MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28ab91ea2d0e18a098cf8d26e786a7a477a98d6b0a6dcc1ec9e6e54395534b5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28ab91ea2d0e18a098cf8d26e786a7a477a98d6b0a6dcc1ec9e6e54395534b5d
SHA3-384 hash: c5230586aec8cb572cce64cf8a878105c9248870297b19c77528fe5047b8f34f635867adc0cd2894486e638d3dc6f752
SHA1 hash: 3ee29a432ab0d44404429e33d4380f5ee940c2a1
MD5 hash: bb3a78f059d635fa48ffc3d7b5ee4a55
humanhash: india-north-mississippi-happy
File name:28ab91ea2d0e18a098cf8d26e786a7a477a98d6b0a6dcc1ec9e6e54395534b5d
Download: download sample
Signature Stop
Create hunting rule
File size:812'032 bytes
First seen:2022-04-05 06:10:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 159a2e4ccc84f2a04642d12fcf53e4a9 (3 x Stop, 1 x Loki)
ssdeep 12288:RM3xe1DtJUb9qNY4U4+em5Dn4MKC3tzmYroG+jhssJUzS0uL0pR6NubkVGgmto1:R0QDTQ0ixeMbtzmYMhN2zkgpR6hGg7
Threatray 1'112 similar samples on MalwareBazaar
TLSH T1DF0512AE37A1D470E0D12230503A9FB3197EACB5585146477778376A7F2038099BAFAF
File icon (PE):PE icon
dhash icon 480c1c4c4f590b14 (113 x Smoke Loader, 92 x RedLineStealer, 83 x Amadey)
Reporter JAMESWT_WT
Tags:exe Stop

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/260816/
Detection(s):
Win.Dropper.Stop-9938042-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12634/overview
Behaviour
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/624bdd87aa7e43c6a6ba927d/reports/49964376-1697-4a0d-8828-6e698cf780a9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2ed3fa5-6acb-4cab-9f69-ff7d54f09226
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/970681
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 603169 Sample: kwMQEqmwF4 Startdate: 05/04/2022 Architecture: WINDOWS Score: 100 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for URL or domain 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 3 other signatures 2->60 8 kwMQEqmwF4.exe 2->8         started        11 kwMQEqmwF4.exe 2->11         started        13 kwMQEqmwF4.exe 2->13         started        15 kwMQEqmwF4.exe 2->15         started        process3 signatures4 64 Multi AV Scanner detection for dropped file 8->64 66 Machine Learning detection for dropped file 8->66 68 Injects a PE file into a foreign processes 8->68 17 kwMQEqmwF4.exe 18 8->17         started        70 Contains functionality to inject code into remote processes 11->70 22 kwMQEqmwF4.exe 1 16 11->22         started        24 kwMQEqmwF4.exe 12 13->24         started        26 kwMQEqmwF4.exe 12 15->26         started        process5 dnsIp6 48 fuyt.org 187.212.189.220, 49782, 80 UninetSAdeCVMX Mexico 17->48 36 C:\_readme.txt, ASCII 17->36 dropped 38 C:\Users\user\...\kwMQEqmwF4.exe.udla (copy), MS-DOS 17->38 dropped 40 C:\Users\user\Desktop\kwMQEqmwF4.exe, MS-DOS 17->40 dropped 46 3 other malicious files 17->46 dropped 62 Modifies existing user documents (likely ransomware behavior) 17->62 50 api.2ip.ua 162.0.217.254, 443, 49767, 49768 ACPCA Canada 22->50 42 C:\Users\user\AppData\...\kwMQEqmwF4.exe, PE32 22->42 dropped 44 C:\Users\...\kwMQEqmwF4.exe:Zone.Identifier, ASCII 22->44 dropped 28 kwMQEqmwF4.exe 22->28         started        31 icacls.exe 22->31         started        file7 signatures8 process9 signatures10 72 Injects a PE file into a foreign processes 28->72 33 kwMQEqmwF4.exe 12 28->33         started        process11 dnsIp12 52 api.2ip.ua 33->52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28ab91ea2d0e18a098cf8d26e786a7a477a98d6b0a6dcc1ec9e6e54395534b5d/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 22:17:41 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fcvzd2rnbymkbggprutopbvhur32tdllbjw4yhwj43suhfktjnoq._file
Verdict:
malicious
Similar samples:
45af7d799a8e6cd7b9427908e7bdba67693f63402b0b32316982656bf7d17462
Stop
5efb1ae4bb8bb433c72d9a5ffa3e567e9ac235eb666ce25a56035e30fb623abc
Stop
923d2af76cd47509cd42c94e47b6198321b16c2123b09bb39aa26b8c3daf9647
Stop
b35685146d30d976ea7a856d4f6011e2433d8a40244c320be021d40ed33f0ee0
Stop
edbe71fea0f03f364ec2b75c2786ddea29541034496d5005c132d8b402a3c778
Stop
+ 1'102 additional samples on MalwareBazaar
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu ransomware
Link:
https://tria.ge/reports/220405-gxlp6adhhl/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://fuyt.org/test1/get.php
Unpacked files
SH256 hash:
fc90a956316d6efabf262e575d5801e6ec502502dcef75269b2db592d0e5a70a
MD5 hash:
98fd0039533495e6a5756eae5a9ea38b
SHA1 hash:
5c8fdddd87ccc8b5ac13d0adc0178d2d356f0e6d
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/922affe3-0fdb-42e4-8525-0df245ded140/
Parent samples :
9cfe27f65401391f31681939a2044e00e873f2391398656a6066c9e09030f5e1
a7dd575a5d02cf4531309ba335481564cf35383285d84effa519d302962556e7
56fdae721975ff81c3ba41c65aa74395ffac22f832d494c1edd3ecc2593e45c0
adb3dfa05eb1eac98d1c860e0e88c6050952b00e854f962e02126b14ab0e8423
58800e8556bb1ecb9d1554a14cd59136cbf41bac263c56d8e0adea85e6fbcc35
ae46809e1f04125ca54e9108794c6426d389617e0bd8133ce91aeee9ce9bb573
a08d308902b9494ee1a0d38e4c7cb5dc91e302efc8e869be3c2ec0394034fe06
2fbd58e933ac02775649129f2d72a4a40c011f1075d4714052141c6c0813b049
1fc49b9f134cd2ce6b203dfea77b85269bba7ed1e29060d11dad4fabcaa66f67
1cf6de69e4116e27fdc7fdd485432566bd2c65598bc9420bc1089fd5f7c3cf4f
2b52418f70ca659187a5d9959802adc348af02b4bb4bdfaa634de930295d8ae3
5efb1ae4bb8bb433c72d9a5ffa3e567e9ac235eb666ce25a56035e30fb623abc
6fcec37ad944a768f9e87a590de03e1df6c5b86cd7ffe3105589ce463cc67615
28de739e5a1ed53773ef2d8747f800a88c631b7fc27466cbc6371bccb9259da9
37ee32817b5a8fe72af37a71d051f1330a2486a88a2735e051f860bf92fdbfdc
82e869f41c09e99a544ce6d50fedf25e1f08b60286a8085299d3196b00083a1b
295ba48b48c596fcf5792578fe2c0678b841984588efbcf77067f51961d374f2
3289a7e157927ea433bcbef1e2f4a14830051bf75824c0769c31efaf1225955c
3d14f23b4729d498460c0831236950c4d854fea2de797c1fe65b1eb6548dc241
9301195c700b39f71484a9302e0ee0f714b8914113394b08f4f4788cd6f5a40e
a512b4b6c99877a9990299da663556a582fc6eb9713b9984d9c2927d73c9c6ff
c10580e06da040aa1e72bb74f872bb45d63f1733e432f15920eff91848d31377
893641698acd5b415c7a079b5512abadd0da0ebcd9e9e440bd0cf33fc5596257
d536de2200a9424de07b26726d16c18a88277745eb87d3e3f31f3ce83207a2b6
e2008f3eb3480e576bd34e3a1079b21a17a03fe3f02d74c98461a1eef4e28275
eacbde48d95aaaa21da6ff9acb0e5e29b4a19d89816351a6616c6e800e686261
c4b422fc75b9e6b9b7bc6d5dc6ceb221aba807ccf9973710b5c62a30fd636bf8
ffbf3c9e0ec433e6ea684b848440bc8d039164fca4174763ba12335ab57d7606
436d45423beaf3553cf83814334614f11d786650981bfd1deec29093761efea3
6672fed2e98c442d1d0f86f03fcdc939f502cb9952061c57af7d4f232ed6d16c
d89e36841e53232e807fe543972ca6a1b4dd425da6ea87d7455043a75c6df957
e094869a8bb09c533b826e173f853cf8d7d1ab31f56fa7cbdf3ea72dabd7ead4
edbe71fea0f03f364ec2b75c2786ddea29541034496d5005c132d8b402a3c778
9dc1ae55fc0b55f3a3268a59a50fb9052d917b53295d1415cbc4045ddc3dbad0
02f7349342a424adae32d57fa13d89be4b7b54e119b068d1046c14e36b7f5bc3
6dceff38ea7aa0c62437cdb32c52bbaff747db2bcd8cf38597dce31a26695c3c
0b6c3923a7d34f3062dab70853887a2a3c8bdb009e9a110d4a554bef892b26fd
3dd2f20a676053db4004a363fe3a838b4eeea2b24447336f80b19de465affa9a
5eba82a7e94705bf27fadd086866acebcd1afe20d9b5ad9ee9f224ab21f46ad9
8a2d0bf67b76ca5e61e73cb91957a5cc4281ebf9ff3a2cc83d5c0262c64d7abe
8c5a7318f7201df35cfd4c7902108e287a1932454a8120c47da88114cd845138
9d86a0b05fe7895b350e225e4585dc999008ce6df6bb54cfb1141613f1e97df1
22a282ef1bcc703568825a99c13a5f409718291d9817d11a2ab4ca0ef9272865
28ab91ea2d0e18a098cf8d26e786a7a477a98d6b0a6dcc1ec9e6e54395534b5d
44eed310cb747cc6e34b10937c0f7f8011d20b7559ab8846bf981def59275f5a
99eaee03c735e58c791b29c4d8b0911a0b42b70bd55ac3e5f33cf0729accfe0f
23a56459c8c96187dccb00c4f206678c901ac4b20f25a92babd1197213f16b01
83f32b4c80b69df7ac87e097e57990f759d71433010558083e0260238fe3a795
726e184388fa817075ff40803a1c921e9907d426888cf8e265f14d88d606b2bb
bbc0573a3c27403f6191fd3820ee001dc8d248f4af20200ebbac79cb63ef1023
556a1f630405c06e4ebceadee1c8dc291f1fcaba0955adcdb8946cae5765a939
05369a22c30ed4a64f2559bb9e8acbaf0838eac9f4ad2c06e9c5f06bd3d8b01f
b76029c0f387e9c39ca61093bab92354550a28281b8de0ed56e6be3cc59873c4
db31b33ef9ba03ebc8ad2ff4fe5ab3fb5934d92a26c2b512e784bfc34c3effc2
910fe03c505bbae3cb251f6fa48c837347a4505f7e74ba658a06c41667bf03b3
db796fc968041267daff136126768ff072bd3e4e271d1c81120b0eaf6056bf60
fc6ccdf10a489163e43fbd96ed5c48d0b2948e2a21a29a793083cd15b64b5739
6120caded2eeed1982670216779cbfd5a1b6917b339c96106bc23051ea6a2670
8166fa2f97612f886d127e68c511bc2d8edae19cf9eba76ead300beb41b5aa69
e93dfe97cdd0a9bcd8cc42063fb14cef4e4e0d588871614c3cea18e4c4ba77d7
SH256 hash:
28ab91ea2d0e18a098cf8d26e786a7a477a98d6b0a6dcc1ec9e6e54395534b5d
MD5 hash:
bb3a78f059d635fa48ffc3d7b5ee4a55
SHA1 hash:
3ee29a432ab0d44404429e33d4380f5ee940c2a1
Link:
https://www.unpac.me/results/922affe3-0fdb-42e4-8525-0df245ded140/
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/28ab91ea2d0e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28ab91ea2d0e18a098cf8d26e786a7a477a98d6b0a6dcc1ec9e6e54395534b5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

Executable exe 28ab91ea2d0e18a098cf8d26e786a7a477a98d6b0a6dcc1ec9e6e54395534b5d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2084511/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/260816/

Comments