MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ef335f3910936afe2ffdcaeff03ee06af59ab221b7106cac4724c954ad73913. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ef335f3910936afe2ffdcaeff03ee06af59ab221b7106cac4724c954ad73913
SHA3-384 hash: cc86b137561b28c4ea4edcd77e8e32c2740a527bd80c8e482c6a15b9ebc7411bd5725f6e5090d7df1f5ba64190c0a48e
SHA1 hash: 018b779e492947098b43a808cd66c85f67a99ea9
MD5 hash: 260aa1a70ea222b9c3f07ba9adeccebf
humanhash: florida-lithium-tango-table
File name:260aa1a70ea222b9c3f07ba9adeccebf.exe
Download: download sample
Signature Stop
Create hunting rule
File size:839'168 bytes
First seen:2021-05-05 10:00:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7f77eacdc1c752fb1a609412b79e56b7 (1 x Stop, 1 x ArkeiStealer, 1 x DanaBot)
ssdeep 12288:YcnUmfdtmPpOqdaNDjQ2BZ3I2t2LLTKRq69RWbUbTCXr+AWxzYwhJ6byPIROHN:kmFtmONvHt4WjkCCb+XxzYwhSyARIN
Threatray 55 similar samples on MalwareBazaar
TLSH F805F130AA80C035F5FBA5F84AB9837CE93C7AA05B2450CB62E516FE52275E59F31347
Reporter abuse_ch
Tags:exe Stop


Avatar
abuse_ch
Stop C2:
http://jfus.top/nddddhsspen6/get.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://jfus.top/nddddhsspen6/get.php https://threatfox.abuse.ch/ioc/29201/

