MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 232d25948db02a80f05a71382a8fda0000fb08df82778f30322d5844ce7d167b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 232d25948db02a80f05a71382a8fda0000fb08df82778f30322d5844ce7d167b
SHA3-384 hash: 9bd1539a8efde02063585378f6bcaf36bc7ee52b510483ff85dc93c38d2a80bbba13c8c65bcc91da96c6f30fff11ef45
SHA1 hash: 61091ff70842a709c0283253be9b0e473bfa1054
MD5 hash: 20741efb92edd220de77c9e7e59b6c29
humanhash: cola-nineteen-iowa-texas
File name:8E59E609D766B97D507B0BC9947D0A4B45431A3E3A2F3ADE98A14A51CFB96FD0.exe
Download: download sample
Signature Stop
Create hunting rule
File size:854'528 bytes
First seen:2024-07-24 18:51:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fab832f0eb05efca0f6cd66bd4fb20fa (2 x Gozi, 2 x Stop, 1 x Loki)
ssdeep 12288:e8K0AkD/lct8fzQooO2Q8u62R0qP/8WnFJ7VVrEXrS/8rZ5qtLgq0nFcjV7u:tu+OteztV8AdlY7Algq0nFJ
Threatray 1'594 similar samples on MalwareBazaar
TLSH T15D0512E1E641D033C95A397086EBD6E41B7E7871CEA6E1077338461E2F716C0AA3971E
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 327e7c7f767c6e66 (2 x Stop)
Reporter Anonymous
Tags:exe Stop


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
325
Origin country :
CN CN
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
232d25948db02a80f05a71382a8fda0000fb08df82778f30322d5844ce7d167b.exe
Verdict:
Malicious activity
Analysis date:
2024-07-25 17:26:25 UTC
Tags:
bdaejec evasion loader vodkagats
Link:
https://app.any.run/tasks/bf2aa48b-dac5-49cd-b208-c80d21fdd753

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Virus.Wapomi-9802127-0
Create hunting rule

