MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3423c85e9bc7eddc8b4525fc565665a992231e8d01c8159b03f5dc5c303ad4db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stop

Vendor detections: 14

Intelligence 14 IOCs YARA 10 File information Comments

SHA256 hash:	3423c85e9bc7eddc8b4525fc565665a992231e8d01c8159b03f5dc5c303ad4db
SHA3-384 hash:	71341e49ed6d4b2fc075341b0c05d23d03918d23e57e2b4c0e46ac63533f22eb29cb3b0ef5d3823cb589767cf73cb353
SHA1 hash:	034ddbf9e9df8e8174cec646ffe10e58ddfdabef
MD5 hash:	d4e24cd73b58bf36ac07c05294c3b67c
humanhash:	vermont-tennessee-ink-kitten
File name:	3423c85e9bc7eddc8b4525fc565665a992231e8d01c8159b03f5dc5c303ad4db
Download:	download sample
Signature	Stop Create hunting rule
File size:	796'160 bytes
First seen:	2022-03-31 14:45:26 UTC
Last seen:	2022-03-31 15:56:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	58b5b612d2da1ed4f1d880f59853b70d (4 x Stop, 1 x RedLineStealer)
ssdeep	12288:I/F+iwGjX6TEfZnUkpAcz4TSuJDBYzFgwDfNjlQ0JsnkeHBBPcnzBiLDvRPwxxcC:IkuGE9UaAcz/UOxgwZjO0neHBBkNi5l
Threatray	1'082 similar samples on MalwareBazaar
TLSH	T111050114B790C435E5B716F088A9D3A8B93EBEB1872455CB63D166EE1634BE4EC3031B
File icon (PE):
dhash icon	b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter	JAMESWT_WT
Tags:	exe Stop

Intelligence

File Origin

# of uploads :

# of downloads :

210

Origin country :

n/a

Vendor Threat Intelligence

Detection:

STOP

Link:

https://www.capesandbox.com/analysis/260166/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader44.48156.11933.10759.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Сreating synchronization primitives

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/12239/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6245bebaa19c649412b36d63/reports/bb00cddb-1c87-4598-9dbc-d4649761c9ab/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/aed034e7-f005-44ef-af00-9fc7e91f0003

Result

Threat name:

Djvu

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/968467

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3423c85e9bc7eddc8b4525fc565665a992231e8d01c8159b03f5dc5c303ad4db/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-03-31 00:21:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gqr4qxu3y7w5zc2fex6fmvtfvgjcghunaheblgyd6xofymb22tnq._file

Verdict:

malicious

Stop

8435fa985a445994ae3b8134721302ecd6dbfa29d1052eb8471721649ab1b522

Stop

a6b1dc8ea546b26e5a6f2d13de10e4c20d6ce9774348e5bd75388e91de689ac1

Stop

ba53f24d6448dfc4b1a4a9b73d7d24ecc31a05a4e26ee051ba5ada4312f319d1

Stop

d3ca0ef14e8dc45497faba304acf842bb2f2913ca2108600ee2771f9e9a24f9c

Stop

de1bec11380a046d35656cb592a399445a6deb5934a2892dcd5dac3d0f61c55e

Stop

f2e3fa89c1a2c72ea78c4d32446221c08b30c7c3363f8248f04aa9eee2e15c70

Stop

+ 1'072 additional samples on MalwareBazaar

Result

Malware family:

djvu

Score:

10/10

Tags:

family:djvu ransomware

Link:

https://tria.ge/reports/220331-r5amzaddh6/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Detected Djvu ransomware

Djvu Ransomware

Malware Config

C2 Extraction:

http://fuyt.org/lancer/get.php

Unpacked files

SH256 hash:

14412d70202c15f5da2041354d2def54417298a682dd89326ca03d8a0bd8552b

MD5 hash:

745712ead4a703cd05e3faa1cba9e4cc

SHA1 hash:

9e963558ab90de3c95ab743e15a1d1618fb43858

Detections:

win_stop_auto

Link:

https://www.unpac.me/results/ccb33f22-258e-47bc-a737-4091dead9aef/

Parent samples :

8f9ed33c79f36b350c493bb1fef27bf458110de1870092d1babee3ac6053735b
3423c85e9bc7eddc8b4525fc565665a992231e8d01c8159b03f5dc5c303ad4db
98dc8c7a341d23a417b681dcef70c286b55b7548de153ce7e43041e3129513b1
72cd1426f13a698c7d63a288f4920147812303e8f10a4e66e414cc7c2206381d
f4105f470480c034963d8b4ffcd671a7b1db1edc478c9e216477dff24099e0b3

SH256 hash:

3423c85e9bc7eddc8b4525fc565665a992231e8d01c8159b03f5dc5c303ad4db

MD5 hash:

d4e24cd73b58bf36ac07c05294c3b67c

SHA1 hash:

034ddbf9e9df8e8174cec646ffe10e58ddfdabef

Link:

https://www.unpac.me/results/ccb33f22-258e-47bc-a737-4091dead9aef/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3423c85e9bc7eddc8b4525fc565665a992231e8d01c8159b03f5dc5c303ad4db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	MALWARE_Win_STOP Create hunting rule
Author:	ditekSHen
Description:	Detects STOP ransomware

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

Rule name:	win_stop_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.stop.

Rule name:	XOREngine_Misc_XOR_Func Create hunting rule
Author:	smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:	Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/260166/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample