MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2078b64d057d683b0ad4aef79ee66f181901bc54331920426b3f724b8c11aa11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stop

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	2078b64d057d683b0ad4aef79ee66f181901bc54331920426b3f724b8c11aa11
SHA3-384 hash:	d3790b59898fd7b12ebdfac7bb87e571fb0710d6e47101ce810f9860bb3e8ecc0fd2ca6dd059c137c290b66a8a6e2815
SHA1 hash:	f7a35e88649b3e6fa2fca7574a82e7f634e13510
MD5 hash:	ccb6247d4990ce30d67717282a5945cb
humanhash:	mexico-mexico-red-football
File name:	2078b64d057d683b0ad4aef79ee66f181901bc54331920426b3f724b8c11aa11
Download:	download sample
Signature	Stop Create hunting rule
File size:	727'552 bytes
First seen:	2021-09-23 07:11:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8a8349050dccf77dfddbf10f15c614d4 (1 x RaccoonStealer, 1 x Stop)
ssdeep	12288:a4nEN8Ap/LyeOguD/94RQVHD8BeDkpAg1ErSa7uNntDeUqMrAX0T3k7qi7w:lENHpTiSMHDweiA0ErT7uBrAXw27w
Threatray	700 similar samples on MalwareBazaar
TLSH	T1D2F41211BAC1D473D2E31A30D850CAA417FAFC651A795A8B3B983B7D5E702C1BB78E11
File icon (PE):
dhash icon	b8b078eccacccc01 (9 x RaccoonStealer, 4 x Glupteba, 4 x RedLineStealer)
Reporter	JAMESWT_WT
Tags:	exe Stop

Intelligence

File Origin

# of uploads :

# of downloads :

150

Origin country :

n/a

Vendor Threat Intelligence

Detection:

STOP

Link:

https://www.capesandbox.com/analysis/190643/

Detection(s):

Win.Packed.Generic-9893288-0

Win.Packed.Generic-9894252-0

Win.Packed.Zusy-9895653-0

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/13b3894d-e78b-4192-a611-a52523f7da6c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2078b64d057d683b0ad4aef79ee66f181901bc54331920426b3f724b8c11aa11/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2021-09-17 04:17:00 UTC

AV detection:

36 of 44 (81.82%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eb4lmtifpvudwcwuv33z5ztpdamqdpcugmmsaqtlh5zexdarviiq._file

Verdict:

malicious

Stop

496b5885ff8f521c91ca037338e188ea0374bf86816d0c804d3010fd2f5fec38

Stop

9634e7bbda11d42ed7eda4f7cc1965dea16ab45877cb425d322e830cf63a0657

Stop

9feb26b9550dbf46719374757468d95b6882c00fd3ca65a02e9edf2854e900a9

Stop

b055016e0d82c57b58cd126f26b4b8f4dae1441f0019bdaa42452e815f128944

Stop

bfbf6bb9393e511a06e90d432e7538059ae75f9f1525f0f503d1d0bec0d32124

Stop

e81e9dfe89a98449992b1ca9e4acb9905b606dc3de186b9de94241bde3b230be

Stop

e8bcd430d48c430ced6992340cbce21ffc1a4d8cc60e6255b76870d33a5ea6b9

Stop

ff9e059a789e94573fb32a918657d5c5c59b5395fab873cbcec7b1543435fe93

Stop

+ 690 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:djvu family:vidar discovery persistence ransomware spyware stealer

Link:

https://tria.ge/reports/210923-h1jkmsfgc4/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Vidar Stealer

Detected Djvu ransomware

Djvu Ransomware

Vidar

Unpacked files

SH256 hash:

a63762084ef112b002f0dbcbb324e12aae0cd43b854ff62f6b41e16aae56c4a1

MD5 hash:

529f4a3c06afc6a2ad0de95c69f9f779

SHA1 hash:

e054c663a3cee9b7f136fa1756ff6e294da6f4bb

Detections:

win_stop_auto

Link:

https://www.unpac.me/results/998ddc7d-3d33-483e-b246-5f4be2bd74c1/

Parent samples :

