MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 795aa5cf33f918f0d642b2e47c67ef031e8297834be19030b7eb2c19700104a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stop

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 8 File information Comments

SHA256 hash:	795aa5cf33f918f0d642b2e47c67ef031e8297834be19030b7eb2c19700104a8
SHA3-384 hash:	839d5575c1c4e7bdc0cb3dde5f948db9cfd7b46e83d9f4a06f98efbd2a5e0529e16a8db6e5c2f78ffdf2b4edc76207c6
SHA1 hash:	b67f31dbf54f4d5850c4d8d2d77cdccb10912660
MD5 hash:	a5eaa600cad0782f530955052027a231
humanhash:	johnny-double-mango-purple
File name:	795aa5cf33f918f0d642b2e47c67ef031e8297834be19030b7eb2c19700104a8
Download:	download sample
Signature	Stop Create hunting rule
File size:	692'800 bytes
First seen:	2021-09-30 12:13:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	26b2a22c1afb78875d9384441bc03abe (4 x ArkeiStealer, 4 x RedLineStealer, 2 x Stop)
ssdeep	12288:RHbV5ATRrAxUsFcv+fWIEEGFD8S8Dq1Dl2P4lvLGbEC3P7jzR+:RHhYxSREEGFD8S8Dq1J3hUECfw
TLSH	T1B0E423607DD495BBE70614BA887FD2B6862EF8704665743A3758462E2F742C0E23E3D3
File icon (PE):
dhash icon	4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter	JAMESWT_WT
Tags:	exe Stop

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://23.88.108.1/	https://threatfox.abuse.ch/ioc/228179/

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Detection:

STOP

Link:

https://www.capesandbox.com/analysis/193545/

Detection(s):

Win.Packed.Generic-9897371-0

Win.Packed.Generic-9897548-0

Win.Packed.Generic-9897607-0

Win.Packed.Generic-9897628-0

Win.Packed.Fragtor-9897699-0

Win.Packed.Generic-9898145-0

Win.Packed.Fragtor-9898153-0

Win.Packed.Generic-9898156-0

Win.Packed.Generic-9898162-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt to an infection source

Sending an HTTP GET request

Sending an HTTP GET request to an infection source

Creating a window

Unauthorized injection to a recently created process

DNS request

Connection attempt

Sending a custom TCP request

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f803cb04-065e-48d3-b417-c633511045dc

Result

Threat name:

Djvu

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/862190

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Djvu Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/795aa5cf33f918f0d642b2e47c67ef031e8297834be19030b7eb2c19700104a8/

Threat name:

Win32.Trojan.Racealer

Status:

Malicious

First seen:

2021-09-29 14:54:37 UTC

AV detection:

34 of 45 (75.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pfnkltzt7empbvscwlshyz7pampiff4djpqzamfx5mwbs4abasua._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:djvu family:vidar discovery persistence ransomware spyware stealer

Link:

https://tria.ge/reports/210930-pebq8shfa8/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Vidar Stealer

Detected Djvu ransomware

Djvu Ransomware

Vidar

Unpacked files

SH256 hash:

5f2bb7899383d9e75afd1e4e6bb4b77281c35944598c865c2018563f662c00ef

MD5 hash:

1f4344483a27a452ef55e32870e05ed6

SHA1 hash:

032a3a8d46d823cd1405f2227df653178908f94a

Detections:

win_stop_auto

Link:

https://www.unpac.me/results/feee75e2-0577-4cb2-8cc5-624b94d2d44d/

Parent samples :

55e262d517e470787760c984868f07d582f8d8efd9ff98db0870c48c9a51c23d
28987da061d42bee399b3cafd876c34826eea824758ae23ead826fe971cb978f
96888e3f86a786d67fe5d2df9f5d195721ec70de964fb1467a263eaa2a9c80bd
1662a370129d1175bb6064da3b8080158ebe848ab34e433c67e93d4f3481b148
5f1d4edb0181437d5c6e270977eec68d3daf4bd63edbc4c29e691573ca2ed9e6
d34b0333afa76522d268ba1886698f7f98550fa0da5cae603486127bae326c59
d58fb2c3a56ea6bce3e4d7979a1e6860db641e53a4821005ac4a58cf447ce876
795aa5cf33f918f0d642b2e47c67ef031e8297834be19030b7eb2c19700104a8

SH256 hash:

795aa5cf33f918f0d642b2e47c67ef031e8297834be19030b7eb2c19700104a8

MD5 hash:

a5eaa600cad0782f530955052027a231

SHA1 hash:

b67f31dbf54f4d5850c4d8d2d77cdccb10912660

Link:

https://www.unpac.me/results/feee75e2-0577-4cb2-8cc5-624b94d2d44d/

Malware family:

STOP

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/795aa5cf33f9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/795aa5cf33f918f0d642b2e47c67ef031e8297834be19030b7eb2c19700104a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	MALWARE_Win_STOP Create hunting rule
Author:	ditekSHen
Description:	Detects STOP ransomware

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

Rule name:	win_stop_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/193545/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample