MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f1596b4ebd177ec46e57ea0e6d208f32c1ebb93b448a4b5318cc116293d1e71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 19


Intelligence 19 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f1596b4ebd177ec46e57ea0e6d208f32c1ebb93b448a4b5318cc116293d1e71
SHA3-384 hash: bdb89bd283e73dc5d141ba68541d458e859b63524b3977b9258efc8b832184939b93dd5ef7f9c7997c349c8fe605de16
SHA1 hash: f0fb600a2b9428b2dd33fd8a7d781f4f59423241
MD5 hash: 42fe928b06e704ec51f6d9e679a4b2e4
humanhash: oven-potato-winter-bakerloo
File name:3f1596b4ebd177ec46e57ea0e6d208f32c1ebb93b448a4b5318cc116293d1e71.exe
Download: download sample
Signature Stop
Create hunting rule
File size:829'952 bytes
First seen:2025-01-01 21:01:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f937f2af706dbcbf43ed87b459c473ae (2 x Stop, 1 x Loki, 1 x Smoke Loader)
ssdeep 12288:x/4LAaAmpqSAQjWW6OCEVRxpHsSCfCP31pQlGYtQAN3WdYB89XoU2VwwZGEX8cAF:BpaYW5fRxpHs743vQ0xAnB8992VVsEv
Threatray 843 similar samples on MalwareBazaar
TLSH T172050133B1B0CA37DA6509318839D6B06529B85DDA30F56773F5AF2F2D712884AE131D
TrID 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon fcfcb4f4d4d4d8c0 (19 x RedLineStealer, 16 x RaccoonStealer, 14 x Smoke Loader)
Reporter Chainskilabs
Tags:exe Stop

Intelligence

File Origin
# of uploads :
1
# of downloads :
431
Origin country :
US US
Vendor Threat Intelligence
Malware family:
stop
Create hunting rule
ID:
1
File name:
3f1596b4ebd177ec46e57ea0e6d208f32c1ebb93b448a4b5318cc116293d1e71.exe
Verdict:
Malicious activity
Analysis date:
2025-01-01 21:04:48 UTC
Tags:
evasion ransomware stop djvu xor-url generic
Link:
https://app.any.run/tasks/77829dc5-0a22-42a7-83b8-0d5e6adf273c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Generic-9903366-0
Create hunting rule

