MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eaf2623442beeec8def2536d88d4c6cec7ba914e6794d783855eb88c4f45be5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6eaf2623442beeec8def2536d88d4c6cec7ba914e6794d783855eb88c4f45be5
SHA3-384 hash: cd1c8bc03a38f1191029d6277a32198a5af36b762415ccb29cf395aae91a7211996ab4846f468d8e4807612036001c52
SHA1 hash: 1eb38684eab7019f2a8c04ff43fee10f94aea87a
MD5 hash: 31527ffe31cedfbd0db03c0fb829d02b
humanhash: oven-alpha-magnesium-magnesium
File name:file
Download: download sample
Signature Stop
Create hunting rule
File size:756'224 bytes
First seen:2023-09-20 14:12:33 UTC
Last seen:2023-09-27 08:43:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c9420ade60b1def8d80cadba5c09306a (4 x Smoke Loader, 2 x Stealc, 2 x RedLineStealer)
ssdeep 12288:nshxdOUh1zOuMBTqN7aL8uyI81pCEuGhMURgvuXX7XJBe8XjDFZGh/iA8/HxhlAy:ns7dOUh15MBRLPKCEqggGn7v5nAr5n4b
Threatray 2'342 similar samples on MalwareBazaar
TLSH T158F412213495C877E99A05310821CBB0293FBC764D798A0B3B945BBF2E313D7EE5974A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0400001010408000 (1 x Stop)
Reporter andretavare5
Tags:exe Stop


Avatar
andretavare5
Sample downloaded from https://vk.com/doc52355237_665938507?hash=m6OB9an6EOeD8heKew1wDxncbYrgO4cjTs8IHxSGOMH&dl=uy9JCFMd880sjLNRgNT9fjPRywC1WLtHDR3fT9z2QTX&api=1&no_preview=1#test2

Intelligence

File Origin
# of uploads :
140
# of downloads :
326
Origin country :
US US
Vendor Threat Intelligence
Malware family:
stop
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-09-20 14:14:29 UTC
Tags:
ransomware stop loader stealer vidar trojan arkei raccoonclipper
Link:
https://app.any.run/tasks/94268849-67ef-4854-affe-6e59f8a5e41c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450051/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/650afdee83a0c6425dfa7626/reports/affbe35c-c872-4e69-b972-2b5fb5cac9b0/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/6eaf2623442beeec8def2536d88d4c6cec7ba914e6794d783855eb88c4f45be5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9dd1d67e-29e2-4e86-83c6-4a0cc3e5e160
Result
Threat name:
Babuk, Clipboard Hijacker, Djvu, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1311609
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Yara detected ZipBomb
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1311609 Sample: file.exe Startdate: 20/09/2023 Architecture: WINDOWS Score: 100 88 Snort IDS alert for network traffic 2->88 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 12 other signatures 2->94 11 file.exe 2->11         started        14 file.exe 2->14         started        16 file.exe 2->16         started        18 2 other processes 2->18 process3 signatures4 108 Detected unpacking (changes PE section rights) 11->108 110 Detected unpacking (overwrites its own PE header) 11->110 112 Writes a notice file (html or txt) to demand a ransom 11->112 118 2 other signatures 11->118 20 file.exe 1 16 11->20         started        114 Injects a PE file into a foreign processes 14->114 24 file.exe 14->24         started        26 file.exe 16->26         started        116 Multi AV Scanner detection for dropped file 18->116 28 file.exe 18->28         started        30 schtasks.exe 18->30         started        process5 dnsIp6 76 api.2ip.ua 162.0.217.254, 443, 49712, 49713 ACPCA Canada 20->76 60 C:\Users\user\AppData\Local\...\file.exe, MS-DOS 20->60 dropped 32 file.exe 20->32         started        35 icacls.exe 20->35         started        78 192.168.2.1 unknown unknown 24->78 37 conhost.exe 30->37         started        file7 process8 signatures9 86 Injects a PE file into a foreign processes 32->86 39 file.exe 1 51 32->39         started        process10 dnsIp11 80 zexeq.com 187.170.26.222, 49715, 49716, 80 UninetSAdeCVMX Mexico 39->80 82 colisumy.com 211.168.53.110, 49714, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 39->82 84 api.2ip.ua 39->84 62 C:\Users\user\AppData\Local\...\build3[1].exe, PE32 39->62 dropped 64 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 39->64 dropped 66 C:\...\watermark.bmp.wwty (copy), data 39->66 dropped 68 225 other malicious files 39->68 dropped 104 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 39->104 106 Modifies existing user documents (likely ransomware behavior) 39->106 44 build2.exe 39->44         started        47 build3.exe 1 39->47         started        file12 signatures13 process14 file15 120 Detected unpacking (changes PE section rights) 44->120 122 Detected unpacking (overwrites its own PE header) 44->122 124 Found many strings related to Crypto-Wallets (likely being stolen) 44->124 126 Injects a PE file into a foreign processes 44->126 50 build2.exe 44->50         started        70 C:\Users\user\AppData\Roaming\...\mstsca.exe, PE32 47->70 dropped 128 Uses schtasks.exe or at.exe to add and modify task schedules 47->128 54 schtasks.exe 1 47->54         started        signatures16 process17 dnsIp18 72 t.me 149.154.167.99, 443, 49721 TELEGRAMRU United Kingdom 50->72 74 159.69.100.165, 10088, 49722 HETZNER-ASDE Germany 50->74 96 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 50->96 98 Found many strings related to Crypto-Wallets (likely being stolen) 50->98 100 Tries to harvest and steal browser information (history, passwords, etc) 50->100 102 Tries to steal Crypto Currency Wallets 50->102 56 WerFault.exe 50->56         started        58 conhost.exe 54->58         started        signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6eaf2623442beeec8def2536d88d4c6cec7ba914e6794d783855eb88c4f45be5/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 14:13:05 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
23 of 23 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n2xsmi2efpxozdppeu3nrdkmntwhxkiu4z4u26bykxvyrrhulpsq._file
Verdict:
malicious
Similar samples:
2831300675369e6ac5d928446186f83bedc4027fe6db617039e5b224258ed0b6
Stop
35ba91ddf0d41590d0de137bc1d6e5524d8a84ecfabdae793e6b3a499f2c67d4
Stop
6a455892dc6b808ff4f012010f20ad4bbf16b881b9c235d98c85565591289012
Stop
83c4c80adbeb1d8411e49c1d14a886af6a26c9fb9827d8852d4e45e4a5f09b17
Stop
8c60fa8fa4b468973b28566c54ced1dd235a228c167972e87463e3ac0a44570f
Stop
a0038a7651f4408728f4a8c7a2abe43b237fc9dc6645fa34e5c4d9c212658878
Stop
b299675e7e4654beadcaa2c38a96bf8324bbde96904ede17fdd88ebb7fdf2748
Stop
+ 2'332 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar botnet:5c0b4a12d6c03dd98ed431d3eded2169 discovery persistence ransomware spyware stealer
Link:
https://tria.ge/reports/230920-rjdshagg2s/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Detected Djvu ransomware
Djvu Ransomware
Vidar
Malware Config
C2 Extraction:
http://zexeq.com/test2/get.php
https://steamcommunity.com/profiles/76561199553369541
https://t.me/dastanatg
Unpacked files
SH256 hash:
0d3151e11fed85fa86c15cafa61d4807fc44e8480aa9e50b74ae34438d0c3aca
MD5 hash:
40c04297aacf33bc5c4b52adcec77dd2
SHA1 hash:
be58d92037948615aa73cc37a79ca5d65774ffaa
Detections:
djvu_ransomware
Create hunting rule
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/11cb93d2-2bba-48ff-9dfd-0680a563a585/
Parent samples :
a4f702819548499595cfb484106944739c629a615d1a1bca13bfd5a44b0bb36b
6a2cf1c2674d5295844c2a9f410d39856e7158671ec95aea13be7d993d67c716
6eaf2623442beeec8def2536d88d4c6cec7ba914e6794d783855eb88c4f45be5
SH256 hash:
6eaf2623442beeec8def2536d88d4c6cec7ba914e6794d783855eb88c4f45be5
MD5 hash:
31527ffe31cedfbd0db03c0fb829d02b
SHA1 hash:
1eb38684eab7019f2a8c04ff43fee10f94aea87a
Link:
https://www.unpac.me/results/11cb93d2-2bba-48ff-9dfd-0680a563a585/
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6eaf2623442b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6eaf2623442beeec8def2536d88d4c6cec7ba914e6794d783855eb88c4f45be5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/450051/

Comments