MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2056a6361358c8d5affd79a8129c75a87dca0940eea93a92db13f572c3c6501c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2056a6361358c8d5affd79a8129c75a87dca0940eea93a92db13f572c3c6501c
SHA3-384 hash: 8a025bd59696e0d2270a0f440ce04aaf5c938e65e1cea91166e221467e489f8bf166e86a720f8ce4d0109cc2b89bb502
SHA1 hash: 722cac0a53d7f82f91ee8d218afa8a5864696791
MD5 hash: 5018af36c454689a7fc7c925f02a5f70
humanhash: pizza-spaghetti-bakerloo-apart
File name:5018af36c454689a7fc7c925f02a5f70.exe
Download: download sample
Signature Stop
Create hunting rule
File size:721'920 bytes
First seen:2021-11-02 06:23:39 UTC
Last seen:2021-11-02 08:16:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0826cf00435bae95cd1b2f0de3562c9c (1 x Stop)
ssdeep 12288:b2US2JYnyXG2WKEJfp8iy1o6GhLDKdDLUV2yfa6YmyATka2517Ei7Oujb78kEQDV:6Wa1KExp8i9hLmdfUV2Sa6pzhYZjbBbJ
TLSH T164E41291B7F2C4B1D0E606744434E7A50A7B7DB2747288CBEBA4336E1EBCEC15A61354
File icon (PE):PE icon
dhash icon fcfcb4d4d4d4d8c0 (70 x RedLineStealer, 59 x RaccoonStealer, 24 x Smoke Loader)
Reporter abuse_ch
Tags:exe Ransomware Stop

Intelligence

File Origin
# of uploads :
2
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5018af36c454689a7fc7c925f02a5f70.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-02 06:35:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e88b32e1-52c3-43fa-be05-7e161b259898

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/201265/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.33411.20535.2251.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6180d986bf51178dbe47cbec/reports/fb52cfbc-1eca-425b-9624-3673724d7508/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/28d4624a-4b2c-4761-8979-abd67a78f6f2
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/880964
Signature
Contains functionality to inject code into remote processes
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 513395 Sample: fDWSVZru8Q.exe Startdate: 02/11/2021 Architecture: WINDOWS Score: 92 56 Multi AV Scanner detection for submitted file 2->56 58 Found ransom note / readme 2->58 60 Yara detected Djvu Ransomware 2->60 62 Machine Learning detection for sample 2->62 8 fDWSVZru8Q.exe 2->8         started        11 fDWSVZru8Q.exe 2->11         started        13 fDWSVZru8Q.exe 2->13         started        15 fDWSVZru8Q.exe 2->15         started        process3 signatures4 66 Injects a PE file into a foreign processes 8->66 17 fDWSVZru8Q.exe 17 8->17         started        68 Contains functionality to inject code into remote processes 11->68 22 fDWSVZru8Q.exe 1 17 11->22         started        70 Multi AV Scanner detection for dropped file 13->70 72 Machine Learning detection for dropped file 13->72 24 fDWSVZru8Q.exe 13 13->24         started        26 fDWSVZru8Q.exe 13 15->26         started        process5 dnsIp6 48 rlrz.org 17->48 36 C:\Users\user\_readme.txt, ASCII 17->36 dropped 38 C:\Users\user\...\fDWSVZru8Q.exe.palq (copy), MS-DOS 17->38 dropped 40 C:\Users\user\Desktop\fDWSVZru8Q.exe, MS-DOS 17->40 dropped 46 3 other malicious files 17->46 dropped 64 Modifies existing user documents (likely ransomware behavior) 17->64 50 api.2ip.ua 77.123.139.190, 443, 49748, 49755 VOLIA-ASUA Ukraine 22->50 52 192.168.2.1 unknown unknown 22->52 42 C:\Users\user\AppData\...\fDWSVZru8Q.exe, PE32 22->42 dropped 44 C:\Users\...\fDWSVZru8Q.exe:Zone.Identifier, ASCII 22->44 dropped 28 fDWSVZru8Q.exe 22->28         started        31 icacls.exe 22->31         started        file7 signatures8 process9 signatures10 74 Injects a PE file into a foreign processes 28->74 33 fDWSVZru8Q.exe 13 28->33         started        process11 dnsIp12 54 api.2ip.ua 33->54
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2056a6361358c8d5affd79a8129c75a87dca0940eea93a92db13f572c3c6501c/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-11-02 01:21:07 UTC
AV detection:
31 of 45 (68.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eblkmnqtldenll75pgubfhdvvb64ucka52utvew3cp2xfq6gkaoa._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar botnet:517 discovery persistence ransomware stealer
Link:
https://tria.ge/reports/211102-g5224sbgg2/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
Malware Config
C2 Extraction:
https://mas.to/@lilocc
Unpacked files
SH256 hash:
18b94c9c2fc9675197f1603729987ac1f0c845066114cdbe94e6e06206f800fc
MD5 hash:
bc01883a54b7a1bf0bfe936413446734
SHA1 hash:
ffaac76e75a74118f4e3043ab846c13863842017
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/cc772519-8ecb-4945-ba27-5be6c273eac4/
Parent samples :
e9a93d1ce4efc043eb8468247cc34a142043714f6e7c3b6a42d17e2e78e37869
79cf5abc8cdb8d94194260a529c1817d4fc6185e4c8f8a37265156be92b975fd
2056a6361358c8d5affd79a8129c75a87dca0940eea93a92db13f572c3c6501c
64a938fc41671d20542047b3399593bdb0583bbb581578280225b7fa1b1840ac
SH256 hash:
2056a6361358c8d5affd79a8129c75a87dca0940eea93a92db13f572c3c6501c
MD5 hash:
5018af36c454689a7fc7c925f02a5f70
SHA1 hash:
722cac0a53d7f82f91ee8d218afa8a5864696791
Link:
https://www.unpac.me/results/cc772519-8ecb-4945-ba27-5be6c273eac4/
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2056a6361358/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2056a6361358c8d5affd79a8129c75a87dca0940eea93a92db13f572c3c6501c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

Executable exe 2056a6361358c8d5affd79a8129c75a87dca0940eea93a92db13f572c3c6501c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1706197/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/201265/

Comments