MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a0edc9a74176c2fc135bcc85ff57459c17afee6245380b54e1c1ce6f0a0c0d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stop

Vendor detections: 15

Intelligence 15 IOCs YARA 10 File information Comments

SHA256 hash:	5a0edc9a74176c2fc135bcc85ff57459c17afee6245380b54e1c1ce6f0a0c0d1
SHA3-384 hash:	0a206c4b2fcfd3b30c24d83cde79cb146a4a3858a298cdfb83407bef0b5276521aef108f7ba766e874448e43d5f96327
SHA1 hash:	e407a5c0eaa388785caa2914399f5793f83d530d
MD5 hash:	51fd5e6cc36b204e21f3477988d454ce
humanhash:	delta-april-triple-utah
File name:	51fd5e6cc36b204e21f3477988d454ce.exe
Download:	download sample
Signature	Stop Create hunting rule
File size:	843'264 bytes
First seen:	2022-03-11 19:36:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	efc09099dc764fac02664e8bd8784b14 (6 x RedLineStealer, 1 x N-W0rm, 1 x Loki)
ssdeep	24576:SCbWqYMKf0FYHEke49PHti7sCQznPFnyFA5R+Z:SGKfMYqQNivQzdnf50
TLSH	T11105F120BA90D035F1BB52F859B9836DAA1E7EE15B2050CF62C56BEE17346E1EC30717
File icon (PE):
dhash icon	2dec1370399b9b91 (25 x RedLineStealer, 21 x Smoke Loader, 8 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe Ransomware Stop

Intelligence

File Origin

# of uploads :

# of downloads :

355

Origin country :

n/a

Vendor Threat Intelligence

Detection:

STOP

Link:

https://www.capesandbox.com/analysis/249691/

Detection(s):

Win.Dropper.Generickdz-9939781-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Launching a process

Creating a process with a hidden window

Adding an access-denied ACE

Сreating synchronization primitives

Deleting a recently created file

Searching for synchronization primitives

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Enabling autorun by creating a file

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/8926/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/622ba4e20cd58dbd92806f4a/reports/a3fcd7b5-935f-420b-b94e-eac08ee131d4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fab0cbd8-4002-46f3-a8f6-3af2ee629350

Result

Threat name:

Djvu

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/955198

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Found ransom note / readme

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Possible FUD Crypter (malicious underground PE packer) detected

Yara detected Djvu Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a0edc9a74176c2fc135bcc85ff57459c17afee6245380b54e1c1ce6f0a0c0d1/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2022-03-11 19:37:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lihnzgtuc5wc7qjvxtef75lulhaxv7xgerjybnkodqoon4faydiq._file

Verdict:

malicious

Result

Malware family:

djvu

Score:

10/10

Tags:

family:djvu ransomware

Link:

https://tria.ge/reports/220311-ybsp1seacj/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Detected Djvu ransomware

Djvu Ransomware

Malware Config

C2 Extraction:

http://fuyt.org/test1/get.php

Unpacked files

SH256 hash:

c2bd9d2d4b74119e6326432cff11b66967ad03dd16cf8489872104c6673c4458

MD5 hash:

06718f08b9c144f804038889eb3275db

SHA1 hash:

c47188bd4f0c94a58a2ef2ced234108689ad368b

Detections:

win_stop_auto

Link:

https://www.unpac.me/results/3f597c41-473f-4c4e-842c-efe1f96729c0/

Parent samples :

5a0edc9a74176c2fc135bcc85ff57459c17afee6245380b54e1c1ce6f0a0c0d1
8e59e609d766b97d507b0bc9947d0a4b45431a3e3a2f3ade98a14a51cfb96fd0
1887d44bd913b81d9943f4b5637e01b057d20d757b23cd6ea3da239827a9cd95
7fb707b6080c884faf366ba8e885c37e68ada8cd96bbc4897a7df0ab00c17270
232d25948db02a80f05a71382a8fda0000fb08df82778f30322d5844ce7d167b

SH256 hash:

5a0edc9a74176c2fc135bcc85ff57459c17afee6245380b54e1c1ce6f0a0c0d1

MD5 hash:

51fd5e6cc36b204e21f3477988d454ce

SHA1 hash:

e407a5c0eaa388785caa2914399f5793f83d530d

Link:

https://www.unpac.me/results/3f597c41-473f-4c4e-842c-efe1f96729c0/

Malware family:

Djvu

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/5a0edc9a7417/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5a0edc9a74176c2fc135bcc85ff57459c17afee6245380b54e1c1ce6f0a0c0d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	MALWARE_Win_STOP Create hunting rule
Author:	ditekSHen
Description:	Detects STOP ransomware

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

Rule name:	win_stop_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.stop.

Rule name:	XOREngine_Misc_XOR_Func Create hunting rule
Author:	smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:	Use with care, https://twitter.com/cyb3rops/status/1237042104406355968