0b997d3d00ae436ba3826875fe1be1677cbdd7d57514a61344c1a36690696a43
0eb5ef5f274b388cb80999b93f192b6842ef0e6efb705c150934c38542baebd6
d7d0b6dfc8cb990d781d5e08eed888ed739c055949a43ba3491e090fc948505b
7937026664caf538e91af9f7fd4a821ec0ed441e1ab0d309274fa3de7649f2d3
13b58ca7069be911b9da14d853d3bb2ae88a0b3a09f9c730588d5e7e97eded53
510c4a055a75958718026d211543fad83f92d5df820e23b160d5a1b3210dac8f
76930f4dc516570491aaf144c1937bb3c35238ed5af78a0d31dd645d4fabb0ff
f3a4459b98919ba055a2c9437d092d18c889d5a1bbaea31a2cbe5ac250bc600a
a5affec055f99fd10e30746c2ec70dc9d99b8e9c740b6f9e14d56972fe5a56e6
03852e30ab9c4e38366f634c4db92874716d98af406827bf08f3840571dda9b3
2165b8ef60238fe77115134616c526ba309d3d7dc3bec76ecfa3385d8a293246
8170e05d46e8e1b261870c11639faeb06c7dfb81388e76f7f8c17aea5d135a5b
b45cbf2e959f4712e3bc2c20409d76af50440da980e16edac9c99d6de8271c6e
c7a0c3037dd774dc0036ff06cf41ffc139271a13438efac4545b777558430532
602b02381887a5bc8683284e03c29226c55406689389c00bdab9a080028ef4f0
0b651db2a463fa6fba6327d2a6d8e90281525ee24c42a59332846c23b805aec3
d7339f167796f39f54ed7c31aa5e31673a63050e52e0491f2b62db569e0af165
5c0fb4c8665f2fd33d83edde4809cf0203ce3fc1f4d53d62db5db8d7b843b01b
c78ce80498caf92b71e9135974e4b7a0b75a91600588e3f865a96e020926d9c4
5918c48c13824de78dd03662d6bce3f3aa8a2bf834c77dad38e81627fbec61a2
85e5e1bc250dd0718e877a04b84b7688f4717363814ac9708b7ea2abcc37b76c
d3de307ed78a6067914803abcc409e87186827d0ecfb2737587e993376b6849c
6d35913d505c88664a82cdebc152ff7946052d4e53a8a3e91822e6471c2dd1ae
a900139492d599c18bc8c54abac1b846aba0d0aa11ec9e1fb70b322089996921
3c998eb7608baa12de1d875b9e37d1ad590d9c541f638a3a5e5c42e172c20bfc
b745b1a05ea601deb736ca97b135132cab7fe3c50670e6b1f7837a0fe79689c8
2078b64d057d683b0ad4aef79ee66f181901bc54331920426b3f724b8c11aa11
b2cfd5cd948b40e9152e4dd8abe0aa346ba030afae6974b1cb598be87bafe2a8
cdb3a68fbec8030f92b0d4da8b1c0bab77a96bb351d71fae4ed69ba17383b96a
015e62c016d4371efd1e5de2a7b2b0b1b1b895eea55430efc43f8bbbae85ed0f
8f94c9b6164e8bf02fb45724774a96a53aae6f1f9b341a80ba8f6bf63ba52dfa
ccaaa623e3091c4183a5550b58df11c9492b451b0e602c7e4fd3fd49c95645c8

SH256 hash:

2078b64d057d683b0ad4aef79ee66f181901bc54331920426b3f724b8c11aa11

MD5 hash:

ccb6247d4990ce30d67717282a5945cb

SHA1 hash:

f7a35e88649b3e6fa2fca7574a82e7f634e13510

Link:

https://www.unpac.me/results/998ddc7d-3d33-483e-b246-5f4be2bd74c1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2078b64d057d683b0ad4aef79ee66f181901bc54331920426b3f724b8c11aa11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_STOP Create hunting rule
Author:	ditekSHen
Description:	Detects STOP ransomware

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	win_stop_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/190643/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample