MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1887d44bd913b81d9943f4b5637e01b057d20d757b23cd6ea3da239827a9cd95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stop

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash:	1887d44bd913b81d9943f4b5637e01b057d20d757b23cd6ea3da239827a9cd95
SHA3-384 hash:	0a4146327de88e0a0bb2c9dcd9efa8a8244e9703191620c5c740dbd1064b94de9f049405945361f5958fb08b65877f5d
SHA1 hash:	1308ac2f0cab69ea97f62f71b815af65eab0b6b6
MD5 hash:	395908ef1c1b873b5e2ef0458b3054c1
humanhash:	kansas-earth-apart-berlin
File name:	1887d44bd913b81d9943f4b5637e01b057d20d757b23cd6ea3da239827a9cd95
Download:	download sample
Signature	Stop Create hunting rule
File size:	832'000 bytes
First seen:	2022-03-25 08:51:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e3a468e33131e43ff6cb0ed3ba60251f (2 x DanaBot, 2 x Stop, 1 x Gozi)
ssdeep	12288:VjlKZpqVz+tyrG3SxSGJp0hp/IY/qaW/mQSOqlX+dti+J9uVOuoNZlDqc0Y/I+wJ:noIzwYVxz5Y/R4mQS5uDJcVqTNg+
Threatray	901 similar samples on MalwareBazaar
TLSH	T1A005F100B790D039E0B716F8497553B9A62E7DE1AB6560CB22D97BEE57346E0FC3120B
File icon (PE):
dhash icon	25ac1378319b9b91 (29 x Amadey, 24 x Smoke Loader, 14 x RedLineStealer)
Reporter	JAMESWT_WT
Tags:	exe Stop

Intelligence

File Origin

# of uploads :

# of downloads :

219

Origin country :

n/a

Vendor Threat Intelligence

Detection:

STOP

Link:

https://www.capesandbox.com/analysis/257601/

Detection(s):

Win.Dropper.Generickdz-9939781-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Сreating synchronization primitives

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/11318/overview

Behaviour

MalwareBazaar

CPUID_Instruction

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/623d82991f2042394827c49f/reports/6ea3df63-d2b3-426d-b2c2-2a807af22789/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6b5fd623-e7c4-4670-9263-46d0f574bfb1

Result

Threat name:

Djvu

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/964469

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Djvu Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1887d44bd913b81d9943f4b5637e01b057d20d757b23cd6ea3da239827a9cd95/

Threat name:

Win32.Ransomware.Stop

Status:

Malicious

First seen:

2022-03-25 08:55:40 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

39 of 42 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dcd5is6zco4b3gkd6s2wg7qbwbl5edlvpmr423vd3irzqj5jzwkq._file

Verdict:

malicious

Stop

2a06da1f6bb8f01f932093ed9ae5f1ca2ff7b53b89dfd46a0102200cf3ebaead

Stop

2e71e3bcb39c87ae43d0019b5d62084b8eb2bb0ebe09c05d7cf2ad026082e527

Stop

30d61c9063fe72a9a6a1519ad4a2c43dc7e88fac46904e6f7227fa789be5dbb6

Stop

486ab4d9e0a524b8f734a9e45821538c31e18c7632af8e0765dc417b9a87c64d

Stop

56a34b76ba7c81e554eeb1dcfe93a6d0f61103536f9a0387fb220768bd2149df

Stop

fb55add55db0e0f7b9e63dd1d70bdc318b2a0e725e069a00ae8685d60a044e0b

Stop

+ 891 additional samples on MalwareBazaar

Result

Malware family:

djvu

Score:

10/10

Tags:

family:djvu ransomware

Link:

https://tria.ge/reports/220325-kr78radeb9/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Detected Djvu ransomware

Djvu Ransomware

Malware Config

C2 Extraction:

http://fuyt.org/test1/get.php

Unpacked files

SH256 hash:

c2bd9d2d4b74119e6326432cff11b66967ad03dd16cf8489872104c6673c4458

MD5 hash:

06718f08b9c144f804038889eb3275db

SHA1 hash:

c47188bd4f0c94a58a2ef2ced234108689ad368b

Detections:

win_stop_auto

Link:

https://www.unpac.me/results/2308bc18-614c-4d9a-af3d-03470f325d3a/

Parent samples :

5a0edc9a74176c2fc135bcc85ff57459c17afee6245380b54e1c1ce6f0a0c0d1
8e59e609d766b97d507b0bc9947d0a4b45431a3e3a2f3ade98a14a51cfb96fd0
1887d44bd913b81d9943f4b5637e01b057d20d757b23cd6ea3da239827a9cd95
7fb707b6080c884faf366ba8e885c37e68ada8cd96bbc4897a7df0ab00c17270
232d25948db02a80f05a71382a8fda0000fb08df82778f30322d5844ce7d167b

SH256 hash:

1887d44bd913b81d9943f4b5637e01b057d20d757b23cd6ea3da239827a9cd95

MD5 hash:

395908ef1c1b873b5e2ef0458b3054c1

SHA1 hash:

1308ac2f0cab69ea97f62f71b815af65eab0b6b6

Link:

https://www.unpac.me/results/2308bc18-614c-4d9a-af3d-03470f325d3a/

Malware family:

Djvu

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/1887d44bd913/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1887d44bd913b81d9943f4b5637e01b057d20d757b23cd6ea3da239827a9cd95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_STOP Create hunting rule
Author:	ditekSHen
Description:	Detects STOP ransomware

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	win_stop_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.stop.

Rule name:	XOREngine_Misc_XOR_Func Create hunting rule
Author:	smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:	Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/257601/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample