MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 325df09a1d1478a0be19a6112b0753714fb0e3b6308b263c0bfe8c65a0708c05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stop

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	325df09a1d1478a0be19a6112b0753714fb0e3b6308b263c0bfe8c65a0708c05
SHA3-384 hash:	ea6ee0c73785a45201fbfdf2b8d7fe7a21e3837f884bd6ec092ef730360d7031f8e30becbc3f0087d7eadc3b73cca3a0
SHA1 hash:	9b3a721da45c3d6f4c3a4faabb0859aed92a7ff4
MD5 hash:	ece4abade00ec557c59f5daa3f62f90b
humanhash:	steak-california-asparagus-finch
File name:	325df09a1d1478a0be19a6112b0753714fb0e3b6308b263c0bfe8c65a0708c05
Download:	download sample
Signature	Stop Create hunting rule
File size:	807'936 bytes
First seen:	2021-09-22 13:20:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7273bdafbe151bbfd9b7057bf9d812ba (2 x RaccoonStealer, 2 x DanaBot, 1 x CryptBot)
ssdeep	24576:T8uDrGR/A1B54Gb/bEbhjSwpDgEklcjII3FssHn+:iu1BzK9S6Dgil3FsN
Threatray	684 similar samples on MalwareBazaar
TLSH	T109050220A790C235F5B793FA8AB68BB6643D3A715B3491CF62D226ED12347E48C31717
File icon (PE):
dhash icon	9824e7d0c4e7215c (11 x RedLineStealer, 5 x Smoke Loader, 2 x RaccoonStealer)
Reporter	JAMESWT_WT
Tags:	exe Stop

Intelligence

File Origin

# of uploads :

# of downloads :

156

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

325df09a1d1478a0be19a6112b0753714fb0e3b6308b263c0bfe8c65a0708c05

Verdict:

Suspicious activity

Analysis date:

2021-09-22 13:35:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b0ef63ab-abe4-42b0-8bfb-e78c99f0e889

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

STOP

Link:

https://www.capesandbox.com/analysis/190235/

Detection(s):

Win.Malware.Generic-9895402-0

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d40e0f84-125a-444f-869d-a75b5d6c7f12

Result

Threat name:

Djvu

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/855827

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Djvu Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/325df09a1d1478a0be19a6112b0753714fb0e3b6308b263c0bfe8c65a0708c05/

Threat name:

Win32.Ransomware.Stop

Status:

Malicious

First seen:

2021-09-20 22:38:12 UTC

AV detection:

27 of 28 (96.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gjo7bgq5cr4kbpqzuyiswb2tofh3by5wgcfsmpal72gglidqrqcq._file

Verdict:

malicious

Stop

496b5885ff8f521c91ca037338e188ea0374bf86816d0c804d3010fd2f5fec38

Stop

9634e7bbda11d42ed7eda4f7cc1965dea16ab45877cb425d322e830cf63a0657

Stop

9feb26b9550dbf46719374757468d95b6882c00fd3ca65a02e9edf2854e900a9

Stop

b055016e0d82c57b58cd126f26b4b8f4dae1441f0019bdaa42452e815f128944

Stop

bfbf6bb9393e511a06e90d432e7538059ae75f9f1525f0f503d1d0bec0d32124

Stop

e81e9dfe89a98449992b1ca9e4acb9905b606dc3de186b9de94241bde3b230be

Stop

e8bcd430d48c430ced6992340cbce21ffc1a4d8cc60e6255b76870d33a5ea6b9

Stop

ff9e059a789e94573fb32a918657d5c5c59b5395fab873cbcec7b1543435fe93

Stop

+ 674 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:djvu family:vidar botnet:517 discovery persistence ransomware stealer suricata

Link:

https://tria.ge/reports/210922-qk46eafchj/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Loads dropped DLL

