         started        36 taskkill.exe 32->36         started        38 timeout.exe 32->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c331b2e8e369b35c3094fa746a4486f4d6f7d3962936a9a389574905b2fdcd1/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-04-06 12:47:19 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bqzrwluog2ntlqyjj6tunjcin5gw67jzmkjwvgrysv2jawzp3tiq._file
Verdict:
malicious
Similar samples:
0e55e17532909ad5ad34eb4e35d791b27c6951dd15a8baba34c29ae572c884d0
Stop
20ebe8ff1da6f2023a43b3e3cbe14479961699f9dec0324f72070fa2b275eaae
Stop
2ae59af40109d186eb8999211e8ad933d2fffec609a2bdbd87a8aa4e9654a111
Stop
5fba5879d38cea0fd0f956b583c7b5ecd0105928d26315935d4f7a8f9797d885
Stop
9feb26b9550dbf46719374757468d95b6882c00fd3ca65a02e9edf2854e900a9
Stop
a13289516cc734026e3d839855e43ecee5f5aefe79751bc422f7c1e5b5b25b74
Stop
b055016e0d82c57b58cd126f26b4b8f4dae1441f0019bdaa42452e815f128944
Stop
d466ef9698569363af4f08b64235817c7838c726c1faee300582aab3d90f5683
Stop
e81e9dfe89a98449992b1ca9e4acb9905b606dc3de186b9de94241bde3b230be
Stop
e8bcd430d48c430ced6992340cbce21ffc1a4d8cc60e6255b76870d33a5ea6b9
Stop
+ 30 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery persistence spyware stealer
Link:
https://tria.ge/reports/210407-12nn92kv22/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads local data of messenger clients
Reads user/profile data of web browsers
Executes dropped EXE
Vidar
Unpacked files
SH256 hash:
b190f88617544a0969d022b8945315f7f51ea83db42a825ec27fdb155a4742cb
MD5 hash:
2f41c4db08cb783f607480ad47c4c246
SHA1 hash:
8f3b701067634cb4e66524accff5ebacef2bd485
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/779eec66-97cf-4d10-b10b-e8d56ef59a7f/
Parent samples :
0c331b2e8e369b35c3094fa746a4486f4d6f7d3962936a9a389574905b2fdcd1
b526a2e743700e05396f10f6b2e9f1b1a8a74670a7b6969cf4471bdb25a77802
09a9f8170877460fe3e96b5b14680354bad1311070f68845fc5a6e4703ec7a44
SH256 hash:
0c331b2e8e369b35c3094fa746a4486f4d6f7d3962936a9a389574905b2fdcd1
MD5 hash:
713b717f0b083f8858cf2f590a52edbf
SHA1 hash:
0fa78e391d73ed0298fc7f005553512ae1fbffb0
Link:
https://www.unpac.me/results/779eec66-97cf-4d10-b10b-e8d56ef59a7f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c331b2e8e369b35c3094fa746a4486f4d6f7d3962936a9a389574905b2fdcd1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132903/

Comments