MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43c3d524f132423d0dde8c50ab358fac413c68221b1bb733bbfe1f4ef6a4e759. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43c3d524f132423d0dde8c50ab358fac413c68221b1bb733bbfe1f4ef6a4e759
SHA3-384 hash: f898642ed018de0a43fef8f77ae3e485b5f66e375719bb1397bf5369d6958592ac66eec495d48212d9623cec64724fc5
SHA1 hash: 247fca99c72758a2779412a58270ad54dad7afe3
MD5 hash: 2887c0f490d38170e31cfd01eb4d0dc9
humanhash: sodium-potato-princess-wisconsin
File name:2887c0f490d38170e31cfd01eb4d0dc9.exe
Download: download sample
Signature Stop
Create hunting rule
File size:858'624 bytes
First seen:2021-05-22 18:35:39 UTC
Last seen:2021-05-22 19:01:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a7f08b08e9bc297d39a90ef1d588aa8f (2 x RaccoonStealer, 1 x Stop)
ssdeep 24576:6Qs64UrCX8NHjGXkmE8UtGAOdxf15vuldzCyqBeXsL:uMCX8NHdXTOdxd8TKeX
Threatray 110 similar samples on MalwareBazaar
TLSH 4805F121A7A1C034E1FF12F49AB59279653A7DE1677818FF22C23AE926341E09D3075F
Reporter abuse_ch
Tags:exe Stop


Avatar
abuse_ch
Stop C2:
http://45.67.231.132/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.67.231.132/ https://threatfox.abuse.ch/ioc/57108/

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2887c0f490d38170e31cfd01eb4d0dc9.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-22 18:46:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7e5e89e9-2a29-4ea0-8b01-2b6933d7e846

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Troj.Androm-TY.32658.289.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
DNS request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Sending an HTTP GET request
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.spre.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/788818
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Mutes Antivirus updates and installments via hosts file black listing
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes many files with high entropy
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 421214 Sample: 40GOxNu23P.exe Startdate: 22/05/2021 Architecture: WINDOWS Score: 100 96 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->96 98 Multi AV Scanner detection for domain / URL 2->98 100 Antivirus detection for URL or domain 2->100 102 5 other signatures 2->102 12 40GOxNu23P.exe 2->12         started        15 40GOxNu23P.exe 2->15         started        17 40GOxNu23P.exe 2->17         started        19 40GOxNu23P.exe 2->19         started        process3 signatures4 120 Detected unpacking (changes PE section rights) 12->120 122 Detected unpacking (overwrites its own PE header) 12->122 124 Contains functionality to inject code into remote processes 12->124 126 Writes many files with high entropy 12->126 21 40GOxNu23P.exe 1 16 12->21         started        128 Injects a PE file into a foreign processes 15->128 25 40GOxNu23P.exe 15->25         started        27 40GOxNu23P.exe 12 17->27         started        29 40GOxNu23P.exe 19->29         started        process5 dnsIp6 90 api.2ip.ua 77.123.139.190, 443, 49700, 49703 VOLIA-ASUA Ukraine 21->90 70 C:\Users\user\AppData\...\40GOxNu23P.exe, PE32 21->70 dropped 72 C:\Users\...\40GOxNu23P.exe:Zone.Identifier, ASCII 21->72 dropped 31 40GOxNu23P.exe 21->31         started        34 icacls.exe 21->34         started        file7 process8 signatures9 130 Injects a PE file into a foreign processes 31->130 36 40GOxNu23P.exe 1 26 31->36         started        process10 dnsIp11 84 asvb.top 35.235.74.220, 49704, 49705, 49706 GOOGLEUS United States 36->84 86 192.168.2.1 unknown unknown 36->86 88 api.2ip.ua 36->88 62 C:\Users\user\AppData\...\updatewin2.exe, PE32 36->62 dropped 64 C:\Users\user\AppData\...\updatewin1.exe, PE32 36->64 dropped 66 C:\Users\user\AppData\Local\...\5.exe, PE32 36->66 dropped 68 240 other files (226 malicious) 36->68 dropped 104 Infects executable files (exe, dll, sys, html) 36->104 106 Modifies existing user documents (likely ransomware behavior) 36->106 41 5.exe 36->41         started        46 updatewin2.exe 36->46         started        48 updatewin1.exe 2 36->48         started        file12 signatures13 process14 dnsIp15 92 45.67.231.132, 49713, 80 SERVERIUS-ASNL Moldova Republic of 41->92 94 tttttt.me 95.216.186.40, 443, 49712 HETZNER-ASDE Germany 41->94 74 C:\Users\user\AppData\...\pY4zE3fX7h.zip, Zip 41->74 dropped 76 C:\Users\user\AppData\...\1YJkjgTpnLU.zip, Zip 41->76 dropped 78 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 41->78 dropped 82 58 other files (none is malicious) 41->82 dropped 108 Tries to steal Mail credentials (via file access) 41->108 110 Tries to harvest and steal browser information (history, passwords, etc) 41->110 112 Writes many files with high entropy 41->112 50 cmd.exe 41->50         started        80 C:\Windows\System32\drivers\etc\hosts, ASCII 46->80 dropped 114 Detected unpacking (overwrites its own PE header) 46->114 116 Mutes Antivirus updates and installments via hosts file black listing 46->116 118 Modifies the hosts file 46->118 52 updatewin1.exe 48->52         started        file16 signatures17 process18 process19 54 conhost.exe 50->54         started        56 timeout.exe 50->56         started        58 powershell.exe 52->58         started        process20 60 conhost.exe 58->60         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43c3d524f132423d0dde8c50ab358fac413c68221b1bb733bbfe1f4ef6a4e759/
Threat name:
Win32.Trojan.Hynamer
Create hunting rule
Status:
Malicious
First seen:
2021-05-22 17:15:04 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ipb5kjhrgjbd2do6rrikwnmpvraty2bcdmn3om537ypu55ve45mq._file
Verdict:
malicious
Similar samples:
06db31be7914d281c35acd803c526fc82e474aa2dc340806b76ee4ab0be240bd
Stop
101648667ad547177c6a6bfd210af66397cd0a7e0ec3e4b2b98ecfe5963a293c
Stop
496b5885ff8f521c91ca037338e188ea0374bf86816d0c804d3010fd2f5fec38
Stop
4fc4936de4eb693ec57ae17e722c1c68e46afbc0c82f3c45d254c39571008f8b
Stop
75c3a83073d9b15d4f47308b5d688f1ec07422419e3bd54e78f6ef8683d42e5c
Stop
924c25e503792d12b9c161919878e29f47c1acce08cc4c03976bbc0e60ce181e
Stop
9feb26b9550dbf46719374757468d95b6882c00fd3ca65a02e9edf2854e900a9
Stop
aa8c5d42026ac9a483f1984f762441d7f5805ef914819b473f9e15353995cc99
Stop
e8bcd430d48c430ced6992340cbce21ffc1a4d8cc60e6255b76870d33a5ea6b9
Stop
f0cda71528dfdf5b3fbc8af58a61aef5f9d6432c0359ab8d9df62209e6ce6d01
Stop
+ 100 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:1d76a465540f6a904ac9f1310fe3a3824b5b4549 discovery evasion persistence spyware stealer
Link:
https://tria.ge/reports/210522-13walqja96/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Deletes Windows Defender Definitions
Raccoon
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Glupteba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43c3d524f132423d0dde8c50ab358fac413c68221b1bb733bbfe1f4ef6a4e759

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

Executable exe 43c3d524f132423d0dde8c50ab358fac413c68221b1bb733bbfe1f4ef6a4e759

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1256494/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-22 19:01:52 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0047] File System Micro-objective::Delete File
4) [C0049] File System Micro-objective::Get File Attributes
5) [C0051] File System Micro-objective::Read File
6) [C0052] File System Micro-objective::Writes File
7) [C0033] Operating System Micro-objective::Console
8) [C0040] Process Micro-objective::Allocate Thread Local Storage
9) [C0043] Process Micro-objective::Check Mutex
10) [C0041] Process Micro-objective::Set Thread Local Storage Value
11) [C0018] Process Micro-objective::Terminate Process
12) [C0039] Process Micro-objective::Terminate Thread