MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55d8c8e92a1efdffdb85ec2276d9c4e215c1a43b077360c20f108e425a5fa437. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Stop
Vendor detections: 14

SHA256 hash: 55d8c8e92a1efdffdb85ec2276d9c4e215c1a43b077360c20f108e425a5fa437
SHA3-384 hash: ff04f9c1e70783ec8c5ad3613a61a417a14d47bd66a96ecdaeed94af7af196374897d24d52fdf585c7cbc9f31187ad8c
SHA1 hash: 2ee830c4f01f58431fc14106e060557df347422f
MD5 hash: 6d2753ee91779da9987ff57fecc766d3
humanhash: nevada-bluebird-nitrogen-finch
File name: 55d8c8e92a1efdffdb85ec2276d9c4e215c1a43b077360c20f108e425a5fa437
Signature: Stop
File size: 840'192 bytes
First seen: 2022-03-28 06:12:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 159dcaa804632f606b007a362cfb6cc5 (3 x Stop, 2 x Smoke Loader, 1 x RedLineStealer)
ssdeep: 24576:4HsmfLOmXypy1Bu+tDHnAqa/lil9qAL4uU:4NOmCpyvu+9HbolcLfU
Threatray: 760 similar samples on MalwareBazaar
TLSH: T1080523133A86D531E4A652747C03C2B169B3B835193CA68F6BC657AD3F202D3DEB474A
dhash icon: 5c59da3ce0c3c850 (12 x Stop, 11 x RedLineStealer, 8 x Smoke Loader)
Reporter: JAMESWT_WT
Tags: exe Stop

Intelligence


File Origin
# of uploads: 1
# of downloads: 197
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Creating synchronization primitives
Deleting a recently created file
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: STOP Ransomware
Verdict: Malicious
Result
Threat name: Djvu Vidar
Detection: malicious
Classification: rans.spre.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 598003, sample 1Vv1mQvjZt, start date 28/03/2022, architecture WINDOWS, score 100. The graph image is not reproduced here; the nodes recoverable from the page are listed below.
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 10 other signatures.
Process tree:
1Vv1mQvjZt.exe (four instances started from the sample)
  Signatures on the first instance: Contains functionality to inject code into remote processes; Writes many files with high entropy; Injects a PE file into a foreign processes
  1Vv1mQvjZt.exe (child of the first instance)
    Network: api.2ip.ua 162.0.218.244, ports 443, 49758, 49759, ACPCA Canada
    Dropped: C:\Users\...\1Vv1mQvjZt.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\1Vv1mQvjZt.exe (MS-DOS)
    Started: icacls.exe; 1Vv1mQvjZt.exe
      1Vv1mQvjZt.exe
        Signature: Injects a PE file into a foreign processes
        1Vv1mQvjZt.exe
          Network: zerit.top 31.166.126.91, ports 49761, 80, MOBILY-ASEtihadEtisalatCompanyMobilySA Saudi Arabia; fuyt.org 151.251.30.69, ports 49760, 49762, 80, IBGCBG Bulgaria; api.2ip.ua
          Dropped: C:\Users\user\AppData\Local\...\build2[1].exe (PE32); C:\_readme.txt (ASCII); C:\Users\...\SmartScreenCache.dat.wdlo (copy) (data); 36 other files (34 malicious)
          Signatures: Infects executable files (exe, dll, sys, html); Modifies existing user documents (likely ransomware behavior)
          build2.exe
            Signature: Writes many files with high entropy
            build2.exe
              Network: 5.252.21.17, ports 49771, 80, FIRSTDC-ASRU Russian Federation
              Dropped: d06ed635-68f6-4e9a...57b9a2251850877.zip (Zip); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\msvcp140[1].dll (PE32); 10 other files (none is malicious)
              Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
              cmd.exe
                Started: conhost.exe; taskkill.exe; timeout.exe
  1Vv1mQvjZt.exe (child of the second instance)
    Dropped: C:\Users\user\Desktop\...IVQSAOTAQ.png (data)
    Signature: Modifies existing user documents (likely ransomware behavior)
  1Vv1mQvjZt.exe (child of the third instance)
  1Vv1mQvjZt.exe (child of the fourth instance)
Threat name: Win32.Trojan.Raccrypt
Status: Malicious
First seen: 2022-03-28 04:16:01 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:djvu ransomware
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction: http://fuyt.org/test1/get.php
Unpacked files
SHA256 hash: af6b33f859593dcb716c81b1416e52ad8cdf8e7a36662893ac3be277f9805430
MD5 hash: 5262fd9d36dba4cbc654a7331d3f684d
SHA1 hash: 666f465de6a152f2e005d00d6fcc937c89ec0af1
Detections: win_stop_auto
Parent samples:
SHA256 hash: 55d8c8e92a1efdffdb85ec2276d9c4e215c1a43b077360c20f108e425a5fa437
MD5 hash: 6d2753ee91779da9987ff57fecc766d3
SHA1 hash: 2ee830c4f01f58431fc14106e060557df347422f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_STOP
Author: ditekSHen
Description: Detects STOP ransomware
Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: win_stop_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.stop.
Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: Stop
File: Executable exe 55d8c8e92a1efdffdb85ec2276d9c4e215c1a43b077360c20f108e425a5fa437 (this sample)
Delivery method: Distributed via web download