MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 595a5d21b386ba8e30b567cbe575b24ed104ee589037a48aa2d277452ba0b6a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 12


Intelligence 12 IOCs 3 YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 595a5d21b386ba8e30b567cbe575b24ed104ee589037a48aa2d277452ba0b6a6
SHA3-384 hash: e685f4625a9103e91775420ad4f1c6e18a2d764c0463515b11e4aafb22234b3cc9cf83d6552c79feae863965ded36637
SHA1 hash: 6dd0ebfb6692ff48101744cbbcf78183ead269f7
MD5 hash: 505d564e02b600967f65ce37d79b80e1
humanhash: low-finch-vegan-tango
File name:505d564e02b600967f65ce37d79b80e1.exe
Download: download sample
Signature Stop
Create hunting rule
File size:213'401 bytes
First seen:2022-06-18 19:15:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash acdcb3eeeb627a85bc10fa3bf256b492 (1 x Smoke Loader, 1 x PrivateLoader, 1 x Stop)
ssdeep 3072:JDk4lsjQ41pj8rH4Zm+7T1pTF7HxcUfhVg+HgjTJSubWP9CdOISnzGG0L:jIQEA7AJDT9xXvHcTj0qN
TLSH T151245B24B181F47AE4A30035E4EA83F4996D69306BA448FFE7D44F2B5B352D2D631B27
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 00cce8f0d0e871b2 (3 x Stop, 1 x Smoke Loader, 1 x TeamBot)
Reporter abuse_ch
Tags:exe Stop


Avatar
abuse_ch
Stop C2:
94.140.112.166:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.140.112.166:80 https://threatfox.abuse.ch/ioc/716127/
http://abababa.org/test3/get.php https://threatfox.abuse.ch/ioc/716130/
176.124.201.194:42409 https://threatfox.abuse.ch/ioc/716131/

Intelligence

File Origin
# of uploads :
1
# of downloads :
403
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/281199/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.33366.16957.10927.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Creating a file
Reading critical registry keys
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a window
Launching a process
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/21891/overview
Behaviour
MalwareBazaar
MeasuringTime
CallSleep
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay shell32.dll strictor
Link:
https://www.filescan.io/uploads/62ae24b0473553ed319e9fdc/reports/03273029-250f-4b4a-834b-f6539e602b8d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/65c44dad-e230-4f05-8b5b-df9c82c13233
Result
Threat name:
CryptOne, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1015764
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 648260 Sample: o1dXxyQmEx.exe Startdate: 18/06/2022 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic 2->58 60 Multi AV Scanner detection for domain / URL 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 13 other signatures 2->64 8 o1dXxyQmEx.exe 4 20 2->8         started        13 acgvahf 2->13         started        process3 dnsIp4 50 85.202.169.116, 49741, 49752, 49768 GUDAEV-ASRU Netherlands 8->50 52 212.193.30.45, 49740, 80 SPD-NETTR Russian Federation 8->52 54 5 other IPs or domains 8->54 40 C:\Users\...\Amz15ddWiklaUAA2p74mItLA.exe, PE32+ 8->40 dropped 42 C:\Users\...\2oFExJOM2jgXQ643wHNixwrk.exe, PE32 8->42 dropped 44 C:\Users\user\...44iceProcessX64[1].bmp, PE32+ 8->44 dropped 46 C:\Users\user\AppData\...\searchApp[1].exe, PE32 8->46 dropped 74 May check the online IP address of the machine 8->74 76 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 8->76 78 Disable Windows Defender real time protection (registry) 8->78 15 2oFExJOM2jgXQ643wHNixwrk.exe 8->15         started        18 Amz15ddWiklaUAA2p74mItLA.exe 1 8->18         started        80 Detected unpacking (changes PE section rights) 13->80 82 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 13->82 84 Maps a DLL or memory area into another process 13->84 86 2 other signatures 13->86 file5 signatures6 process7 file8 96 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->96 98 Maps a DLL or memory area into another process 15->98 100 Checks if the current machine is a virtual machine (disk enumeration) 15->100 102 Creates a thread in another existing process (thread injection) 15->102 21 explorer.exe 2 15->21 injected 36 C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll, PE32+ 18->36 dropped signatures9 process10 dnsIp11 48 mariton.ws 141.8.199.157, 443, 49819, 49827 SPRINTHOSTRU Russian Federation 21->48 38 C:\Users\user\AppData\Roaming\acgvahf, PE32 21->38 dropped 66 Benign windows process drops PE files 21->66 68 Injects code into the Windows Explorer (explorer.exe) 21->68 70 Writes to foreign memory regions 21->70 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->72 26 explorer.exe 6 21->26         started        30 explorer.exe 21->30         started        32 explorer.exe 21->32         started        34 5 other processes 21->34 file12 signatures13 process14 dnsIp15 56 mariton.ws 26->56 88 System process connects to network (likely due to code injection or exploit) 26->88 90 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->90 92 Tries to steal Mail credentials (via file / registry access) 26->92 94 Tries to harvest and steal browser information (history, passwords, etc) 26->94 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/595a5d21b386ba8e30b567cbe575b24ed104ee589037a48aa2d277452ba0b6a6/
Threat name:
Win32.Backdoor.Zapchast
Create hunting rule
Status:
Malicious
First seen:
2022-06-01 19:20:28 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lfnf2intq25i4mfvm7f6k5nsj3iqj3sysa32jcvc2j3ukk5aw2ta._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:djvu family:recordbreaker family:redline family:tofsee family:vidar family:xmrig botnet:10k#24343 botnet:937 discovery evasion infostealer miner persistence ransomware spyware stealer suricata trojan vmprotect
Link:
https://tria.ge/reports/220618-xyr7bsagam/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
VMProtect packed file
Vidar Stealer
XMRig Miner Payload
Amadey
Detected Djvu ransomware
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RecordBreaker
RedLine
RedLine Payload
Tofsee
Vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
xmrig
Malware Config
C2 Extraction:
http://abababa.org/test3/get.php
185.215.113.15/Lkb2dxj3/index.php
http://93.115.28.51/
svartalfheim.top
jotunheim.name
https://t.me/tg_dailylessons
https://busshi.moe/@olegf9844xx
176.124.201.194:42409
Unpacked files
SH256 hash:
595a5d21b386ba8e30b567cbe575b24ed104ee589037a48aa2d277452ba0b6a6
MD5 hash:
505d564e02b600967f65ce37d79b80e1
SHA1 hash:
6dd0ebfb6692ff48101744cbbcf78183ead269f7
Link:
https://www.unpac.me/results/bb5ddf35-3063-472c-adf8-61a0008d4907/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/595a5d21b386ba8e30b567cbe575b24ed104ee589037a48aa2d277452ba0b6a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CoinMiner_Strings
Create hunting rule
Author:Florian Roth
Description:Detects mining pool protocol string in Executable
Reference:https://minergate.com/faq/what-pool-address
Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_DLInjector06
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:MALWARE_Win_Tofsee
Create hunting rule
Author:ditekSHen
Description:Detects Tofsee
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:MAL_XMR_Miner_May19_1_RID2E1B
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:MINER_monero_mining_detection
Create hunting rule
Author:Trellix ATR team
Description:Monero mining software
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:privateloader
Create hunting rule
Author:Andre Tavares
Description:Detects downloader PrivateLoader loader and core, based on string encryption and an http header used on C2 comms
Rule name:PUA_Crypto_Mining_CommandLine_Indicators_Oct21
Create hunting rule
Author:Florian Roth
Description:Detects command line parameters often used by crypto mining software
Reference:https://www.poolwatch.io/coin/monero
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_privateloader
Create hunting rule
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.
Rule name:win_tofsee_w0
Create hunting rule
Author:akrasuski1
Rule name:XMRIG_Monero_Miner
Create hunting rule
Author:Florian Roth
Description:Detects Monero mining software
Reference:https://github.com/xmrig/xmrig/releases
Rule name:XMRIG_Monero_Miner_RID2DC1
Create hunting rule
Author:Florian Roth
Description:Detects Monero mining software
Reference:https://github.com/xmrig/xmrig/releases

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/281199/

Comments