MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642
SHA3-384 hash:	1b7c35c151e9647b5ed95dae44f65714165322cf5f0496a7edbb47881a36eee715d575752050ecb32673ae16a78c10ee
SHA1 hash:	8ed7f141816dfdc4f4f69e084e1a737f4d7f26da
MD5 hash:	180344b7af592c3e81e9cab9cbc54383
humanhash:	timing-vegan-fifteen-one
File name:	180344b7af592c3e81e9cab9cbc54383.exe
Download:	download sample
Signature	Stop Alert Create hunting rule
File size:	707'072 bytes
First seen:	2023-07-15 13:20:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0af0ab32fec6d387d477684bace95bf2 (1 x Stop, 1 x Tofsee, 1 x RedLineStealer)
ssdeep	12288:9clInhxhpN6LyC8a9JtbsCx0oopfjksLm42J69bS/EvIP7c:9RbQLD8a97sCbI9mNJ69m/EQP7
Threatray	2'196 similar samples on MalwareBazaar
TLSH	T17AE412703550D532C85650719C24D2B8792DBC22FD199987BA983FAF3D3229CA7EE78C
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	000818280a030600 (3 x Smoke Loader, 1 x Stop, 1 x GCleaner)
Reporter	obfusor
Tags:	exe Stop

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

271

Origin country :

HK

Vendor Threat Intelligence

CAPE Sandbox STOP

Detection:

STOP

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/420417/

ClamAV Detected

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Alert

Create hunting rule

Dr. Web vxCube Clean

Result

Verdict:

Clean

Maliciousness:

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

greyware packed xpack

Link:

https://www.filescan.io/uploads/64b29d407a9c6ddebf0ad0e4/reports/10d72aa1-3239-4525-882f-49e9e6b9f6ca/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer STOP Ransomware

Malware family:

STOP Ransomware

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1c8ff701-5a2a-41aa-b5a7-2f95301125aa

Joe Sandbox Djvu

Result

Threat name:

Djvu

Alert

Create hunting rule

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1273581

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Djvu Ransomware

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642/

ReversingLabs TitaniumCloud Win32.Trojan.SmokeLoader

Threat name:

Win32.Trojan.SmokeLoader

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-07-15 12:29:45 UTC

File Type:

PE (Exe)

Extracted files:

18

AV detection:

21 of 24 (87.50%)

Threat level:

  5/5

Spamhaus Hash Blocklist Malicious file

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nknjtinhdbx7riml3ilcbcieufai6u2o2gem2bj5xgsm5ghwmzba._file

Threatray malicious

Verdict:

malicious

Similar samples:

2831300675369e6ac5d928446186f83bedc4027fe6db617039e5b224258ed0b6

Stop

35ba91ddf0d41590d0de137bc1d6e5524d8a84ecfabdae793e6b3a499f2c67d4

Stop

6a455892dc6b808ff4f012010f20ad4bbf16b881b9c235d98c85565591289012

Stop

83c4c80adbeb1d8411e49c1d14a886af6a26c9fb9827d8852d4e45e4a5f09b17

Stop

a0038a7651f4408728f4a8c7a2abe43b237fc9dc6645fa34e5c4d9c212658878

Stop

b299675e7e4654beadcaa2c38a96bf8324bbde96904ede17fdd88ebb7fdf2748

Stop

d46fec4abba46efe6663f19c2d9963a612f4ff25023c0dc6fc5bb559f106859d

Stop

+ 2'186 additional samples on MalwareBazaar

Hatching Triage vidar

Result

Malware family:

vidar

Alert

Create hunting rule

Score:

  10/10

Tags:

family:djvu family:vidar botnet:https://t.me/eagl3z discovery persistence ransomware spyware stealer

Link:

https://tria.ge/reports/230715-qlnj2sag54/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Downloads MZ/PE file

Detected Djvu ransomware

Djvu Ransomware

Vidar

Malware Config

C2 Extraction:

http://zexeq.com/raud/get.php
https://t.me/eagl3z
https://steamcommunity.com/profiles/76561199159550234

UnpacMe djvu_ransomware win_stop_auto

Unpacked files

SH256 hash:

857104156aa4da841ae31c6491bc6256d21939bcecf70e67c5d0fcfb748ba2eb

MD5 hash:

49407b6f44a5f4188b374fe0c32b99dd

SHA1 hash:

490d7ae6e0992f3babbeb8989ac9aa6e6c773c9c

Detections:

djvu_ransomware

Alert

Create hunting rule

win_stop_auto

Alert

Create hunting rule

Link:

https://www.unpac.me/results/b45013e2-b2d4-4186-a1dc-788e24a24601/

Parent samples :

a4b3953a8fdbee6fccaa3c25847c3da85e78d33377e73e6bebe3fe9d00a4de84
6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642

SH256 hash:

6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642

MD5 hash:

180344b7af592c3e81e9cab9cbc54383

SHA1 hash:

8ed7f141816dfdc4f4f69e084e1a737f4d7f26da

Link:

https://www.unpac.me/results/b45013e2-b2d4-4186-a1dc-788e24a24601/

VMRay STOP

Malware family:

STOP

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6a9a99a1a718/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

exe 6a9a99a1a7186ff8a18bda16208904a1408f534ed188cd053db9a4ce98f66642

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2635570/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/420417/