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/150240/
Detection(s):
SecuriteInfo.com.Malware.PDB-11.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Sending an HTTP GET request
Creating a window
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ef335f3910936afe2ffdcaeff03ee06af59ab221b7106cac4724c954ad73913/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 10:01:14 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p3ztl44rbe3k7yx73sxp6a7oa2xvtkzcdnyqnsweojgjkswxhejq._file
Verdict:
malicious
Similar samples:
0e55e17532909ad5ad34eb4e35d791b27c6951dd15a8baba34c29ae572c884d0
Stop
2ae59af40109d186eb8999211e8ad933d2fffec609a2bdbd87a8aa4e9654a111
Stop
5fba5879d38cea0fd0f956b583c7b5ecd0105928d26315935d4f7a8f9797d885
Stop
712e9e9e2976782e38288d45a2d177f1dc3757c7610b4b9bae9e35be9f20b913
Stop
7c75df63bc40beca5ccf65db76c33539ee9f3468a4149e1a0c0bfd30949f4b4d
Stop
7c9bc6a878b6cb355bb2a5c70170aa48b1e8f369dd64ee47df3ac9ea9e213b02
Stop
9feb26b9550dbf46719374757468d95b6882c00fd3ca65a02e9edf2854e900a9
Stop
aa8c5d42026ac9a483f1984f762441d7f5805ef914819b473f9e15353995cc99
Stop
b055016e0d82c57b58cd126f26b4b8f4dae1441f0019bdaa42452e815f128944
Stop
e8bcd430d48c430ced6992340cbce21ffc1a4d8cc60e6255b76870d33a5ea6b9
Stop
+ 45 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar discovery evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210505-5wkgj5bpgn/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads local data of messenger clients
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Deletes Windows Defender Definitions
Djvu Ransomware
Vidar
Unpacked files
SH256 hash:
9b3dc949d6d3cce7f9dd94b51ba8d822ee345d0df2f90f8a6618684824e2b95b
MD5 hash:
a6fe56089c98ee5373b4cf22d4b16d74
SHA1 hash:
120c33917ab39703c4ada6789748c8eed157c164
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/a54128c6-ba2c-4df5-ba34-bdcba0faa248/
Parent samples :
7ef335f3910936afe2ffdcaeff03ee06af59ab221b7106cac4724c954ad73913
cba06b69cbe644420f5cfb726060d77d4abca93e1acb3815a465f1b00cf111e1
a2cc7061a035063d8ac5790c38bd123a632d43a1af2514dea36d0c5aaf66d200
31e991e037ef5ee29b3921a8ed21fe3c1284914efb88a12e8bdda2e094a41b18
feaac22107a4c4e6cdcf35878a1296fca8dc6efc970c0ba98b1cf93b80e063aa
3763170476b8a4c3cb592cbea6c4471ba2ea2463db9f7839fda502ef0a06b092
1ed1b4315c2525253918400777d7622581d7f8c161101e918999bd9d8c99be85
8d9062b1794c331d8a460427f88ce18b0a8b79204fdae3eb5c144aaacb791c55
c422dca376d729a0c4a92257bba7fd8bd5c46b236746edf45b0e1f6331bd7e9d
2518104c566d86c2a2876c2c030a1c54f300726d8a15b39e67d10725f7a51110
4db37a46432a8cf387a6ba70d689db2675c3a6f5294fe5ff7db3d785f068671f
c5ed16a495c5efbbf19918adfe4a954decc118b18691f38741d12d4f465948a5
8f9f63245c270e8442f15043c540d52aee08f4b3532d8df265d5244dc5644ce8
8f4d8aa16d1bfe09808ce2c6b24c3ad550bc41643bc5624a9506c66873c172a8
2fb3d980507741c8bbe5ddaa3ccee423d774bb9ec2f1c21c74b2eef05a5c62c1
d9aa00965d02283e49858296e530b1c730d7a427c36970f4d8d36d2f5e78d0ce
e0fffaaa25dc5ace2bf9e00b3787ebb45299f98fc8d4dbe6aad888c03e6164aa
fe2ff75d50ee83ff92a927eb120cd0f5997df50f204d47919e4b7ad3a909ed69
50164e878b632fdf08b4f0de2060872ede8970238cbcfc55e32bfc1f81dfb4e2
44d267b517f8af6f68f9548528ccfe6f532e6f18ac6f4ba32c4363afd29d59f8
4191eab7dce6ae84489c20d6ac93d123e42bf0019060847cf76e7be00139eb1c
869bd0ca39150a6e0f87609ca7e927211ba9cf636b69c33c3cd09db85922dd94
c97b731d2d70f964dbe2775fcf0fd7cf0d7ff68a0fdb31c3038a9c97ca4da6b4
6e8dafc9ac2e48e6b42dd15ce4c49d0dc0a83e6ca93fafeec8b87244ec05dea0
ec6a8a30d1d66e885ef75aaf70786fb1c05ccb1ae252c918a62a882a3babf591
f896070688915d517ec78e784f370089c15b012806dd3a3d33557e2bc3d44e2c
4176503a6e226f3ee78f38f37bd7fd9cb38e834def41ce5395a0fde5a4acfb7b
badb76b10b7d736402cc13fcd7330d29afc485da7b54c3372a78d5c98114c93f
09d2850085ff6cbe46fb427311af739e0628572289ceb4c3180ee50682070b98
27ac1959b9c2137b608a59a1cdfbad3d398941c92f590a1d92a9fbe004d27ef9
2edaa364594d0abb1ed74bf9ef76616c483c7cb77482c1189730f2da8cb3084e
17d78ceccf9fd168bf7e1d92260e5369bbd058639587ab92ea78763aafe0e5ee
2b7bdd0b8bde43d8e9d9a32352a408c5028e2a39c694be064a6ed18d0aa830e7
81fb516d3efaf5c684ef50221e3f4bfb084b0d718d59bac7f6bbe8ea4c632f27
b17ca3bc83d7293660a4ede593c2147ee8b4a982cfdef50868e4157c0548e891
cb69509065e372794a18a74fa502f7bca8fa6e4be5a0fdb09c4c13dcceb364b6
f93b5dd205a567ba3445a361220e4da8a8652a9ef3f06a14d0e33f71bee0ee52
75c3a83073d9b15d4f47308b5d688f1ec07422419e3bd54e78f6ef8683d42e5c
06db31be7914d281c35acd803c526fc82e474aa2dc340806b76ee4ab0be240bd
924c25e503792d12b9c161919878e29f47c1acce08cc4c03976bbc0e60ce181e
f0cda71528dfdf5b3fbc8af58a61aef5f9d6432c0359ab8d9df62209e6ce6d01
b9aaf852417503d7ff055b60e91d326743e7f0e225d51ba63b726e137aa64810
6751f6f222501da88e6c56d558b2032906130558fc993e184ff173850f2b6154
6a67b3b72238ab1e9ede09686b226413829c7a48a858845f09e8abd0dd094823
4fc4936de4eb693ec57ae17e722c1c68e46afbc0c82f3c45d254c39571008f8b
101648667ad547177c6a6bfd210af66397cd0a7e0ec3e4b2b98ecfe5963a293c
SH256 hash:
7ef335f3910936afe2ffdcaeff03ee06af59ab221b7106cac4724c954ad73913
MD5 hash:
260aa1a70ea222b9c3f07ba9adeccebf
SHA1 hash:
018b779e492947098b43a808cd66c85f67a99ea9
Link:
https://www.unpac.me/results/a54128c6-ba2c-4df5-ba34-bdcba0faa248/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

Executable exe 7ef335f3910936afe2ffdcaeff03ee06af59ab221b7106cac4724c954ad73913

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1195796/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/150240/

Comments