MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3575aeec9e4e351ba9c03ceff4ace3a4e2bb44c5f8148b680f00d195d8eb97f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3575aeec9e4e351ba9c03ceff4ace3a4e2bb44c5f8148b680f00d195d8eb97f9
SHA3-384 hash: 403cbca1a14c327b14d75d20e26a2ffd73c14be0f37097d46e31611424c25e4ce6987ba24831b384856941f88ea9d8ec
SHA1 hash: f025ef2214c430f673fcc558f3c6ea75ad39756d
MD5 hash: 9a363169fe46bc5220ac931826851029
humanhash: yankee-orange-sweet-black
File name:9a363169fe46bc5220ac931826851029.exe
Download: download sample
Signature Stop
Create hunting rule
File size:744'960 bytes
First seen:2022-09-08 10:00:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b7e16e45d5ca01868887e26a9f95ed7b (3 x Smoke Loader, 2 x Stop, 1 x RedLineStealer)
ssdeep 12288:GLZYEDnD0AqBpxPeF3x6cQQagLq66oWGWud5KnucVbepRrtGJgMYJcwsPe:G2WDpybeF3igB/Vjvrt/MYGwsPe
Threatray 1'722 similar samples on MalwareBazaar
TLSH T1BCF41221B483C030D5A641318171D2A0253FB7625B57C60FF7A97BAEAFB01E426FA767
TrID 61.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
15.5% (.EXE) Win64 Executable (generic) (10523/12/4)
7.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.6% (.EXE) Win32 Executable (generic) (4505/5/1)
2.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c01edecea6ac8ccc (78 x RedLineStealer, 43 x Smoke Loader, 13 x Stop)
Reporter abuse_ch
Tags:exe Stop


Avatar
abuse_ch
Stop C2:
http://116.202.179.139/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://116.202.179.139/1375 https://threatfox.abuse.ch/ioc/848397/

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9a363169fe46bc5220ac931826851029.exe
Verdict:
Malicious activity
Analysis date:
2022-09-08 10:07:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4f719096-754b-403c-9a67-d0204c8e42c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/308706/
Detection(s):
Win.Malware.Azorult-9949206-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Сreating synchronization primitives
Deleting a recently created file
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37046/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6319bde8bdec86ddb45c951e/reports/5fd58a11-eaf9-4f3d-898c-5a26ed4c7f5b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4e05183f-4f24-41fa-ad61-62b80efa23ae
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1067044
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3575aeec9e4e351ba9c03ceff4ace3a4e2bb44c5f8148b680f00d195d8eb97f9/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-09-07 18:41:51 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gv2253e6jy2rxkoahtx7jlhdutrlwrgf7akiw2apadizlwhls74q._file
Verdict:
malicious
Similar samples:
057c0db0601053a63938b908aa39a8e8d064c7cad1939db90d21964d002e58f9
Stop
2bc17ebe903b49885f30864269e50d998ff8fe60a027dbeda54b0600bca35a95
Stop
69c7a76f9ba360e06d4671f90ce06cfc093e4d43db37264041069709e538dea4
Stop
88b518753b964090695996d260e2a46c68b8ef6d92eb75d98af2cb6193987bf6
Stop
c477ac60575519a3cb7c416b2e03827d6e89add5358ca761cb5815fc72d44e43
Stop
e8594d82875103713cf665fdcf18df65009550110bee6835c3087a83c496b9da
Stop
eb04fd8cc7a8426d235b764cd0c999730dd20a5af66f1bbd6d68dd4ba7c2ff69
Stop
f5568dbc0f8640a105c3a7c4243e627fbf8218df12c9f331a38cf11e93f58358
Stop
f926a9e4990913947994d4c217d753f907fbb29d38908e7b80b2fd24ff6f4830
Stop
+ 1'712 additional samples on MalwareBazaar
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu discovery persistence ransomware spyware stealer
Link:
https://tria.ge/reports/220908-l18rbabdgl/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://acacaca.org/test1/get.php
Unpacked files
SH256 hash:
4c8455c23b72388ae002b32ef03ed42740c9256110ff43ee891ddce6efa1a767
MD5 hash:
6ca4041c4ad3cf64702e47cd33f80448
SHA1 hash:
df4b734d159fdab4d8c900b664619a992ead5c39
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/aeb89a4e-a1ad-4271-b3a7-4ceb8dc2d6e9/
SH256 hash:
3575aeec9e4e351ba9c03ceff4ace3a4e2bb44c5f8148b680f00d195d8eb97f9
MD5 hash:
9a363169fe46bc5220ac931826851029
SHA1 hash:
f025ef2214c430f673fcc558f3c6ea75ad39756d
Link:
https://www.unpac.me/results/aeb89a4e-a1ad-4271-b3a7-4ceb8dc2d6e9/
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3575aeec9e4e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3575aeec9e4e351ba9c03ceff4ace3a4e2bb44c5f8148b680f00d195d8eb97f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

Executable exe 3575aeec9e4e351ba9c03ceff4ace3a4e2bb44c5f8148b680f00d195d8eb97f9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2261244/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/308706/

Comments