MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 1da3193c52b5ec3a14b36acbc9c92266a2a531399e33c1e3a209e828eda7a0a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Stop
Vendor detections: 11
| SHA256 hash: | 1da3193c52b5ec3a14b36acbc9c92266a2a531399e33c1e3a209e828eda7a0a5 |
|---|---|
| SHA3-384 hash: | 734920b48b82ae10fc2a391c714dbf62885b1df809fd2ed15dee8ba8b0e4e99a4f95dc7dfaa362e57eab4faf6c03d10b |
| SHA1 hash: | c8307acc01c7de73eed6692dae49820d5514dda4 |
| MD5 hash: | 100cbacc61fc7aa967e534bc353c6f39 |
| humanhash: | oxygen-fanta-magnesium-ceiling |
| File name: | 1da3193c52b5ec3a14b36acbc9c92266a2a531399e33c1e3a209e828eda7a0a5 |
| Download: | download sample |
| Signature | Stop |
| File size: | 723'968 bytes |
| First seen: | 2021-05-03 01:14:08 UTC |
| Last seen: | 2021-05-03 02:01:22 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | d7565e12e5db64d47debae818150e3f7 (1 x Stop) |
| ssdeep | 12288:BkxbBvtM5hEg7SJ8dgcEdQKmhzLMPxpdV9Ji2XdpfwCDuCnV7xBvPhgm+3bGEG0b:BGM5hVJtEdTmhYZldX3KCZ5gHnNb |
| Threatray | 50 similar samples on MalwareBazaar |
| TLSH | 41F41202B1C8C573D15062B74835C3A55A69FCE95B239DCF7AC876FCCF292928B15B0A |
| Reporter |  fbgwls245 |
| Tags: | .wrui djvu Ransomware Stop |
Intelligence
File Origin
# of uploads :
2
# of downloads :
1'228
Origin country :
n/a
Vendor Threat Intelligence
Detection:
STOP
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Sending a UDP request
Deleting a recently created file
Sending an HTTP GET request
Creating a window
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Djvu
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Wacatac
Status:
Malicious
First seen:
2021-05-02 00:39:39 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
21 of 29 (72.41%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 40 additional samples on MalwareBazaar
Result
Malware family:
vidar
Score:
10/10
Tags:
family:djvu family:vidar discovery evasion persistence ransomware spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads local data of messenger clients
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Deletes Windows Defender Definitions
Djvu Ransomware
Vidar
Unpacked files
SH256 hash:
b58165bb5a4f9040d187791e870f691c449e59d3f5fa8312ba7655864236328f
MD5 hash:
5fe929b15555feeb7e4ef768211d8caa
SHA1 hash:
49f52ac9a44d3259167dbf20e7328fdaf287ac7f
Detections:
win_stop_auto
Parent samples :
7c75df63bc40beca5ccf65db76c33539ee9f3468a4149e1a0c0bfd30949f4b4d
1da3193c52b5ec3a14b36acbc9c92266a2a531399e33c1e3a209e828eda7a0a5
7c9bc6a878b6cb355bb2a5c70170aa48b1e8f369dd64ee47df3ac9ea9e213b02
9ded335a6f346de4aafbc4f8c08e90dce1f064820b13d6580f01731c9837d7a8
a0e32603876c3035d76a78e35d5f89576ded2475451b4d27e19331bf9e6abfc3
c14987c4c6fc2de2cac43355964465d7611652e29f699d64fa292399f526c103
e833b7fc4bf14527edb120ee4e691a660b21f93b1ec22bf15881bdcee4c5bb8d
712e9e9e2976782e38288d45a2d177f1dc3757c7610b4b9bae9e35be9f20b913
1da3193c52b5ec3a14b36acbc9c92266a2a531399e33c1e3a209e828eda7a0a5
7c9bc6a878b6cb355bb2a5c70170aa48b1e8f369dd64ee47df3ac9ea9e213b02
9ded335a6f346de4aafbc4f8c08e90dce1f064820b13d6580f01731c9837d7a8
a0e32603876c3035d76a78e35d5f89576ded2475451b4d27e19331bf9e6abfc3
c14987c4c6fc2de2cac43355964465d7611652e29f699d64fa292399f526c103
e833b7fc4bf14527edb120ee4e691a660b21f93b1ec22bf15881bdcee4c5bb8d
712e9e9e2976782e38288d45a2d177f1dc3757c7610b4b9bae9e35be9f20b913
SH256 hash:
1da3193c52b5ec3a14b36acbc9c92266a2a531399e33c1e3a209e828eda7a0a5
MD5 hash:
100cbacc61fc7aa967e534bc353c6f39
SHA1 hash:
c8307acc01c7de73eed6692dae49820d5514dda4
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ransomware
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | MALWARE_Win_STOP |
|---|---|
| Author: | ditekSHen |
| Description: | Detects STOP ransomware |
| Rule name: | SUSP_XORed_URL_in_EXE |
|---|---|
| Author: | Florian Roth |
| Description: | Detects an XORed URL in an executable |
| Reference: | https://twitter.com/stvemillertime/status/1237035794973560834 |
| Rule name: | win_stop_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | autogenerated rule brought to you by yara-signator |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
2) [C0003.001] Communication Micro-objective::Create Pipe::Interprocess Communication
3) [C0003.003] Communication Micro-objective::Read Pipe::Interprocess Communication
4) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
5) [C0047] File System Micro-objective::Delete File
6) [C0049] File System Micro-objective::Get File Attributes
7) [C0052] File System Micro-objective::Writes File
8) [C0007] Memory Micro-objective::Allocate Memory
9) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
10) [C0040] Process Micro-objective::Allocate Thread Local Storage
11) [C0042] Process Micro-objective::Create Mutex
12) [C0041] Process Micro-objective::Set Thread Local Storage Value
13) [C0018] Process Micro-objective::Terminate Process
14) [C0039] Process Micro-objective::Terminate Thread