MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fb707b6080c884faf366ba8e885c37e68ada8cd96bbc4897a7df0ab00c17270. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 15


Intelligence 15 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fb707b6080c884faf366ba8e885c37e68ada8cd96bbc4897a7df0ab00c17270
SHA3-384 hash: 170b85aea7910fe8bbb2f8997cc741165f837959d6a5af2b466232f1e78929ec3e3313741b7e36f1a770086cac3bdf65
SHA1 hash: a80015c29c9455b897feb8e88e2d086fb99a81d3
MD5 hash: ab5052012a4ff9313bfa1d7bfe9dec76
humanhash: robert-mike-saturn-november
File name:1887D44BD913B81D9943F4B5637E01B057D20D757B23CD6EA3DA239827A9CD95.exe
Download: download sample
Signature Stop
Create hunting rule
File size:848'896 bytes
First seen:2024-07-24 11:41:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e3a468e33131e43ff6cb0ed3ba60251f (2 x DanaBot, 2 x Stop, 1 x Gozi)
ssdeep 12288:4jlKZpqVz+tyrG3SxSGJp0hp/IY/qaW/mQSOqlX+dti+J9uVOuoNZlDqc0Y/I+wJ:moIzwYVxz5Y/R4mQS5uDJcVqTNg+
Threatray 1'579 similar samples on MalwareBazaar
TLSH T18805F100B780D039E0B716F8497553B9A62E7DE1AB6560CB22D97BEE57346E0FC3121B
TrID 37.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
20.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.5% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 25ac1378319b9b91 (29 x Amadey, 24 x Smoke Loader, 14 x RedLineStealer)
Reporter Anonymous
Tags:exe Stop


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Virus.Wapomi-9802127-0
Create hunting rule

