MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 737952d5a6f4f8c7ef21795e0a9bea82081007dd7b8514df0a6d299d31f94748. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vendor detections: 15

SHA256 hash: 737952d5a6f4f8c7ef21795e0a9bea82081007dd7b8514df0a6d299d31f94748
SHA3-384 hash: a2fbc1b47ac5f6b980c6d9df52ee8af70eebebff910d902a73f6f23a381ef83840a60f0caf3d6ac93dd2d3b642a69b25
SHA1 hash: 05939aa84500e8594c8496df47d41214ab483801
MD5 hash: 04c09921760efeb685ae489f154eea47
humanhash: timing-bacon-winter-berlin
File name: 737952d5a6f4f8c7ef21795e0a9bea82081007dd7b8514df0a6d299d31f94748
Signature: Stop
File size: 794'624 bytes
First seen: 2022-03-25 08:51:30 UTC
Last seen: 2022-03-25 10:51:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 95ad07e52855bf052511ff6b3b1e2bcf (9 x Stop, 1 x ArkeiStealer, 1 x Smoke Loader)
ssdeep: 24576:IoaO7JQI2hjYsuaMBhfKFlH0KXEM5hLy:nnu1SaMDiaM5ly
Threatray: 902 similar samples on MalwareBazaar
TLSH: T134F42332B7D3EC70DA5B38342D26C2F12E7ED57614829547BB44263EDE322C2B66B215
dhash icon: 5c59da3ce0c3c850 (12 x Stop, 11 x RedLineStealer, 8 x Smoke Loader)
Reporter: JAMESWT_WT
Tags: exe Stop
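A check worth running before touching any copy of this sample: confirm that the bytes you acquired are the ones this entry describes. The script below is an added example (not MalwareBazaar's code); the expected digests and size are copied from the hash table above, all four digest algorithms are available in Python's hashlib, and the buffer it runs on at the bottom is a constructed placeholder, not the sample. imphash, ssdeep and TLSH need external tooling and are not recomputed here.

```python
"""Added example (not MalwareBazaar's code): verify a locally acquired copy of the
sample against the digests and size recorded in this entry before detonating or
unpacking it. Expected values are copied from the entry; the sample bytes are not
embedded, so the demo at the bottom runs on a constructed placeholder."""
import hashlib
from pathlib import Path

EXPECTED = {  # copied from the entry's hash table
    "sha256": "737952d5a6f4f8c7ef21795e0a9bea82081007dd7b8514df0a6d299d31f94748",
    "sha3_384": "a2fbc1b47ac5f6b980c6d9df52ee8af70eebebff910d902a73f6f23a381ef83840a60f0caf3d6ac93dd2d3b642a69b25",
    "sha1": "05939aa84500e8594c8496df47d41214ab483801",
    "md5": "04c09921760efeb685ae489f154eea47",
}
EXPECTED_SIZE = 794624  # "794'624 bytes" in the entry


def digests(data: bytes) -> dict:
    """Compute every digest the entry records; all four names are valid for hashlib.new()."""
    return {name: hashlib.new(name, data).hexdigest() for name in EXPECTED}


def verify(data: bytes, expected: dict = EXPECTED, size: int = EXPECTED_SIZE) -> list:
    """Return the names of the fields that do NOT match.

    An empty list means the bytes are exactly the recorded sample; anything else
    means you are holding a different file (re-packed, truncated, or the wrong download).
    """
    problems = ["size"] if len(data) != size else []
    got = digests(data)
    problems += [name for name, want in expected.items() if got[name] != want.lower()]
    return problems


def verify_file(path: str) -> list:
    """Same check for a file on disk (path is whatever you downloaded the sample to)."""
    return verify(Path(path).read_bytes())


if __name__ == "__main__":
    # Constructed placeholder: obviously not the sample, so every field mismatches.
    print(verify(b"MZ placeholder, not the real sample"))
```

Treat any non-empty result as a stop condition: analysis notes written against the wrong bytes are worse than none.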

Intelligence


File Origin
# of uploads: 2
# of downloads: 205
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness: (score bar, not reproduced in text)

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
SystemUptime
MeasuringTime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: azorult greyware hlux packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: STOP Ransomware
Verdict: Malicious

Result
Threat name:
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Behavior Graph ID: 596930; Sample: KQrSPU2yTa; Startdate: 25/03/2022; Architecture: WINDOWS; Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
Process tree (node numbers as in the graph):
Four instances of KQrSPU2yTa.exe are started from the sample (nodes 8, 11, 13, 15).
Node 8 (Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes) starts KQrSPU2yTa.exe (node 17).
Node 11 (Contains functionality to inject code into remote processes) starts KQrSPU2yTa.exe (node 22).
Node 13 (Sample uses process hollowing technique) starts KQrSPU2yTa.exe (node 24) and WMIADAP.exe (node 26).
Node 15 starts KQrSPU2yTa.exe (node 28).
Node 17: network fuyt.org 177.207.85.94 (ports 49783, 80; TELEFONICABRASILSABR, Brazil); dropped C:\_readme.txt (ASCII), C:\Users\user\Desktop\YPSIACHYXW.png (data), C:\Users\user\Desktop\WUTJSCBCFX.docx (data) and 3 other malicious files; signature: Modifies existing user documents (likely ransomware behavior).
Node 22: network api.2ip.ua 162.0.218.244 (ports 443, 49773, 49774; ACPCA, Canada) and 192.168.2.1 (unknown); dropped C:\Users\user\AppData\...\KQrSPU2yTa.exe (PE32) and C:\Users\...\KQrSPU2yTa.exe:Zone.Identifier (ASCII); starts KQrSPU2yTa.exe (node 30) and icacls.exe (node 33).
Node 30 (Injects a PE file into a foreign processes) starts KQrSPU2yTa.exe (node 35).
Node 35: network api.2ip.ua.
Threat name: Win32.Trojan.Raccrypt
Status: Malicious
First seen: 2022-03-24 12:55:21 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 22 of 26 (84.62%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:djvu ransomware
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction: http://fuyt.org/test1/get.php
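The sandbox reports above give a small, concrete set of host-observable behaviours for this sample: an HTTP GET to the extracted C2 URL, DNS lookups for fuyt.org and for the IP-lookup service api.2ip.ua, the ransom note C:\_readme.txt, and icacls.exe being launched by the copy of the binary dropped under AppData. The following is an added example, not part of MalwareBazaar or of any vendor's report, of turning those into detection logic and running it over endpoint telemetry. The log line format, the field names and the exact AppData path in the sample log are constructed for the demo and do not correspond to any particular EDR schema; only the indicators come from the page.

```python
"""Added example (not MalwareBazaar's or a sandbox vendor's code): detection logic
for the behaviours this entry's sandbox reports describe, run over constructed
telemetry. Log format, field names and paths are assumptions for the demo."""
import re
from dataclasses import dataclass

# Indicators copied from this entry and its sandbox reports.
C2_URL = "http://fuyt.org/test1/get.php"
LOOKUP_HOSTS = {"fuyt.org", "api.2ip.ua"}   # C2 host and the geolocation service it queries
RANSOM_NOTE = "_readme.txt"


@dataclass
class Event:
    kind: str      # process | file | dns | http  (constructed schema)
    fields: dict


_KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> list:
    """Parse constructed 'kind key=value ...' lines into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, _, rest = line.partition(" ")
        events.append(Event(kind, dict(_KV.findall(rest))))
    return events


def evaluate(events) -> list:
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        f = {k: v.lower() for k, v in ev.fields.items()}
        if ev.kind == "http" and f.get("url", "").startswith(C2_URL):
            hits.append(("stop_c2_http_get", ev))
        elif ev.kind == "dns" and f.get("query", "").rstrip(".") in LOOKUP_HOSTS:
            hits.append(("stop_dns_lookup", ev))
        elif ev.kind == "file" and f.get("path", "").endswith("\\" + RANSOM_NOTE):
            hits.append(("ransom_note_written", ev))
        elif (ev.kind == "process"
              and f.get("image", "").endswith("\\icacls.exe")
              and "\\appdata\\" in f.get("parent", "")):
            # The sandbox shows icacls.exe started by the copy dropped under AppData.
            hits.append(("icacls_spawned_from_appdata", ev))
    return hits


# Constructed telemetry mirroring the sandbox's process tree; the AppData path is invented.
SAMPLE_LOG = r"""
process image=C:\Users\user\AppData\Local\KQrSPU2yTa.exe parent=C:\Users\user\Desktop\KQrSPU2yTa.exe
process image=C:\Windows\System32\icacls.exe parent=C:\Users\user\AppData\Local\KQrSPU2yTa.exe
dns query=api.2ip.ua
http method=GET url=http://fuyt.org/test1/get.php
file path=C:\_readme.txt
process image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe
"""

if __name__ == "__main__":
    for name, ev in evaluate(parse_log(SAMPLE_LOG)):
        print(f"{name:30} {ev.kind} {ev.fields}")
```

The exact-URL and ransom-note rules are high confidence but brittle (the C2 path and note name change between STOP/Djvu builds); the DNS lookup and the icacls-from-AppData rules are the more durable of the four and are the ones worth keeping as broader hunts.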
Unpacked files

SHA256 hash: abcf7d30cc3d111d0b472db7829aad9186623fea0a4eb2d009364a3badd036f7
MD5 hash: 5671aa66c7c6dd564040040af56613f5
SHA1 hash: 3acd65229fb3e9b95c0de6b15a4601f2a8ed1304
Detections: win_stop_auto
Parent samples:
635a5c00275d4f354e8f38c646c9210440bacc46088c45907132d82b11877783
2ec22ff642ea83f3ebccca4b3e339e489862f19734cdb412fb45f19861e87dca
7a4023b282b7224de166066ae699391f13d915f86b2d0b40c2a5b0fe1a9718cd
45af7d799a8e6cd7b9427908e7bdba67693f63402b0b32316982656bf7d17462
d43db3b64f29b961752c284a490ea67f6d50ff514120fcf30fd5c613eb1ae1f4
48ddbcd8f3032a8fdc0a3d4a9d8aeda6c308f483086e1225fdddc4aa7427efe4
538cec6a5804462e03a8ed88b60f42b86ec186d1d0b13035481fdf914cbdec58
923d2af76cd47509cd42c94e47b6198321b16c2123b09bb39aa26b8c3daf9647
929b053934a3572ebc7c94b4c52999586abeccc2c8dc90dbe0e49464c866fbeb
43063ca44a4aa0295b67ef271fe75da47885ca435478d748db142bf70b1aa536
b35685146d30d976ea7a856d4f6011e2433d8a40244c320be021d40ed33f0ee0
aa214ec9d85ba13d56a8bee47e408b5e4f3a4b88343cbcc1a24bf40e15b829d2
ae058994900610eeff5d5a9cdd8c0bc6ecaf25e94e3b51d31b836f88e1c345c2
0bb327c21f967f2f0a4d1c7baf7fbbd0d608379dcb5437326132406241672090
9d17aa2b72c65fb399bf814b75dc2d81fcb224ffe14025f6172a899f78ad4b1d
16c2af1b62a1e35ec8a6ac6d70ab1a37c5f396bb0828ef929a48d34f9e8e85ee
70d1c2b0ef9851cdaa3930c9281b66a36c19be11fa22abb48f2a9b22a3a8b2ab
927eb77870eec687543f74894047efc68cad08c584da6b2e1c40c6581383fba0
3428d97c2e4b6847ef7f475ec2e0ad81822c18316aed26167e7dca854ba6d558
16133d7ddaca6879a788f0907cec69b2a2617320584d221298d7bcc588ebf318
52422d05aae55225fb5983fe567d620c32729fb30c5988396a4e5d0590897d78
548824b5b105eab5762d911049d55f931a2fc16cfeb6765376e46a200f93d38b
314273490c0e5ef5ff18f8d21ae624d260512a1a94aa4c8e7781a2643c129572
a6263ad79b7abeec91b82eeea57f3a439810e8ca894b13e74f1bc42968fc5de5
b64aa8f8680b708f1cd34d360ba85b4bfcbc37a6bcb1961dc9541045ec6b9289
fca203f38621ebabe5dca56eabdab5f6a7abe87cf585fa9d0f8a6bf8aa1915e5
ab20fb1bc76f2c56b1f7a70814f3e40c509f39e679594fa60e4cefc2c06ecfa1
b1077f9ca5014fff1ed0858d7af7353bf8c84c0e0c73afe206ce341fd4effa21
e97d63183f13032ab19f9766b24a141235e3873d40332929e65d7ba2d129325a
c9451bc19c0bc4b61d1873a8fa25a206fd3755fc50d61cc896cca8e9cec94486
e0b91e4a4f6c1e92719658f83cc4d4644f72ccdcc00a737b066dbb9b2b9ff772
ed871e17c502520e4084692bd2b4d902be1b3f556879af50b8aeccfed89f3ffe
f787a845e85d35f2ef189d51df495cb9e4dcfaba444c418c931c93d179f64210
8e3dd78c8d7690816bef14a1be4811adff826dabcbf72adf26502b7dd0f57bd2
1631e2571d7e0ebf784a263fe72777450189800806d145c4937492dfcb55f2d5
d3ca0ef14e8dc45497faba304acf842bb2f2913ca2108600ee2771f9e9a24f9c
e9e758383c0f518c4dbd1204a824762f5fac37375d8c5695c749ad1c36c0f108
b6b6783ceb1f14e70d6a9a22e1d9f133f65f9c7e700de82fc7621a2926e3a4b7
ab3bfacf38d1544dceacfe2ecd4dc8501182979913adbc56402e874e6d53a315
da0e4fadc9227bec63e5bfd562eefe9682c2131e4dfb8ba2a1a0eca7c699bb99
737952d5a6f4f8c7ef21795e0a9bea82081007dd7b8514df0a6d299d31f94748
7a8036c61f22b8f9a4ace433b65d393b271dede1a2be1a688c70c3838fbca5ff
8bacf2edda6b201539cda649b9a1668374a5bbeb9bfec05ed250c83cef65b6f6
63aa078445137e619fd3f1497eac18ee28a64796ae5e22a651bc4c3b48da6b72
38184b7ce38e838ee66079a498ec93128332e3a3d6dd55d779d8896c92b423a7
3940962cfc57b2aefd05cf6963fa66310487469c9034d749e9e46e259d7f9960
ad6a09d69bd7b57c329336a6ea486acd2c7c275e2a6a9703d95a93fd5fc0070b
6ba4e925a60367af40aa1eeccbc544b0ed2b6ea73f13112de046b9bb85533dea
baa36a93088b6dc0c08ff2c877f92ecd7a84314c5f9515b1108f13bc116ef1ab
be4a4943231d5aa88e6be315fc823b755c0a818eebbd3380d8165d0a6527eca8
b878b121123a08d96b205e2883f04cd75f6acd88d7e52a77e5bac139dbd067b8
bcc5f2c69c785eb5b8cec1447d741ae718ecd3dc59da3b767b1f4834c804f7b4
cbc5ce28b1925b070284c6cb443ef9197ed6d78d3d8b891189e7d103003cf8c0
6b263d1547dea150f2a1acc00b1b8f8ef30d400c31fe207e9f38a3a33e6461ee
0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db
e61a99a0c183923e18d2fbad7188e4dd52157bbaf087423adfd16e9a77c6208b
2e47721a4fb2c1e36520d287b3251a9ea2b688de1f36541e8bc06c169c2b410a
c1d38432a5040db8be37ca31b025d1edd42be37799bfd254b3c6e7c4e37937b8
a77599bea195b9f858ce2d25943da1eb6552ceb843ec8af67a41ef2c7e17e7db
SHA256 hash: 737952d5a6f4f8c7ef21795e0a9bea82081007dd7b8514df0a6d299d31f94748 (this sample)
MD5 hash: 04c09921760efeb685ae489f154eea47
SHA1 hash: 05939aa84500e8594c8496df47d41214ab483801

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_STOP
Author: ditekSHen
Description: Detects STOP ransomware

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: win_stop_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.stop.

Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968
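Two of the rules that fired on this sample (SUSP_XORed_URL_in_EXE and XOREngine_Misc_XOR_Func) look for a URL that has been hidden under a single-byte XOR, which YARA expresses with the xor string modifier. A YARA match tells you that some key in the range produced "http://", but not which key or what the rest of the URL was; the following is an added example, not part of MalwareBazaar or of either rule, that does the same search in Python and recovers the key and the full decoded URL. The buffer it scans is constructed for the demo (a fake MZ header, the C2 URL from this entry XORed with key 0x5A, and one plaintext URL).

```python
"""Added example, not part of MalwareBazaar or of the SUSP_XORed_URL_in_EXE rule it
illustrates: find URLs hidden under a single-byte XOR key and recover key and URL.
The buffer at the bottom is constructed for the demo."""

URL_PREFIXES = (b"http://", b"https://")
# Bytes allowed inside a URL (RFC 3986 unreserved + reserved + '%'); used to find where it ends.
URL_CHARS = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    b"-._~:/?#[]@!$&'()*+,;=%"
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (its own inverse)."""
    return bytes(b ^ key for b in data)


def find_xored_urls(data: bytes, max_len: int = 256) -> list:
    """Return (offset, key, url) for every URL prefix found under any single-byte key.

    Keys 0..255 are tried; key 0 is plaintext, matching YARA's default xor(0x00-0xff).
    """
    hits = []
    for key in range(256):
        for prefix in URL_PREFIXES:
            needle = xor_bytes(prefix, key)        # what the prefix looks like on disk under this key
            off = data.find(needle)
            while off >= 0:
                # Decode forward from the match until a byte that cannot be part of a URL.
                end = off
                while (end < len(data) and end - off < max_len
                       and (data[end] ^ key) in URL_CHARS):
                    end += 1
                hits.append((off, key, xor_bytes(data[off:end], key).decode("ascii")))
                off = data.find(needle, off + 1)
    return hits


# Constructed demo buffer: fake header, padding that decodes to NULs under the key,
# the C2 URL from this entry XORed with 0x5A, more padding, and one plaintext URL.
DEMO_KEY = 0x5A
DEMO_BLOB = (
    b"MZ\x90\x00" + bytes([DEMO_KEY]) * 8
    + xor_bytes(b"http://fuyt.org/test1/get.php", DEMO_KEY)
    + bytes([DEMO_KEY]) * 8
    + b"plain https://example.invalid/x \x00"
)

if __name__ == "__main__":
    for off, key, url in find_xored_urls(DEMO_BLOB):
        print(f"offset {off:#06x} key {key:#04x} {url}")
```

The search is O(256 × prefixes × filesize) with bytes.find doing the work, so it is fast enough to run over an unpacked section or a process dump; it is single-byte only, which is exactly the scope of the YARA xor modifier, and a rolling or multi-byte key needs a different approach.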

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Stop
File type: Executable exe
SHA256: 737952d5a6f4f8c7ef21795e0a9bea82081007dd7b8514df0a6d299d31f94748 (this sample)
