MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b74200e92d384d0fa4223f8c9fafd1365f4b9a0c3e2d107f2b65d3457794a10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stop

Vendor detections: 15

Intelligence 15 IOCs YARA 6 File information Comments

SHA256 hash:	6b74200e92d384d0fa4223f8c9fafd1365f4b9a0c3e2d107f2b65d3457794a10
SHA3-384 hash:	185f77c2aaf2dabe94dd45f05f5be8613d4a7feaed581ad7ec70dbff5bbb3abd877b79a6d6bf496b5a376cdb6750bb55
SHA1 hash:	a32da20f5273eb71e5338af67a55a7de413c53ad
MD5 hash:	46734c71fa5e2d210284d571a2b32b48
humanhash:	ceiling-sad-magazine-happy
File name:	6b74200e92d384d0fa4223f8c9fafd1365f4b9a0c3e2d107f2b65d3457794a10
Download:	download sample
Signature	Stop Create hunting rule
File size:	752'640 bytes
First seen:	2023-05-18 13:57:01 UTC
Last seen:	2023-05-21 11:16:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3547ca43eea0a55e45859d2d3c2d6f0b (2 x Stop, 1 x RedLineStealer)
ssdeep	12288:Y8FBgLAQp49GQGWE8URsVtczeWMoPkPgW6rGBTejJObJjBNaUDkKE:WLzp49UGVtczPMoPkYWqGBTejJO3Na
Threatray	1'768 similar samples on MalwareBazaar
TLSH	T14EF422113AA2D471E97A113898A5C6665E37BCB10BB65ACF37D8243F1E38BD1DE70306
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000100006104000 (1 x Stop)
Reporter	JaffaCakes118
Tags:	Stop

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-05-18 04:03:46 UTC

Tags:

loader smoke trojan stealer vidar ransomware stop fabookie amadey miner

Link:

https://app.any.run/tasks/78b45637-35be-4204-b895-97e9df7d7d99

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Malware.29323.BadIN.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending an HTTP GET request

Creating a file

Launching a process

Creating a process with a hidden window

Adding an access-denied ACE

Сreating synchronization primitives

Deleting a recently created file

Sending a custom TCP request

Searching for synchronization primitives

Query of malicious DNS domain

Sending a TCP request to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Sending an HTTP GET request to an infection source

Gathering data

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/6b74200e92d384d0fa4223f8c9fafd1365f4b9a0c3e2d107f2b65d3457794a10

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e1c7cdee-f864-4408-b11d-f5a74744165c

Result

Threat name:

Djvu

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1236429

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Djvu Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6b74200e92d384d0fa4223f8c9fafd1365f4b9a0c3e2d107f2b65d3457794a10/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-05-18 06:01:58 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 37 (70.27%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nn2cadus2ocnb6scep4mt6x5cns7jonayprncb7swzotiv3zjiia._file

Verdict:

malicious

Stop

35ba91ddf0d41590d0de137bc1d6e5524d8a84ecfabdae793e6b3a499f2c67d4

Stop

6a455892dc6b808ff4f012010f20ad4bbf16b881b9c235d98c85565591289012

Stop

83c4c80adbeb1d8411e49c1d14a886af6a26c9fb9827d8852d4e45e4a5f09b17

Stop

a0038a7651f4408728f4a8c7a2abe43b237fc9dc6645fa34e5c4d9c212658878

Stop

b299675e7e4654beadcaa2c38a96bf8324bbde96904ede17fdd88ebb7fdf2748

Stop

d46fec4abba46efe6663f19c2d9963a612f4ff25023c0dc6fc5bb559f106859d

Stop

+ 1'758 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:djvu family:vidar botnet:9dfa7ee730fa2f1efb5ed51dbbec22f5 discovery persistence ransomware spyware stealer

Link:

https://tria.ge/reports/230518-q9greaah8x/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Downloads MZ/PE file

Detected Djvu ransomware

Djvu Ransomware

Vidar

Malware Config

C2 Extraction:

http://zexeq.com/raud/get.php
https://steamcommunity.com/profiles/76561199263069598
https://t.me/cybehost