Modifies file permissions

Downloads MZ/PE file

Executes dropped EXE

Vidar Stealer

Detected Djvu ransomware

Djvu Ransomware

Vidar

suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

Malware Config

C2 Extraction:

https://pavlovoler.tumblr.com/

Unpacked files

SH256 hash:

e3a758405e0871107c905ba5cf211ec30bd7fb9345950a9a0b3def7f14c9e87c

MD5 hash:

2590861b15fd552297b400342732e746

SHA1 hash:

0663677bd8ef8ded4f9d97de3038ccab7fccadab

Detections:

win_stop_auto

Link:

https://www.unpac.me/results/2eb28b94-9773-4548-b9cc-58ea8c91448a/

Parent samples :

4cc8bff20f9320c5ad0a543d3a7d97f05b4b6ad83de1dab439e25ec06671efbb
a941e90ff8f1750aadb4763c366b930ae9e6af28036e7ccd790c6c83c7163bff
16ab0466f24ceac741c81e152831d103d97087fe06ad52cdf40c0af437feaf07
a15f72a2d96072229513aa1cf5d8b8747282b5edcb3781a16cba7f1511ddaebb
c83075a8214e1b1631c4090ec9bb3b98e27bedc042c972bd780b054aedbe6c26
2640e5c56cf421eba34ddfd83cf01e243d2cb69a2291863f9f650efecf56318b
325df09a1d1478a0be19a6112b0753714fb0e3b6308b263c0bfe8c65a0708c05
aed0d2debb077e84fb10fce79e0bdd1aa2b1d85163f0bfeb4c7c345a649e61c5
8a7a5384394e62b20745f2a786a8184b26e88afc9cc0e96b2a3d2a6acb13ea7f
8824c8925e085ca11ef0ce41f6cf0d2fed532a0785113f5f34e89164ab4022bd
3c71f2d4d000810aeeaa5378811e1955947b9cdf3e8bc858159199d583a22825
24e01f6ef65d42467608a1db86f06cdbeb114ba6b6da744d5133c7d933adaaad
2f960d8ed44f6c4a4dc31187794e9605fa281f88ed3e2984287cbdd212965ee2
04830b32044eed19c43dce1d544c530532d60114d64970fafb7dcfb0f37f58c9
f8ad6344537c95c3421926b12bfe0de0931676b94c9f624744249343d84bf4de
00da27fd6c2199b83130478b8d22f90c8617a50703ec0dee60672ef2f9462d8a
8bc9f093f57c88b4aaad4f32acf87b89e24b00a28b51eabae5737af7c3567e0d
e5cceee07167bcac472b4d7286bd6afe892ad5241f36e7eec85e70ce16aaeadf
478195a740b83147fea1b6d9fe3b9b98411e99fd369fd34dc6f94a8fe6981ae9
334aaca9cc8d70cd876830bbc3c2a6100161d72f2de771e524bbad31834d7186
4254f97bcd155b5a248f841f4d152bcfd8a0c8bec63186e7f204e449e0e011bd
f0f977ae27df7a111ae322b49b8227ff2fd951461a649ea8fab8c5bec6efb47b
61fc32f8c793924084254b066bc5576480079942866f09ab188763007c40e81a
85fb4ff6108ebf0f167b448775ffa9b03c92f6d075b2da9dea6cb328b8b5aaaf
ca60ed97fc35897fdb89daf1b39d312391137eefc93bfd96fd8f8264ab2b12a1
6386e8a1f4537c6e541be6e04bfbf81ad4d42312f6ad244b415d090d063c25c8

SH256 hash:

325df09a1d1478a0be19a6112b0753714fb0e3b6308b263c0bfe8c65a0708c05

MD5 hash:

ece4abade00ec557c59f5daa3f62f90b

SHA1 hash:

9b3a721da45c3d6f4c3a4faabb0859aed92a7ff4

Link:

https://www.unpac.me/results/2eb28b94-9773-4548-b9cc-58ea8c91448a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/325df09a1d1478a0be19a6112b0753714fb0e3b6308b263c0bfe8c65a0708c05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_STOP Create hunting rule
Author:	ditekSHen
Description:	Detects STOP ransomware

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	win_stop_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/190235/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample