MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17a21c03cda1d7443ca4bef3a410bc88b544b55e28088a3ae550aebc517bea35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17a21c03cda1d7443ca4bef3a410bc88b544b55e28088a3ae550aebc517bea35
SHA3-384 hash: c20020d743620b0d5e158a1309e839ebb15277795fc05f76933b149f8022305fb45fbe811807c3053fd4b7e55f3dfe6e
SHA1 hash: 64f1be04f1dec3b777e6293def1447b703dec3c0
MD5 hash: 929e4ee3271ae117b80fce986c7ec20b
humanhash: golf-golf-mike-gee
File name:17a21c03cda1d7443ca4bef3a410bc88b544b55e28088a3ae550aebc517bea35
Download: download sample
Signature Stop
Create hunting rule
File size:811'008 bytes
First seen:2022-03-25 08:50:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f8aedd2ed2c23ee27040330b035e00c (2 x Stop, 1 x Smoke Loader)
ssdeep 12288:+Zaij2Ng3pCC1gvH8wvYxCnRfAmtRyxwwRrrWKWiYzK5fa+aqRx/f:Ar9H/xCnRfrqgXiYmdPzv
Threatray 934 similar samples on MalwareBazaar
TLSH T17205121137B0C076E1752130A969D2D36E2EBB7199B1E8577789866C3C313C26E7BF0A
File icon (PE):PE icon
dhash icon 38b078cccacccc43 (123 x Smoke Loader, 83 x Stop, 63 x RedLineStealer)
Reporter JAMESWT_WT
Tags:exe Stop

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/257596/
Detection(s):
Win.Dropper.Tofsee-9941447-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/11313/overview
Behaviour
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/623d8291a19c6494128c8ef7/reports/46fae2fd-a0d5-4573-9cbc-5b2c11d1bd13/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ee91f6bc-9287-4234-b758-3cc019984d25
Result
Threat name:
Djvu Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/964476
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 596957 Sample: SNTdsM6HTE Startdate: 25/03/2022 Architecture: WINDOWS Score: 100 85 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 Antivirus detection for URL or domain 2->89 91 10 other signatures 2->91 12 SNTdsM6HTE.exe 2->12         started        15 SNTdsM6HTE.exe 2->15         started        17 SNTdsM6HTE.exe 2->17         started        process3 signatures4 109 Contains functionality to inject code into remote processes 12->109 111 Writes many files with high entropy 12->111 113 Injects a PE file into a foreign processes 12->113 19 SNTdsM6HTE.exe 1 16 12->19         started        23 SNTdsM6HTE.exe 12 15->23         started        25 SNTdsM6HTE.exe 12 17->25         started        process5 dnsIp6 79 api.2ip.ua 162.0.218.244, 443, 49763, 49776 ACPCA Canada 19->79 61 C:\Users\...\SNTdsM6HTE.exe:Zone.Identifier, ASCII 19->61 dropped 63 C:\Users\user\AppData\...\SNTdsM6HTE.exe, MS-DOS 19->63 dropped 27 SNTdsM6HTE.exe 19->27         started        30 icacls.exe 19->30         started        file7 process8 signatures9 107 Injects a PE file into a foreign processes 27->107 32 SNTdsM6HTE.exe 1 22 27->32         started        process10 dnsIp11 73 fuyt.org 37.75.37.31, 49777, 49783, 80 VFM-ASVodafoneMaltaLtdASMT Malta 32->73 75 zerit.top 222.236.49.123, 49778, 80 SKB-ASSKBroadbandCoLtdKR Korea Republic of 32->75 77 api.2ip.ua 32->77 53 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 32->53 dropped 55 C:\_readme.txt, ASCII 32->55 dropped 57 C:\Users\user\...\SNTdsM6HTE.exe.vyia (copy), MS-DOS 32->57 dropped 59 24 other files (21 malicious) 32->59 dropped 93 Modifies existing user documents (likely ransomware behavior) 32->93 37 build2.exe 32->37         started        file12 signatures13 process14 signatures15 95 Writes many files with high entropy 37->95 97 Injects a PE file into a foreign processes 37->97 40 build2.exe 37->40         started        process16 dnsIp17 81 78.47.227.68, 49791, 80 HETZNER-ASDE Germany 40->81 83 stereodon.social 185.105.3.28, 443, 49788 GCOREAT Luxembourg 40->83 65 d06ed635-68f6-4e9a...57b9a7660804183.zip, Zip 40->65 dropped 67 C:\Users\user\AppData\...\softokn3[1].dll, PE32 40->67 dropped 69 C:\Users\user\AppData\...\mozglue[1].dll, PE32 40->69 dropped 71 10 other files (none is malicious) 40->71 dropped 99 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->99 101 Tries to steal Mail credentials (via file / registry access) 40->101 103 Tries to harvest and steal browser information (history, passwords, etc) 40->103 105 Tries to steal Crypto Currency Wallets 40->105 45 cmd.exe 40->45         started        file18 signatures19 process20 process21 47 conhost.exe 45->47         started        49 taskkill.exe 45->49         started        51 timeout.exe 45->51         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17a21c03cda1d7443ca4bef3a410bc88b544b55e28088a3ae550aebc517bea35/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-03-15 11:05:04 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
37 of 42 (88.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c6rbya6nuhluipfex3z2ief4rc2ujnk6faeiuoxfkcxlyul35i2q._file
Verdict:
malicious
Similar samples:
2a06da1f6bb8f01f932093ed9ae5f1ca2ff7b53b89dfd46a0102200cf3ebaead
Stop
30d61c9063fe72a9a6a1519ad4a2c43dc7e88fac46904e6f7227fa789be5dbb6
Stop
37c73441b4721b0231c8794d6d4fde63de828dbf59c18f64a52c7fc2e456fa80
Stop
6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
Stop
962793c4decea8dd718bd96ccc4209ce744414a62e4afb93c79db64df4b792e2
Stop
fb55add55db0e0f7b9e63dd1d70bdc318b2a0e725e069a00ae8685d60a044e0b
Stop
+ 924 additional samples on MalwareBazaar
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu ransomware
Link:
https://tria.ge/reports/220325-kr78raaahl/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://fuyt.org/fhsgtsspen6/get.php
Unpacked files
SH256 hash:
1d3d862a7d90043608aa8585cdc74d57ff9586cf9165b787543a3a13ea8d9b98
MD5 hash:
ea1f80714e926c1a9549bb8aca036a69
SHA1 hash:
c12094b5f50edfeb3f18154a3d8dfe1ca073ddc3
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/a94d5615-b4a0-47d8-8f9a-e876b28197d1/
Parent samples :
17a21c03cda1d7443ca4bef3a410bc88b544b55e28088a3ae550aebc517bea35
b3c88f1eb3f1aaa88b244a3fc1d7a58d061d141e8d6708148ba2db99b274490c
df4cf6f6be06bfd7eaf23bffc9c16639573228bc72fd6262352a242b5bdf2080
01f5a1f72f3f59e7b23627dff52e6dc3d9f166b864d639d2cbe40fd8c7327ddd
SH256 hash:
17a21c03cda1d7443ca4bef3a410bc88b544b55e28088a3ae550aebc517bea35
MD5 hash:
929e4ee3271ae117b80fce986c7ec20b
SHA1 hash:
64f1be04f1dec3b777e6293def1447b703dec3c0
Link:
https://www.unpac.me/results/a94d5615-b4a0-47d8-8f9a-e876b28197d1/
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/17a21c03cda1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17a21c03cda1d7443ca4bef3a410bc88b544b55e28088a3ae550aebc517bea35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/257596/

Comments