MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c1db50e2876a312fc1b8cf6f3234d157f7accc140b14b47318c735d97693f3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c1db50e2876a312fc1b8cf6f3234d157f7accc140b14b47318c735d97693f3b
SHA3-384 hash: 83642b5f6b076cad12200bbb49efac601ec3506bd29585cc901fe3d1b39a6c1743e59fce3132d1452ad8952234b93741
SHA1 hash: c774109e88b1c71a1f3c92f1dbb04a3151b45966
MD5 hash: de8d1752bf8dd628a5065c19f83af296
humanhash: golf-beryllium-william-jersey
File name:1c1db50e2876a312fc1b8cf6f3234d157f7accc140b14b47318c735d97693f3b
Download: download sample
Signature Stop
Create hunting rule
File size:692'736 bytes
First seen:2024-01-11 13:41:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 99190d8cd877eac8f1ec8c4c753e3a41 (2 x Amadey, 1 x Smoke Loader, 1 x Stop)
ssdeep 12288:c7YRBR3jnqYEmQog6aXk6mG/6/BybShRgxMYtsGStU9WJ/8CSjdw+mlkF9Xrnd:1BJ+rfuGSpcS5JvU9WJ8CMd
Threatray 2'196 similar samples on MalwareBazaar
TLSH T1D2E4123178B18077E2F74236E47141649A7BB9122BB589CF77A8832E0F622D04E7D35B
TrID 46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 020404051c383000 (1 x Stop)
Reporter adrian__luca
Tags:exe Stop

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
kelihos
Create hunting rule
ID:
1
File name:
time.exe
Verdict:
Malicious activity
Analysis date:
2023-12-27 16:57:45 UTC
Tags:
opendir hausbomber stealer stealc loader metasploit risepro kelihos trojan evasion payload lumma nanocore agenttesla vodkagats ransomware stop purplefox backdoor vidar redline nitol socks5systemz proxy raccoonclipper
Link:
https://app.any.run/tasks/57f0872c-bfbd-4078-b5c9-803acc026ee5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/470386/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Win.Malware.Filerepmalware-10017599-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Сreating synchronization primitives
Sending a custom TCP request
Deleting a recently created file
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
azorult packed redline
Link:
https://www.filescan.io/uploads/659ff02f94d1aebfb299dfc4/reports/0a2f673d-34d7-4793-87d7-c3b2cf7238df/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1c1db50e2876a312fc1b8cf6f3234d157f7accc140b14b47318c735d97693f3b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9ee741ec-0aea-473e-8aca-06e9963ec03f
Result
Threat name:
Babuk, Djvu, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1373085
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Found stalling execution ending in API Sleep call
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected AntiVM3
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1373085 Sample: UpS8Qm873s.exe Startdate: 11/01/2024 Architecture: WINDOWS Score: 100 69 zexeq.com 2->69 71 brusuax.com 2->71 73 2 other IPs or domains 2->73 85 Snort IDS alert for network traffic 2->85 87 Multi AV Scanner detection for domain / URL 2->87 89 Found malware configuration 2->89 91 12 other signatures 2->91 11 UpS8Qm873s.exe 2->11         started        14 UpS8Qm873s.exe 2->14         started        16 UpS8Qm873s.exe 2->16         started        18 UpS8Qm873s.exe 2->18         started        signatures3 process4 signatures5 107 Detected unpacking (changes PE section rights) 11->107 109 Detected unpacking (overwrites its own PE header) 11->109 111 Found stalling execution ending in API Sleep call 11->111 121 3 other signatures 11->121 20 UpS8Qm873s.exe 1 16 11->20         started        113 Antivirus detection for dropped file 14->113 115 Multi AV Scanner detection for dropped file 14->115 117 Machine Learning detection for dropped file 14->117 24 UpS8Qm873s.exe 14 14->24         started        119 Injects a PE file into a foreign processes 16->119 27 UpS8Qm873s.exe 16->27         started        29 UpS8Qm873s.exe 18->29         started        process6 dnsIp7 75 api.2ip.ua 172.67.139.220, 443, 49707, 49708 CLOUDFLARENETUS United States 20->75 49 C:\Users\user\AppData\...\UpS8Qm873s.exe, PE32 20->49 dropped 31 UpS8Qm873s.exe 20->31         started        34 icacls.exe 20->34         started        51 C:\Users\user\_readme.txt, ASCII 24->51 dropped 53 C:\Users\user\Desktop\PSAMNLJHZW.docx, PSA 24->53 dropped 55 C:\Users\user\AppData\Local\...\_readme.txt, ASCII 24->55 dropped 97 Modifies existing user documents (likely ransomware behavior) 24->97 file8 signatures9 process10 signatures11 127 Injects a PE file into a foreign processes 31->127 36 UpS8Qm873s.exe 1 21 31->36         started        process12 dnsIp13 77 brusuax.com 201.119.101.98, 49712, 80 UninetSAdeCVMX Mexico 36->77 79 zexeq.com 175.120.254.9, 49710, 49711, 49713 SKB-ASSKBroadbandCoLtdKR Korea Republic of 36->79 57 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 36->57 dropped 59 C:\Users\user\AppData\Local\...\build2.exe, PE32 36->59 dropped 61 C:\Users\user\...\acroNGLLog.txt.cdqw (copy), data 36->61 dropped 63 125 other malicious files 36->63 dropped 93 Infects executable files (exe, dll, sys, html) 36->93 95 Modifies existing user documents (likely ransomware behavior) 36->95 41 build2.exe 36->41         started        file14 signatures15 process16 signatures17 99 Multi AV Scanner detection for dropped file 41->99 101 Detected unpacking (changes PE section rights) 41->101 103 Detected unpacking (overwrites its own PE header) 41->103 105 3 other signatures 41->105 44 build2.exe 41->44         started        process18 dnsIp19 81 t.me 149.154.167.99, 443, 49716 TELEGRAMRU United Kingdom 44->81 83 49.12.114.15, 10220, 49719, 49722 HETZNER-ASDE Germany 44->83 65 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 44->65 dropped 67 C:\Users\...\77EC63BDA74BD0D0E0426DC8F8008506, Microsoft 44->67 dropped 123 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 44->123 125 Tries to harvest and steal browser information (history, passwords, etc) 44->125 file20 signatures21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1c1db50e2876a312fc1b8cf6f3234d157f7accc140b14b47318c735d97693f3b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c1db50e2876a312fc1b8cf6f3234d157f7accc140b14b47318c735d97693f3b/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2023-12-27 19:57:11 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dqo3kdrio2rrf7a3rt3pgi2ncv7xvtgbicyuwrzrrrzv3f3jh45q._file
Verdict:
malicious
Similar samples:
2831300675369e6ac5d928446186f83bedc4027fe6db617039e5b224258ed0b6
Stop
35ba91ddf0d41590d0de137bc1d6e5524d8a84ecfabdae793e6b3a499f2c67d4
Stop
6a455892dc6b808ff4f012010f20ad4bbf16b881b9c235d98c85565591289012
Stop
83c4c80adbeb1d8411e49c1d14a886af6a26c9fb9827d8852d4e45e4a5f09b17
Stop
a0038a7651f4408728f4a8c7a2abe43b237fc9dc6645fa34e5c4d9c212658878
Stop
b299675e7e4654beadcaa2c38a96bf8324bbde96904ede17fdd88ebb7fdf2748
Stop
d46fec4abba46efe6663f19c2d9963a612f4ff25023c0dc6fc5bb559f106859d
Stop
+ 2'186 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar discovery persistence ransomware stealer
Link:
https://tria.ge/reports/240111-qznf7sghfm/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Downloads MZ/PE file
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
Malware Config
C2 Extraction:
http://zexeq.com/test1/get.php
Unpacked files
SH256 hash:
4ad7b8d228fe32d82b0373ce886f224f47c2e06a59d394c634160c70083b5f32
MD5 hash:
3eeb7b2030517f91fdf0f4c5278d8e76
SHA1 hash:
c4c3a4650d278f2f8b9bf871c2ae91508ffae165
Detections:
djvu_ransomware
Create hunting rule
win_stop_auto
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
MALWARE_Win_STOP
Create hunting rule
Link:
https://www.unpac.me/results/9cfa1684-6c77-4b3c-9b7c-56ce124b7ca6/
Parent samples :
123ff21851f3b1e11f928142fc0b48c00acab2971d7e7c0e77d936de1916922c
26bd4a40d12d5483b5cf8a0a2db0dddb151b0b3206079dcf2782834482a2c3b7
daa8db2383e3d9fe6cc680385e04fd9aeecee60bc13a4d7c75e55d8d40258d58
9a880d7572486dd985ed6ffbf55eee8875077d9614befc12d5fbdaafd45e86d5
9dfb6b41c90732c9206ef6f65a941b1061126ead69e3715d79519196dad5899c
1c1db50e2876a312fc1b8cf6f3234d157f7accc140b14b47318c735d97693f3b
4ad7b8d228fe32d82b0373ce886f224f47c2e06a59d394c634160c70083b5f32
SH256 hash:
1c1db50e2876a312fc1b8cf6f3234d157f7accc140b14b47318c735d97693f3b
MD5 hash:
de8d1752bf8dd628a5065c19f83af296
SHA1 hash:
c774109e88b1c71a1f3c92f1dbb04a3151b45966
Link:
https://www.unpac.me/results/9cfa1684-6c77-4b3c-9b7c-56ce124b7ca6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c1db50e2876a312fc1b8cf6f3234d157f7accc140b14b47318c735d97693f3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

Executable exe 1c1db50e2876a312fc1b8cf6f3234d157f7accc140b14b47318c735d97693f3b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2742270/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/470386/

Comments