Win.Dropper.Generickdz-9939781-0
Create hunting rule

Win.Packed.Dropperx-9943955-0
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a0e88f6f74caeb2f89b3ea
Tags:
Execution Generic Infostealer Network Ransomware Static Stealth Stop
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Sending an HTTP GET request to an infection source
Unauthorized injection to a recently created process
Restart of the analyzed sample
Sending a TCP request to an infection source
Modifying an executable file
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Сreating synchronization primitives
Deleting a recently created file
Query of malicious DNS domain
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Infecting executable files
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint lolbin microsoft_visual_cc packed shell32
Link:
https://www.filescan.io/uploads/66a0e88f2d20df2572998619/reports/367eda3c-1154-4d59-9018-64b223651c5c/overview
Verdict:
Malicious
Labled as:
Wapomi.BA virus
Link:
https://www.hybrid-analysis.com/sample/7fb707b6080c884faf366ba8e885c37e68ada8cd96bbc4897a7df0ab00c17270
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd33abee-0acb-4d8e-9646-a8e974c3fdf4
Result
Threat name:
Babuk, Bdaejec, Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1479992
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Bdaejec
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1479992 Sample: 1887D44BD913B81D9943F4B5637... Startdate: 24/07/2024 Architecture: WINDOWS Score: 100 68 zerit.top 2->68 70 fuyt.org 2->70 72 4 other IPs or domains 2->72 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Antivirus detection for URL or domain 2->86 88 14 other signatures 2->88 9 1887D44BD913B81D9943F4B5637E01B057D20D757B23CD6EA3DA239827A9CD95.exe 1 2->9         started        13 1887D44BD913B81D9943F4B5637E01B057D20D757B23CD6EA3DA239827A9CD95.exe 2->13         started        15 1887D44BD913B81D9943F4B5637E01B057D20D757B23CD6EA3DA239827A9CD95.exe 2->15         started        17 rundll32.exe 2->17         started        signatures3 process4 file5 58 C:\Users\user\AppData\Local\Temp\FlErwU.exe, PE32 9->58 dropped 96 Detected unpacking (changes PE section rights) 9->96 98 Detected unpacking (overwrites its own PE header) 9->98 100 Writes a notice file (html or txt) to demand a ransom 9->100 110 3 other signatures 9->110 19 1887D44BD913B81D9943F4B5637E01B057D20D757B23CD6EA3DA239827A9CD95.exe 1 16 9->19         started        23 FlErwU.exe 14 9->23         started        102 Antivirus detection for dropped file 13->102 104 Multi AV Scanner detection for dropped file 13->104 106 Machine Learning detection for dropped file 13->106 26 1887D44BD913B81D9943F4B5637E01B057D20D757B23CD6EA3DA239827A9CD95.exe 13->26         started        108 Injects a PE file into a foreign processes 15->108 28 FlErwU.exe 15->28         started        30 1887D44BD913B81D9943F4B5637E01B057D20D757B23CD6EA3DA239827A9CD95.exe 15->30         started        signatures6 process7 dnsIp8 74 api.2ip.ua 188.114.96.3, 443, 49711, 49713 CLOUDFLARENETUS European Union 19->74 48 1887D44BD913B81D99...3DA239827A9CD95.exe, PE32 19->48 dropped 50 1887D44BD913B81D99...exe:Zone.Identifier, ASCII 19->50 dropped 32 1887D44BD913B81D9943F4B5637E01B057D20D757B23CD6EA3DA239827A9CD95.exe 19->32         started        35 icacls.exe 19->35         started        76 ddos.dnsnb8.net 44.221.84.105, 49710, 49712, 49723 AMAZON-AESUS United States 23->76 52 C:\Program Files\7-Zip\Uninstall.exe, PE32 23->52 dropped 54 C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32 23->54 dropped 56 C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS 23->56 dropped 90 Multi AV Scanner detection for dropped file 23->90 92 Detected unpacking (changes PE section rights) 23->92 94 Infects executable files (exe, dll, sys, html) 23->94 37 WerFault.exe 22 16 23->37         started        39 cmd.exe 28->39         started        file9 signatures10 process11 signatures12 80 Injects a PE file into a foreign processes 32->80 41 1887D44BD913B81D9943F4B5637E01B057D20D757B23CD6EA3DA239827A9CD95.exe 19 32->41         started        46 conhost.exe 39->46         started        process13 dnsIp14 78 zerit.top 92.246.89.93, 49715, 49716, 49721 LIVECOMM-ASRespublikanskayastr3k6RU Russian Federation 41->78 60 CortanaUnifiedTile...che.dat.iiof (copy), DOS 41->60 dropped 62 C:\Users\...\CortanaUnifiedTileModelCache.dat, DOS 41->62 dropped 64 C:\_readme.txt, ASCII 41->64 dropped 66 119 other malicious files 41->66 dropped 112 Tries to harvest and steal browser information (history, passwords, etc) 41->112 114 Infects executable files (exe, dll, sys, html) 41->114 116 Modifies existing user documents (likely ransomware behavior) 41->116 file15 signatures16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7fb707b6080c884faf366ba8e885c37e68ada8cd96bbc4897a7df0ab00c17270
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7fb707b6080c884faf366ba8e885c37e68ada8cd96bbc4897a7df0ab00c17270/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 11:42:06 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p63qpnqibsee7lzwnouorbodpzuk3kgns254jcl2pxykwagbojya._file
Verdict:
malicious
Similar samples:
2831300675369e6ac5d928446186f83bedc4027fe6db617039e5b224258ed0b6
Stop
35ba91ddf0d41590d0de137bc1d6e5524d8a84ecfabdae793e6b3a499f2c67d4
Stop
6a455892dc6b808ff4f012010f20ad4bbf16b881b9c235d98c85565591289012
Stop
786bb21f95e657b07a7bfb151e4e0d0f27fe443ac855e467e9b7d3fa643c62ab
Stop
a0038a7651f4408728f4a8c7a2abe43b237fc9dc6645fa34e5c4d9c212658878
Stop
b299675e7e4654beadcaa2c38a96bf8324bbde96904ede17fdd88ebb7fdf2748
Stop
bf771de1c2a064ca7acf4cecbeeb6a4f23895befc680a76747f8a7c7c7c3d80c
Stop
df4cf6f6be06bfd7eaf23bffc9c16639573228bc72fd6262352a242b5bdf2080
Stop
+ 1'569 additional samples on MalwareBazaar
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu aspackv2 discovery persistence ransomware
Link:
https://tria.ge/reports/240724-nt2ersvaqj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://fuyt.org/test1/get.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e6fd8f01-9b8b-40e9-b58f-8e2f3eca6c68
Unpacked files
SH256 hash:
c2bd9d2d4b74119e6326432cff11b66967ad03dd16cf8489872104c6673c4458
MD5 hash:
06718f08b9c144f804038889eb3275db
SHA1 hash:
c47188bd4f0c94a58a2ef2ced234108689ad368b
Detections:
djvu_ransomware
Create hunting rule
win_stop_auto
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/2fba8f12-0fbe-4ecf-ac36-3378ab1340cb/
Parent samples :
5a0edc9a74176c2fc135bcc85ff57459c17afee6245380b54e1c1ce6f0a0c0d1
8e59e609d766b97d507b0bc9947d0a4b45431a3e3a2f3ade98a14a51cfb96fd0
1887d44bd913b81d9943f4b5637e01b057d20d757b23cd6ea3da239827a9cd95
7fb707b6080c884faf366ba8e885c37e68ada8cd96bbc4897a7df0ab00c17270
232d25948db02a80f05a71382a8fda0000fb08df82778f30322d5844ce7d167b
SH256 hash:
5d9cdd79e1c44d243c41190520ce7400dc2ac1ba360ca2a67d7cdabb46e1f583
MD5 hash:
42cf8fdf0527bdcf9e49b5d0e21b145f
SHA1 hash:
2a4ee54c273c43ecc0b681a81cc355ec5980ce38
Detections:
win_unidentified_045_auto
Create hunting rule
win_unidentified_045_g0
Create hunting rule
Link:
https://www.unpac.me/results/2fba8f12-0fbe-4ecf-ac36-3378ab1340cb/
SH256 hash:
7fb707b6080c884faf366ba8e885c37e68ada8cd96bbc4897a7df0ab00c17270
MD5 hash:
ab5052012a4ff9313bfa1d7bfe9dec76
SHA1 hash:
a80015c29c9455b897feb8e88e2d086fb99a81d3
Link:
https://www.unpac.me/results/2fba8f12-0fbe-4ecf-ac36-3378ab1340cb/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Debugger
Create hunting rule
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Stop

Executable exe 7fb707b6080c884faf366ba8e885c37e68ada8cd96bbc4897a7df0ab00c17270

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::SetProcessShutdownParameters
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindFirstVolumeA
KERNEL32.dll::FindNextVolumeMountPointA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::CreateConsoleScreenBuffer
KERNEL32.dll::FillConsoleOutputCharacterW
KERNEL32.dll::WriteConsoleInputA
KERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleOutputCharacterW
KERNEL32.dll::WriteConsoleW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExA
KERNEL32.dll::CopyFileA
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileW

Comments