Win.Trojan.Generic-9903727-0
Create hunting rule

Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6775ad4c74a2bd296e250392
Tags:
phishing dridex
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Sending a TCP request to an infection source
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Сreating synchronization primitives
Searching for synchronization primitives
Deleting a recently created file
Query of malicious DNS domain
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/6775ad4be38b4c3562b787c1/reports/ec628f50-5136-4064-a973-13991de5389a/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/3f1596b4ebd177ec46e57ea0e6d208f32c1ebb93b448a4b5318cc116293d1e71
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf986c1e-f014-48e5-a522-caba719542e7
Result
Threat name:
Babuk, Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1583095
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1583095 Sample: 16oApcahEa.exe Startdate: 01/01/2025 Architecture: WINDOWS Score: 100 52 rlrz.org 2->52 54 znpst.top 2->54 56 2 other IPs or domains 2->56 60 Suricata IDS alerts for network traffic 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 8 other signatures 2->66 9 16oApcahEa.exe 2->9         started        12 16oApcahEa.exe 2->12         started        14 16oApcahEa.exe 2->14         started        16 16oApcahEa.exe 2->16         started        signatures3 process4 signatures5 74 Detected unpacking (changes PE section rights) 9->74 76 Detected unpacking (overwrites its own PE header) 9->76 78 Writes a notice file (html or txt) to demand a ransom 9->78 88 2 other signatures 9->88 18 16oApcahEa.exe 1 17 9->18         started        80 Antivirus detection for dropped file 12->80 82 Multi AV Scanner detection for dropped file 12->82 84 Machine Learning detection for dropped file 12->84 22 16oApcahEa.exe 12->22         started        86 Injects a PE file into a foreign processes 14->86 24 16oApcahEa.exe 14->24         started        26 16oApcahEa.exe 16->26         started        process6 dnsIp7 58 api.2ip.ua 104.21.32.1, 443, 49704, 49705 CLOUDFLARENETUS United States 18->58 46 C:\Users\user\AppData\...\16oApcahEa.exe, PE32 18->46 dropped 48 C:\Users\...\16oApcahEa.exe:Zone.Identifier, ASCII 18->48 dropped 28 16oApcahEa.exe 18->28         started        31 icacls.exe 18->31         started        file8 process9 signatures10 90 Injects a PE file into a foreign processes 28->90 33 16oApcahEa.exe 1 20 28->33         started        process11 dnsIp12 50 znpst.top 92.246.89.93, 49706, 80 LIVECOMM-ASRespublikanskayastr3k6RU Russian Federation 33->50 38 C:\_readme.txt, ASCII 33->38 dropped 40 C:\Users\...\DefaultLayouts.xml.irjg (copy), data 33->40 dropped 42 ExplorerStartupLog...nce.etl.irjg (copy), data 33->42 dropped 44 107 other malicious files 33->44 dropped 68 Tries to harvest and steal browser information (history, passwords, etc) 33->68 70 Infects executable files (exe, dll, sys, html) 33->70 72 Modifies existing user documents (likely ransomware behavior) 33->72 file13 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3f1596b4ebd177ec46e57ea0e6d208f32c1ebb93b448a4b5318cc116293d1e71
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f1596b4ebd177ec46e57ea0e6d208f32c1ebb93b448a4b5318cc116293d1e71/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-19 05:57:42 UTC
File Type:
PE (Exe)
Extracted files:
85
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h4kznnhl2f36yrxfp2qonuqi6mwb5o4twrekjnjrrtarmkj5dzyq._file
Verdict:
malicious
Label(s):
stopransomware
Create hunting rule
Similar samples:
44bab40d0ba2224516ff0258b70b04529dee4ff397d0380131725fc19e347cff
Stop
4baef09afa940e86cdb9651c83bb40b87674e507e5c4e697cd00997b4caed201
Stop
5651c726a433d942eb9cdbe74c6631178fa3e243e0953e0a55f54f1752e05682
Stop
5aeeb53a492389bfaaa1a2d15b98324c159ded6cd2e55dd67efb3eba6e4ee270
Stop
9afa91c839d958185548eccf40690eb7db7859a852ac06f3870a6165c287d6ba
Stop
adc2c80f4a9f969a641f2674c94bd576420b34d338b12ba5b4cab09e6c51a466
Stop
e7884968f8cdd98fc26fd218c60024dac348ed12eac668021b6e18e785821b57
Stop
+ 833 additional samples on MalwareBazaar
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu discovery persistence ransomware
Link:
https://tria.ge/reports/250101-zvfegatqaz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Modifies file permissions
Detected Djvu ransomware
Djvu Ransomware
Djvu family
Malware Config
C2 Extraction:
http://rlrz.org/fhsgtsspen6/get.php
Verdict:
Malicious
Tags:
ip_address_lookup_website Win.Trojan.Generic-9903366-0
YARA:
n/a
Link:
https://app.threat.zone/submission/82104868-d8d2-4171-815f-d9d6c716d9f9
Unpacked files
SH256 hash:
d3eb4e4bc1c9e42583f64f3918a95545cca2f59d0c66f05736353b817cd2eece
MD5 hash:
1130269cb19cf0ecdc2ca1018fdd4bbf
SHA1 hash:
adfcb3c426cd69a5d4ddf88f392395add55967e6
Detections:
djvu_ransomware
Create hunting rule
win_stop_auto
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
MALWARE_Win_STOP
Create hunting rule
Link:
https://www.unpac.me/results/b438347d-0377-4f7e-9fd9-66a87050149b/
Parent samples :
6aae67d87cd2ef23c4b9265c8e83db5142f00154e66e47b1e54219cea794682b
3f1596b4ebd177ec46e57ea0e6d208f32c1ebb93b448a4b5318cc116293d1e71
SH256 hash:
3f1596b4ebd177ec46e57ea0e6d208f32c1ebb93b448a4b5318cc116293d1e71
MD5 hash:
42fe928b06e704ec51f6d9e679a4b2e4
SHA1 hash:
f0fb600a2b9428b2dd33fd8a7d781f4f59423241
Link:
https://www.unpac.me/results/b438347d-0377-4f7e-9fd9-66a87050149b/
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3f1596b4ebd1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f1596b4ebd177ec46e57ea0e6d208f32c1ebb93b448a4b5318cc116293d1e71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_david_CSC846
Create hunting rule
Author:David
Description:CSC-846 Golang
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindNextVolumeW
KERNEL32.dll::FindNextVolumeA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_HTTP_APIUses HTTP servicesWINHTTP.dll::WinHttpSetOption

Comments