MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23dc60233f270ba130c16c2a9918166205735e6b5408750523e9542b9e0ea70a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23dc60233f270ba130c16c2a9918166205735e6b5408750523e9542b9e0ea70a
SHA3-384 hash: 286f11e3e2846e3721bfc35e7000a42c896d0a6b12c8f7107ff7158ea143db3f0926a835c11096e3f6d0c96d7a89cf18
SHA1 hash: 2811f08c31fcb6f3dfc75cf80c101c41b4e90a21
MD5 hash: 76a6f7677b7223c5271ff44d85c01c08
humanhash: autumn-fanta-kansas-mexico
File name:23dc60233f270ba130c16c2a9918166205735e6b5408750523e9542b9e0ea70a
Download: download sample
Signature Stop
Create hunting rule
File size:775'552 bytes
First seen:2021-09-03 09:06:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afec05664b511fad431e988e2a228505 (14 x RaccoonStealer, 2 x Amadey, 2 x Stop)
ssdeep 12288:khO83A+DWWDIJbslmj5ps/GOJuWcMyZA7taRkQK7X+kpHEveDv1Hc9c6:WFA+qeIOMns/GOJuGCKDxHEGDvZm
Threatray 476 similar samples on MalwareBazaar
TLSH T1D2F412E9B271C972F8CA52300595C6A1C25B7D25F8A051A71B87738FAE3BE80531D7B3
dhash icon fcfcf4f4d4dcd8c0 (26 x RaccoonStealer, 11 x RedLineStealer, 9 x Stop)
Reporter JAMESWT_WT
Tags:exe Stop

Intelligence

File Origin
# of uploads :
1
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
23dc60233f270ba130c16c2a9918166205735e6b5408750523e9542b9e0ea70a
Verdict:
Suspicious activity
Analysis date:
2021-09-03 09:29:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ef2e45a7-fd33-4d7c-a93f-7aa0bc8b9fad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185107/
Detection(s):
Win.Dropper.Fragtor-9889202-0
Create hunting rule

Win.Dropper.Fragtor-9889385-0
Create hunting rule

Win.Malware.Fragtor-9889738-0
Create hunting rule

Win.Packed.Generic-9889930-0
Create hunting rule

Win.Packed.Raccoon-9889498-1
Create hunting rule

Win.Packed.Raccoon-9889576-1
Create hunting rule

Win.Packed.Filerepmalware-9890038-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Sending a UDP request
Deleting a recently created file
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/490d00f0-8261-4357-9df1-9ac7f27d7e27
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844738
Signature
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 477170 Sample: ry5B6ootM0 Startdate: 03/09/2021 Architecture: WINDOWS Score: 100 58 Multi AV Scanner detection for submitted file 2->58 60 Found ransom note / readme 2->60 62 Yara detected Djvu Ransomware 2->62 64 Machine Learning detection for sample 2->64 8 ry5B6ootM0.exe 2->8         started        11 ry5B6ootM0.exe 2->11         started        13 ry5B6ootM0.exe 2->13         started        15 ry5B6ootM0.exe 2->15         started        process3 signatures4 68 Multi AV Scanner detection for dropped file 8->68 70 Detected unpacking (changes PE section rights) 8->70 72 Machine Learning detection for dropped file 8->72 17 ry5B6ootM0.exe 1 16 8->17         started        74 Contains functionality to inject code into remote processes 11->74 76 Injects a PE file into a foreign processes 11->76 22 ry5B6ootM0.exe 1 16 11->22         started        24 ry5B6ootM0.exe 12 13->24         started        26 backgroundTaskHost.exe 13->26         started        28 ry5B6ootM0.exe 12 15->28         started        process5 dnsIp6 50 astdg.top 17->50 38 C:\_readme.txt, ASCII 17->38 dropped 40 C:\Users\user\...\ry5B6ootM0.exe.lqqw (copy), data 17->40 dropped 42 C:\Users\user\Desktop\ry5B6ootM0.exe, data 17->42 dropped 48 5 other files (3 malicious) 17->48 dropped 66 Modifies existing user documents (likely ransomware behavior) 17->66 52 api.2ip.ua 77.123.139.190, 443, 49701, 49702 VOLIA-ASUA Ukraine 22->52 54 192.168.2.1 unknown unknown 22->54 44 C:\Users\user\AppData\...\ry5B6ootM0.exe, PE32 22->44 dropped 46 C:\Users\...\ry5B6ootM0.exe:Zone.Identifier, ASCII 22->46 dropped 30 ry5B6ootM0.exe 22->30         started        33 icacls.exe 22->33         started        file7 signatures8 process9 signatures10 78 Injects a PE file into a foreign processes 30->78 35 ry5B6ootM0.exe 12 30->35         started        process11 dnsIp12 56 api.2ip.ua 35->56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23dc60233f270ba130c16c2a9918166205735e6b5408750523e9542b9e0ea70a/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-09-01 18:50:00 UTC
File Type:
PE (Exe)
Extracted files:
67
AV detection:
33 of 43 (76.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=epogaiz7e4f2cmgbnqvjsgawmicxgxtlkqehkbjd5fkcxhqou4fa._file
Verdict:
malicious
Similar samples:
20ebe8ff1da6f2023a43b3e3cbe14479961699f9dec0324f72070fa2b275eaae
Stop
496b5885ff8f521c91ca037338e188ea0374bf86816d0c804d3010fd2f5fec38
Stop
9634e7bbda11d42ed7eda4f7cc1965dea16ab45877cb425d322e830cf63a0657
Stop
9feb26b9550dbf46719374757468d95b6882c00fd3ca65a02e9edf2854e900a9
Stop
b055016e0d82c57b58cd126f26b4b8f4dae1441f0019bdaa42452e815f128944
Stop
bfbf6bb9393e511a06e90d432e7538059ae75f9f1525f0f503d1d0bec0d32124
Stop
e81e9dfe89a98449992b1ca9e4acb9905b606dc3de186b9de94241bde3b230be
Stop
e8bcd430d48c430ced6992340cbce21ffc1a4d8cc60e6255b76870d33a5ea6b9
Stop
ff9e059a789e94573fb32a918657d5c5c59b5395fab873cbcec7b1543435fe93
Stop
+ 466 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar botnet:517 discovery persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210903-k2rzhscha5/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Detected Djvu ransomeware
Djvu Ransomware
Vidar
Malware Config
C2 Extraction:
https://romkaxarit.tumblr.com/
Unpacked files
SH256 hash:
f5e421cdc3a15f524eab328a6dd4c4d92b7f404e1d6f2dc2c4fd53b0be3b6802
MD5 hash:
7374438017992073f1e1b1814383d828
SHA1 hash:
8d44c46208e04d3d46caaad2dac4279cdf0c414b
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/da47e3c0-fc27-4b77-87e1-e1505bde2eae/
Parent samples :
302c818ff4e207e4ecd8e66ae38fb7368c39b99a883f61dca027dff6d2b996da
0d5034e4f4a4c3a189b3f916c98dbfdc69b1318262fde1878042a5cc9e8f7366
051a2902c6a41210cbf84e97a4d24b7f4538414c25433e2e75ad0b6c9f7bf481
af7e8bfb4652f62934fa5f2de47582b39d26c2bed1180e0fbb6f8fef3eb7b97e
b65532de52ea9fdda67e26aa6514e0b819fc7821d2c18c6fbc45cf016baee2ee
23dc60233f270ba130c16c2a9918166205735e6b5408750523e9542b9e0ea70a
d0c4d2a2e6de48c794cb11638fb267a80371833bdb009d31f80440382a2167b7
62e0844c934cb1c112dfd4fb81a2c74831149b1a3c97c289994e7c224afdf88c
f5a2d62a1d09f34f73adc253887b665c96a2fbf7cadc6084569675da186357e1
384ae82c526406e4becbc020c78a494a0dec9c94183aa3509e29cfff9d838a3a
1a63e24da9d07a7049bd05ca2188df900a37d14bdae836aa0b3d288f81e3371d
SH256 hash:
23dc60233f270ba130c16c2a9918166205735e6b5408750523e9542b9e0ea70a
MD5 hash:
76a6f7677b7223c5271ff44d85c01c08
SHA1 hash:
2811f08c31fcb6f3dfc75cf80c101c41b4e90a21
Link:
https://www.unpac.me/results/da47e3c0-fc27-4b77-87e1-e1505bde2eae/
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/23dc60233f27/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/23dc60233f270ba130c16c2a9918166205735e6b5408750523e9542b9e0ea70a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185107/

Comments