MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 459f87dce80d42334ec603305dd3625d019a7bf76670096cae08a57eb51bbb68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 459f87dce80d42334ec603305dd3625d019a7bf76670096cae08a57eb51bbb68
SHA3-384 hash: daf27c6b4029a2a07e46d90d1efc9b0f09f6f02eb77b8d1f0ba369b3dfb9f9791e48af548a96a6ba1f72062878280046
SHA1 hash: b9366ae432c626d2eea4262ec5b293f0d8ac4703
MD5 hash: 75c643780f0bb1e066e6614e66ad7e1c
humanhash: beryllium-artist-indigo-ack
File name:75c643780f0bb1e066e6614e66ad7e1c.exe
Download: download sample
Signature Stop
Create hunting rule
File size:812'544 bytes
First seen:2022-09-06 08:53:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 98f4cd42daa1f7c78fcb6be8e5ade55e (1 x RecordBreaker, 1 x Smoke Loader, 1 x Stop)
ssdeep 24576:NRLftbUKW9+Vx35k8DWEsALPsNrMTqdeA8Qce9:NR9WYVx3a8DI0gcqNGe9
Threatray 1'692 similar samples on MalwareBazaar
TLSH T170050210BBA0C034E0B712F0557A82ACB93E3EA19B6154CF63E529EE6B356E4DC71747
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13101/52/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f0d8c8c8e0e4a099 (1 x Stop, 1 x Smoke Loader, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe Stop

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
75c643780f0bb1e066e6614e66ad7e1c.exe
Verdict:
Malicious activity
Analysis date:
2022-09-06 08:57:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5dd72ff5-e067-4623-8597-b0ed9320b5ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/308113/
Detection(s):
Win.Packed.Pwsx-9965190-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/36771/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63170af52021c816b88f94e9/reports/3ad97a10-c71e-48df-a4f4-690b5961225e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dfa40e3a-481e-42ef-a573-672b78de3d18
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1065492
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 698024 Sample: CwIkDnga3P.exe Startdate: 06/09/2022 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for URL or domain 2->58 60 5 other signatures 2->60 8 CwIkDnga3P.exe 2->8         started        11 CwIkDnga3P.exe 2->11         started        13 CwIkDnga3P.exe 2->13         started        15 CwIkDnga3P.exe 2->15         started        process3 signatures4 64 Multi AV Scanner detection for dropped file 8->64 66 Machine Learning detection for dropped file 8->66 68 Injects a PE file into a foreign processes 8->68 17 CwIkDnga3P.exe 19 8->17         started        22 CwIkDnga3P.exe 1 16 11->22         started        24 CwIkDnga3P.exe 12 13->24         started        26 CwIkDnga3P.exe 12 15->26         started        process5 dnsIp6 48 acacaca.org 211.119.84.112, 49744, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 17->48 36 C:\Users\user\...\ChromeSetup.exe.oopu (copy), MS-DOS 17->36 dropped 38 C:\Users\user\Downloads\ChromeSetup.exe, MS-DOS 17->38 dropped 40 C:\Users\user\Desktop\SNIPGPPREP.pdf, data 17->40 dropped 46 5 other malicious files 17->46 dropped 62 Modifies existing user documents (likely ransomware behavior) 17->62 50 api.2ip.ua 162.0.217.254, 443, 49728, 49729 ACPCA Canada 22->50 42 C:\Users\user\AppData\...\CwIkDnga3P.exe, PE32 22->42 dropped 44 C:\Users\...\CwIkDnga3P.exe:Zone.Identifier, ASCII 22->44 dropped 28 CwIkDnga3P.exe 22->28         started        31 icacls.exe 22->31         started        file7 signatures8 process9 signatures10 70 Injects a PE file into a foreign processes 28->70 33 CwIkDnga3P.exe 12 28->33         started        process11 dnsIp12 52 api.2ip.ua 33->52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/459f87dce80d42334ec603305dd3625d019a7bf76670096cae08a57eb51bbb68/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2022-09-06 02:13:52 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iwpypxhibvbdgtwgamyf3u3cluazu67xmzyas3fobcsx5ni3xnua._file
Verdict:
malicious
Similar samples:
0f307e93c8748420970921cd14a83a4a6e01d8cc9b87aa0d978b7277877ccc06
Stop
547804cc69c7d2f281d1ef57f54319adc186d920ba6fa0fb75e82d76bc9493f2
Stop
548fbdc91fdab245ad38f40ab00e08bf15fcec469b0fe9879c0b30c6954d940c
Stop
55043585c15ff65ca4b8df91c0b0f1c883d4cfd40933c6d25c2d9159e2f0757c
Stop
a137ef69c31ccb16b44e956b49a71361b8ad50c06d82b508032239b573677f4d
Stop
bebf3064e366d052d6594d3e23ed074a410a0bee3007545110c2cd10b2954f07
Stop
dc93dc6e3f38d8e8a8961ecb9366572adc01cac682c3649714b94bbd6e8b10c1
Stop
ebe9d795ebe7b5b98a4d4eb27bcdfaee9d9567424a563cc74ffb4fd2fa712744
Stop
f5568dbc0f8640a105c3a7c4243e627fbf8218df12c9f331a38cf11e93f58358
Stop
fae85f9f8092c35c0a2d2057f231f4e4886163679ecbf0fe43c2d232414efa82
Stop
+ 1'682 additional samples on MalwareBazaar
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu discovery persistence ransomware
Link:
https://tria.ge/reports/220906-ktwmqsabd8/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Downloads MZ/PE file
Executes dropped EXE
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://acacaca.org/test1/get.php
Unpacked files
SH256 hash:
85695273b917fdac31f790ee22b084f2d7d24430a7c514e363b7a901cadcfef1
MD5 hash:
6ba4c0e6e6fa4822300c028a09219049
SHA1 hash:
e3fe100fdb3778d7fd7c3cefbdbcaf4aff2bb0a7
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/ac21f9eb-b46e-450d-826c-c78ff80e357e/
Parent samples :
f0c85caaf9a9bc7a346836461a0420bdac364fe06a9ea70af7e03f2aeb8fb061
459f87dce80d42334ec603305dd3625d019a7bf76670096cae08a57eb51bbb68
66c0de6a8d1dcbf550055bafa1ba909a3a0fc48c832b77b27469aa9fa900ce0a
SH256 hash:
459f87dce80d42334ec603305dd3625d019a7bf76670096cae08a57eb51bbb68
MD5 hash:
75c643780f0bb1e066e6614e66ad7e1c
SHA1 hash:
b9366ae432c626d2eea4262ec5b293f0d8ac4703
Link:
https://www.unpac.me/results/ac21f9eb-b46e-450d-826c-c78ff80e357e/
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/459f87dce80d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/459f87dce80d42334ec603305dd3625d019a7bf76670096cae08a57eb51bbb68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

Executable exe 459f87dce80d42334ec603305dd3625d019a7bf76670096cae08a57eb51bbb68

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2261244/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/308113/

Comments