MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47dc60477bc9c5c8c3bd3cca454cec1121c2dac80c07ef460fe80b43d8fd38a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47dc60477bc9c5c8c3bd3cca454cec1121c2dac80c07ef460fe80b43d8fd38a2
SHA3-384 hash: c5cb653e19499f4106c11ada57cc967e12e522b02944f7f5627bcac7ea89e2f6cf9b8609d3d691defb1b24ed897063d4
SHA1 hash: a1840a0a0b614318f7c89bf96ba41375efefd99f
MD5 hash: 1efd23164dc23febe2ca4bad166594ce
humanhash: alaska-london-georgia-bacon
File name:47dc60477bc9c5c8c3bd3cca454cec1121c2dac80c07ef460fe80b43d8fd38a2
Download: download sample
Signature Stop
Create hunting rule
File size:786'944 bytes
First seen:2022-04-06 12:08:47 UTC
Last seen:2022-04-06 13:00:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0eee5b00eee30e3f45148ced95e2478e (4 x Stop, 2 x N-W0rm)
ssdeep 12288:RnjuIIceN5t8pg8v8Oe//AZXUJK4XN3tC9iMExiTWfgvcGcpqioZnF4Ni:Rax5t08///gUJrN3o9FExiqfwv6qioj
Threatray 1'225 similar samples on MalwareBazaar
TLSH T156F40200BB90C039F5B716F449BAD365BA3EB9B19B2494CB62D916ED0734AD0EC7131B
File icon (PE):PE icon
dhash icon badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter JAMESWT_WT
Tags:exe Stop

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
stop
Create hunting rule
ID:
1
File name:
43D8.exe
Verdict:
Malicious activity
Analysis date:
2022-04-05 03:28:42 UTC
Tags:
trojan ransomware stop loader stealer vidar
Link:
https://app.any.run/tasks/9f7971e8-eb37-4a46-bd32-7b2933dad0e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/261242/
Detection(s):
Win.Dropper.Tofsee-9942707-0
Create hunting rule