Win.Packed.Generickdz-9946677-0
Create hunting rule

Win.Packed.Strab-9951520-0
Create hunting rule

Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a14d59ae21d7902eafbbe0
Tags:
Execution Generic Infostealer Network Ransomware Static Stealth Stop
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Modifying an executable file
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Сreating synchronization primitives
Deleting a recently created file
Query of malicious DNS domain
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Infecting executable files
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint lolbin microsoft_visual_cc packed shell32
Link:
https://www.filescan.io/uploads/66a14df93ba51bb345a36468/reports/d854ca5e-2510-43f4-ab29-ecdbfa3ce185/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/afba46c7-0e86-4fd7-b98e-99c1f0603acc
Result
Threat name:
Babuk, Bdaejec, Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1480594
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Found stalling execution ending in API Sleep call
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
PE file contains section with special chars
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Bdaejec
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1480594 Sample: 8E59E609D766B97D507B0BC9947... Startdate: 24/07/2024 Architecture: WINDOWS Score: 100 70 zerit.top 2->70 72 fuyt.org 2->72 74 2 other IPs or domains 2->74 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 84 13 other signatures 2->84 9 8E59E609D766B97D507B0BC9947D0A4B45431A3E3A2F3ADE98A14A51CFB96FD0.exe 1 2->9         started        13 8E59E609D766B97D507B0BC9947D0A4B45431A3E3A2F3ADE98A14A51CFB96FD0.exe 2->13         started        15 8E59E609D766B97D507B0BC9947D0A4B45431A3E3A2F3ADE98A14A51CFB96FD0.exe 2->15         started        signatures3 process4 file5 64 C:\Users\user\AppData\Local\Temp\XrmUTb.exe, PE32 9->64 dropped 96 Detected unpacking (changes PE section rights) 9->96 98 Detected unpacking (overwrites its own PE header) 9->98 100 Found stalling execution ending in API Sleep call 9->100 108 3 other signatures 9->108 17 8E59E609D766B97D507B0BC9947D0A4B45431A3E3A2F3ADE98A14A51CFB96FD0.exe 1 16 9->17         started        21 XrmUTb.exe 18 9->21         started        102 Antivirus detection for dropped file 13->102 104 Machine Learning detection for dropped file 13->104 106 Injects a PE file into a foreign processes 13->106 24 8E59E609D766B97D507B0BC9947D0A4B45431A3E3A2F3ADE98A14A51CFB96FD0.exe 12 13->24         started        26 XrmUTb.exe 15->26         started        28 8E59E609D766B97D507B0BC9947D0A4B45431A3E3A2F3ADE98A14A51CFB96FD0.exe 15->28         started        signatures6 process7 dnsIp8 66 api.2ip.ua 188.114.96.3, 443, 49732, 49733 CLOUDFLARENETUS European Union 17->66 46 8E59E609D766B97D50...8A14A51CFB96FD0.exe, PE32 17->46 dropped 48 8E59E609D766B97D50...exe:Zone.Identifier, ASCII 17->48 dropped 30 8E59E609D766B97D507B0BC9947D0A4B45431A3E3A2F3ADE98A14A51CFB96FD0.exe 17->30         started        33 icacls.exe 17->33         started        68 ddos.dnsnb8.net 44.221.84.105, 49731, 49736, 49737 AMAZON-AESUS United States 21->68 50 C:\Program Files\7-Zip\Uninstall.exe, PE32 21->50 dropped 52 C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32 21->52 dropped 54 C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS 21->54 dropped 86 Antivirus detection for dropped file 21->86 88 Detected unpacking (changes PE section rights) 21->88 90 Machine Learning detection for dropped file 21->90 92 Infects executable files (exe, dll, sys, html) 21->92 35 WerFault.exe 21->35         started        37 cmd.exe 26->37         started        file9 signatures10 process11 signatures12 110 Injects a PE file into a foreign processes 30->110 39 8E59E609D766B97D507B0BC9947D0A4B45431A3E3A2F3ADE98A14A51CFB96FD0.exe 1 19 30->39         started        44 conhost.exe 37->44         started        process13 dnsIp14 76 zerit.top 92.246.89.93, 49734, 49735, 49739 LIVECOMM-ASRespublikanskayastr3k6RU Russian Federation 39->76 56 C:\_readme.txt, ASCII 39->56 dropped 58 C:\Users\user\_readme.txt, ASCII 39->58 dropped 60 C:\Users\...\offline.session64.iiof (copy), data 39->60 dropped 62 38 other malicious files 39->62 dropped 94 Modifies existing user documents (likely ransomware behavior) 39->94 file15 signatures16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/232d25948db02a80f05a71382a8fda0000fb08df82778f30322d5844ce7d167b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/232d25948db02a80f05a71382a8fda0000fb08df82778f30322d5844ce7d167b/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 18:52:14 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=emwslfenwavib4c2oe4cvd62aaapwcg7qj3y6mbsfvmejtt5cz5q._file
Verdict:
malicious
Similar samples:
786bb21f95e657b07a7bfb151e4e0d0f27fe443ac855e467e9b7d3fa643c62ab
Stop
7e55984b301bf836995807293d281046d0d14f26e113727e2cc8e993f0de45a8
Stop
7fb707b6080c884faf366ba8e885c37e68ada8cd96bbc4897a7df0ab00c17270
Stop
bf771de1c2a064ca7acf4cecbeeb6a4f23895befc680a76747f8a7c7c7c3d80c
Stop
df4cf6f6be06bfd7eaf23bffc9c16639573228bc72fd6262352a242b5bdf2080
Stop
+ 1'584 additional samples on MalwareBazaar
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu aspackv2 discovery persistence ransomware
Link:
https://tria.ge/reports/240724-xh3m5avcjg/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://fuyt.org/test1/get.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/28b142c2-2884-4436-aa5f-3a4d000b86c1
Unpacked files
SH256 hash:
c2bd9d2d4b74119e6326432cff11b66967ad03dd16cf8489872104c6673c4458
MD5 hash:
06718f08b9c144f804038889eb3275db
SHA1 hash:
c47188bd4f0c94a58a2ef2ced234108689ad368b
Detections:
djvu_ransomware
Create hunting rule
win_stop_auto
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/73c386a2-759f-480e-a61f-440b7c9806da/
Parent samples :
5a0edc9a74176c2fc135bcc85ff57459c17afee6245380b54e1c1ce6f0a0c0d1
8e59e609d766b97d507b0bc9947d0a4b45431a3e3a2f3ade98a14a51cfb96fd0
1887d44bd913b81d9943f4b5637e01b057d20d757b23cd6ea3da239827a9cd95
7fb707b6080c884faf366ba8e885c37e68ada8cd96bbc4897a7df0ab00c17270
232d25948db02a80f05a71382a8fda0000fb08df82778f30322d5844ce7d167b
SH256 hash:
82244b87ca1a4eadfc386eba8be1c0bed8e8107fc2315ab10e4c1eafc393a215
MD5 hash:
e1a97ff1706ad02f8ed9b380b96b90ab
SHA1 hash:
d6bb048acbefffd12d8afc1efd5515adc090749a
Detections:
win_unidentified_045_auto
Create hunting rule
win_unidentified_045_g0
Create hunting rule
Link:
https://www.unpac.me/results/73c386a2-759f-480e-a61f-440b7c9806da/
SH256 hash:
232d25948db02a80f05a71382a8fda0000fb08df82778f30322d5844ce7d167b
MD5 hash:
20741efb92edd220de77c9e7e59b6c29
SHA1 hash:
61091ff70842a709c0283253be9b0e473bfa1054
Link:
https://www.unpac.me/results/73c386a2-759f-480e-a61f-440b7c9806da/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/232d25948db02a80f05a71382a8fda0000fb08df82778f30322d5844ce7d167b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Stop

Executable exe 232d25948db02a80f05a71382a8fda0000fb08df82778f30322d5844ce7d167b

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AddConsoleAliasW
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleA
KERNEL32.dll::SetConsoleTitleW
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::ReplaceFileA
KERNEL32.dll::SetVolumeMountPointA

Comments