MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 753e459cfed4907d026639fd040584add7f2ffa4eff58a310ee32372b976d5ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vendor detections: 13



SHA256 hash: 753e459cfed4907d026639fd040584add7f2ffa4eff58a310ee32372b976d5ac
SHA3-384 hash: 8533655b6b20dfd93319eaf0d1323d7054fa69786ea6552a04c6d2631ec6a30fb61e08adad0185a9ae3e910c53f9e677
SHA1 hash: 065a29b3659072933c0b5ea4846617f850af715b
MD5 hash: 3415cbccf3b287367f813640b031143f
humanhash: golf-mexico-three-artist
File name: 753e459cfed4907d026639fd040584add7f2ffa4eff58a310ee32372b976d5ac
Signature Stop
File size: 814'592 bytes
First seen: 2022-04-05 06:11:24 UTC
Last seen: 2022-04-05 06:44:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 90d6a39a45ddf49ce4fb487d0a67b6d0 (2 x Stop, 1 x ArkeiStealer, 1 x RedLineStealer)
ssdeep 12288:3+eMa13573ZyNXjK8vqTyHDen3UZ8IMqd70MWY5UdAfp:3+s393PfyHK31IT7bWTdA
Threatray 1'113 similar samples on MalwareBazaar
TLSH T19F0512217382E834D490FD70A4B0FBF1557BBC3259606857EBB93B3A2D752A4A4B8307
dhash icon 480c1c4c4f590b14 (113 x Smoke Loader, 92 x RedLineStealer, 83 x Amadey)
Reporter JAMESWT_WT
Tags: exe Stop

Intelligence


File Origin
# of uploads :
2
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Creating synchronization primitives
Deleting a recently created file
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
greyware packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Verdict:
Malicious
Result
Threat name:
Detection:
malicious
Classification:
rans.troj.evad
Score:
92 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Djvu Ransomware
Behaviour
Threat name:
Win32.Trojan.Azorult
Status:
Malicious
First seen:
2022-04-05 06:12:14 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
20 of 26 (76.92%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:djvu ransomware
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://fuyt.org/test1/get.php
Unpacked files
SHA256 hash:
00d4664bdd5cc65a2042ab5784da5a2177136d51b1b6999987161666c45943c6
MD5 hash:
2602a7f420fd51d765b9fd56400221a7
SHA1 hash:
788f39d89fb443fa39caaadfe7f24515bd8eb73c
Detections:
win_stop_auto
Parent samples :
SHA256 hash:
753e459cfed4907d026639fd040584add7f2ffa4eff58a310ee32372b976d5ac
MD5 hash:
3415cbccf3b287367f813640b031143f
SHA1 hash:
065a29b3659072933c0b5ea4846617f850af715b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_STOP
Author: ditekSHen
Description: Detects STOP ransomware

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: win_stop_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.stop.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Stop
File: Executable exe 753e459cfed4907d026639fd040584add7f2ffa4eff58a310ee32372b976d5ac (this sample)

Delivery method: Distributed via web download

Comments