Win.Dropper.LokiBot-9942830-0
Create hunting rule

Win.Packed.Pwsx-9943145-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12825/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/624d82ec40ce5db9f41aad36/reports/91435d0a-7264-4401-9a94-978e8816cac6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92e98dfa-0542-4417-9b19-37c8914ca202
Result
Threat name:
Djvu Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/971449
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 603943 Sample: KE8AR0Nd19 Startdate: 06/04/2022 Architecture: WINDOWS Score: 100 89 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->89 91 Multi AV Scanner detection for domain / URL 2->91 93 Malicious sample detected (through community Yara rule) 2->93 95 10 other signatures 2->95 12 KE8AR0Nd19.exe 2->12         started        15 KE8AR0Nd19.exe 2->15         started        17 KE8AR0Nd19.exe 2->17         started        19 KE8AR0Nd19.exe 2->19         started        process3 signatures4 103 Contains functionality to inject code into remote processes 12->103 105 Writes many files with high entropy 12->105 107 Injects a PE file into a foreign processes 12->107 21 KE8AR0Nd19.exe 1 16 12->21         started        25 KE8AR0Nd19.exe 12 15->25         started        27 KE8AR0Nd19.exe 12 17->27         started        29 KE8AR0Nd19.exe 19->29         started        process5 dnsIp6 83 api.2ip.ua 162.0.217.254, 443, 49771, 49772 ACPCA Canada 21->83 65 C:\Users\...\KE8AR0Nd19.exe:Zone.Identifier, ASCII 21->65 dropped 67 C:\Users\user\AppData\...\KE8AR0Nd19.exe, MS-DOS 21->67 dropped 31 KE8AR0Nd19.exe 21->31         started        34 icacls.exe 21->34         started        file7 process8 signatures9 117 Injects a PE file into a foreign processes 31->117 36 KE8AR0Nd19.exe 1 22 31->36         started        process10 dnsIp11 77 fuyt.org 115.88.24.202, 49774, 49779, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 36->77 79 zerit.top 118.33.109.122, 49773, 80 KIXS-AS-KRKoreaTelecomKR Korea Republic of 36->79 81 api.2ip.ua 36->81 57 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 36->57 dropped 59 C:\_readme.txt, ASCII 36->59 dropped 61 C:\Users\...\SmartScreenCache.dat.uyjh (copy), data 36->61 dropped 63 30 other files (25 malicious) 36->63 dropped 97 Modifies existing user documents (likely ransomware behavior) 36->97 41 build2.exe 36->41         started        file12 signatures13 process14 signatures15 99 Writes many files with high entropy 41->99 101 Injects a PE file into a foreign processes 41->101 44 build2.exe 41->44         started        process16 dnsIp17 85 78.47.227.68, 49783, 80 HETZNER-ASDE Germany 44->85 87 t.me 149.154.167.99, 443, 49781 TELEGRAMRU United Kingdom 44->87 69 d06ed635-68f6-4e9a...57b9a3632918649.zip, Zip 44->69 dropped 71 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 44->71 dropped 73 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 44->73 dropped 75 10 other files (none is malicious) 44->75 dropped 109 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 44->109 111 Tries to steal Mail credentials (via file / registry access) 44->111 113 Tries to harvest and steal browser information (history, passwords, etc) 44->113 115 Tries to steal Crypto Currency Wallets 44->115 49 cmd.exe 44->49         started        file18 signatures19 process20 process21 51 conhost.exe 49->51         started        53 taskkill.exe 49->53         started        55 timeout.exe 49->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47dc60477bc9c5c8c3bd3cca454cec1121c2dac80c07ef460fe80b43d8fd38a2/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2022-04-06 00:57:25 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
31 of 42 (73.81%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
104fae3c4dcf6339429a9242d76cec45644e5b2e072fdfa0d5f477c7ec7ebcfb
Stop
2c412f6d77eb570bb74f1c52c08fb7cfe33d14a99179a1815d6702ae076b099c
Stop
5a1fb27924ab99541f08d3a46321b88fa4ce52a2346ebd92dc8da423c907cde3
Stop
5bfb7408eced7cf5790acefb708fc0be56d126e81364992347fd005f12542372
Stop
63d7b37217bad05463192bd2f5e39a4ac23ff21c52cd27bf541780d29cf77c7f
Stop
86952bc63598b98d3695e09a6482b4af5edd4c596e5a6c2a2b84ca7f0d0cfa3f
Stop
886a9594355a0fce24f001f602bc6cae7bf2df2deeef18698cfe773e3c926f61
Stop
ad6a09d69bd7b57c329336a6ea486acd2c7c275e2a6a9703d95a93fd5fc0070b
Stop
ca42866c2af069fe5e9ed19c79e8b4ccd960cc5384e2e557f741e9ecc57726ab
Stop
ccaaa623e3091c4183a5550b58df11c9492b451b0e602c7e4fd3fd49c95645c8
Stop
+ 1'215 additional samples on MalwareBazaar
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu ransomware
Link:
https://tria.ge/reports/220406-pbfwsacch6/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://fuyt.org/fhsgtsspen6/get.php
Unpacked files
SH256 hash:
3ed7ccef709627940ce7fd89d7e8a9ed99b2160a511b50b115c60f4c8a9dd9f7
MD5 hash:
4477c0e80bdd6d0557363be8c9a1727f
SHA1 hash:
7843f0981fafeed985f0a60b1d691d0183eed874
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/bc39494d-61aa-4fc7-a9b3-5e6f75802d09/
Parent samples :
5bfb7408eced7cf5790acefb708fc0be56d126e81364992347fd005f12542372
47dc60477bc9c5c8c3bd3cca454cec1121c2dac80c07ef460fe80b43d8fd38a2
b093323a99e89532c9d7891641f8c1c9fefd56f1270748ebeb88f29506b67e58
047cbc1661b949c6a55601cfb4752b7e18583f4d57e2bd190c18ca1d0f33e019
SH256 hash:
47dc60477bc9c5c8c3bd3cca454cec1121c2dac80c07ef460fe80b43d8fd38a2
MD5 hash:
1efd23164dc23febe2ca4bad166594ce
SHA1 hash:
a1840a0a0b614318f7c89bf96ba41375efefd99f
Link:
https://www.unpac.me/results/bc39494d-61aa-4fc7-a9b3-5e6f75802d09/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/47dc60477bc9c5c8c3bd3cca454cec1121c2dac80c07ef460fe80b43d8fd38a2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/261242/

Comments