Unpacked files

SH256 hash:

73c5945a60d82e8da47c17290d959b8240a87b08fc1419dc15b2d71bec78d949

MD5 hash:

8e2aacd95f63ef0b3143d71c45339b4c

SHA1 hash:

8e65171bbba30ca66cfec169c2c5a6049925443a

Detections:

win_stop_auto

Link:

https://www.unpac.me/results/11247e09-c2d8-47a9-8ce7-a3767c703c00/

Parent samples :

073288cf76b4cf05299bd491d99eee7323c23c80d31f5632d17469fddf4593ec
1602a3f2931c5d793cc9500c69850fa4cc12b319c0eb2198d18c176579273fd2
22497547a2b75686dffc674699174778510bb76a14141249581b8cecffdf9c2d
42861dac2769a42a12bc836dafa23317be73911646b00abcb7b70aac34e061f8
4833cee293c3ab4e6d6068d81afad03d27d1ab0314a4ee092a65c66d56325b16
6b74200e92d384d0fa4223f8c9fafd1365f4b9a0c3e2d107f2b65d3457794a10
968dd2b3636954d551acef1487e898e1d10231e55f43f62369fe76555def03bb
8f2486c896e10bb516f077a31e6d36c281c868ca4214ab44ee4d5306311d481e
3e618b09bbab54dd0bd81e5ff61964768c527c998f5e9464a0239ca7ec23cadf
9e7dfc2e09525f92fd865aa1a1bb141a7bbb152f04a80d254c7d3b0853e07ef0
3c3cee50db58610d6292c0f1c6ef8f40d519cf814a17ad7a6dada0194e0f3388
1c163c65c9c41543f8941a29597df12521b512988deb9b389938475e9d46beb1
dfd6ed04039241b2bf6985e4810043386acf78249d55a3ab4a758c73b539c5bf
26b3be5bb284467b876c6fc017b9a8e7b7c99dd667c82aeac71e2cbd0f7027ed
9ebee44cdf471a2b69c261d3ff33d6be7bd07f755061311e3ceb8590b54369c3
5e75b2121f0a0419871b8dfdcdd276bb98d2d2f19adb248a7732e1dc127d4e71
8f07652a83851ae8be7dd1371b82dc5ef035e74954f7f0c2ed73e85fe6b554c6
70365b7e7cb7451145d67b2b96721ac09ae6794d592b5a9d1dec808d322b53b5
c14b06a3a76dc9d5673c5e98d318d5906c407869bec5ae0a66c0b8635fd61531
626b97523ea1c89f3337be39efaa901c3a39d26bc108cc0c5d9e2eaffb2b79b4
d35afbada1b1ae2f895e400e0a8cf05836b4ac916c4f1a781930a9324bfc37c0
d383cd06a306d385f79adce125d2816d81e1a067c160ae62270f0b2b8183f1d2
e33388664324a90a21ad9902ecb1ba409f2a888b23d61b1a32ad30d5ae3beaa1
b7ec42faae4bbaedc15483e17176375dd38e15af6bbab3fa5cd8aaf94bd57102

SH256 hash:

6b74200e92d384d0fa4223f8c9fafd1365f4b9a0c3e2d107f2b65d3457794a10

MD5 hash:

46734c71fa5e2d210284d571a2b32b48

SHA1 hash:

a32da20f5273eb71e5338af67a55a7de413c53ad

Link:

https://www.unpac.me/results/11247e09-c2d8-47a9-8ce7-a3767c703c00/

Malware family:

STOP

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6b74200e92d3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6b74200e92d384d0fa4223f8c9fafd1365f4b9a0c3e2d107f2b65d3457794a10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_STOP Create hunting rule
Author:	ditekSHen
Description:	Detects STOP ransomware

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Windows_Ransomware_Stop_1e8d48ff Create hunting rule
Author:	Elastic Security

Rule name:	win_stop_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample