MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4642c5bc794aed8a3c6280bb9565a346588e4e35f054332553bc581b2cb5d489. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stop

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 7 File information Comments

SHA256 hash:	4642c5bc794aed8a3c6280bb9565a346588e4e35f054332553bc581b2cb5d489
SHA3-384 hash:	cb303fa87df45dda30ce9988061d0948adaa9a453984457b2e521b3de5c2eaca2b54950788d1ea26035484ba3424ed5c
SHA1 hash:	e590b314e4e0dc98d4e691f43af84e390cb5993f
MD5 hash:	3063e803297785cc396e7342e401100f
humanhash:	cold-kentucky-carbon-item
File name:	3063e803297785cc396e7342e401100f.exe
Download:	download sample
Signature	Stop Create hunting rule
File size:	679'936 bytes
First seen:	2022-10-03 15:43:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2d5ec24fb9d2ee4cf8208f9e16125d4f (5 x Smoke Loader, 3 x GCleaner, 3 x ArkeiStealer)
ssdeep	12288:qIDKtULYbQyZKghunEJCFZ5lVJZ0LYXpOwt92f0xkONQm6SkIRq0/FZbz234nY:qXWCQy3u/RZyQpN0zEQ3RIRq07+3d
TLSH	T186E422E632C0C477D66655B228A49950B9EFAB134731C78A7BD80A6C4F712C36E3931B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9a9acafecee6eaee (53 x Smoke Loader, 24 x Amadey, 14 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe Stop

abuse_ch

Stop C2:
http://23.88.115.141/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://23.88.115.141/	https://threatfox.abuse.ch/ioc/866186/

Intelligence

File Origin

# of uploads :

# of downloads :

307

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/316163/

Detection(s):

Win.Packed.Dropperx-9973281-0

Win.Packed.Dropperx-9973291-0

Win.Packed.Crypterx-9973294-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching a process

Creating a process with a hidden window

Adding an access-denied ACE

Сreating synchronization primitives

Deleting a recently created file

DNS request

Sending an HTTP GET request

Searching for synchronization primitives

Query of malicious DNS domain

Sending a TCP request to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Sending an HTTP GET request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/633b0342d5955f6f49d5d126/reports/bbbc1231-8ba3-461f-bb72-017e66b31570/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8ddbde55-2163-47f2-9ea3-74e2b4b27bc5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4642c5bc794aed8a3c6280bb9565a346588e4e35f054332553bc581b2cb5d489/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-10-03 15:44:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=izbmlpdzjlwyupdcqc5zkzndizmi4trv6bkdgjktxrmbwlfv2seq._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:djvu family:vidar botnet:517 discovery persistence ransomware spyware stealer

Link:

https://tria.ge/reports/221003-s6f2tadch2/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Checks computer location settings

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Detected Djvu ransomware

Djvu Ransomware

Vidar

Malware Config

C2 Extraction:

http://winnlinne.com/test1/get.php
https://t.me/larsenup
https://ioc.exchange/@zebra54

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/359b0873-7db1-4921-acc0-8a0cee21788f

Unpacked files

SH256 hash:

1d18b56af68dc83bd5fe61d057f69312082bef894386508cd0f64be3dc3b6e9a

MD5 hash:

3154e4e1340503915350e6a9f1b814a1

SHA1 hash:

1e7db3c7e9bb20dd4972d2da804a3e6936b7f0ad

Detections:

win_stop_auto

Link:

https://www.unpac.me/results/e6fd7560-b338-491b-b478-aed2b989bcb2/

Parent samples :

e9265a7c39599d92c7e8a44fc5004cb90b4a5d6828091b0a2835b944c24efad0
4642c5bc794aed8a3c6280bb9565a346588e4e35f054332553bc581b2cb5d489

SH256 hash:

4642c5bc794aed8a3c6280bb9565a346588e4e35f054332553bc581b2cb5d489

MD5 hash:

3063e803297785cc396e7342e401100f

SHA1 hash:

e590b314e4e0dc98d4e691f43af84e390cb5993f

Link:

https://www.unpac.me/results/e6fd7560-b338-491b-b478-aed2b989bcb2/

Malware family:

Djvu

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4642c5bc794a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4642c5bc794aed8a3c6280bb9565a346588e4e35f054332553bc581b2cb5d489

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_STOP Create hunting rule
Author:	ditekSHen
Description:	Detects STOP ransomware

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	RansomwareTest8 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	win_stop_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.stop.

Rule name:	win_vidar_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

exe 4642c5bc794aed8a3c6280bb9565a346588e4e35f054332553bc581b2cb5d489

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2261244/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/316163/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample