MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 804b9c87f98a32101b51f26c221e589bc80350b69c163abfab2de64f7e9b3e72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 804b9c87f98a32101b51f26c221e589bc80350b69c163abfab2de64f7e9b3e72
SHA3-384 hash: 6d4a4e4d4363a37a168f4c19399cd304c3bcbca27c7e2833e9690d29f5e731008c84bebefb055ff6aa72d2ab1e2f18a4
SHA1 hash: bd21cfaad543e6f593218b32a6207d7ea96b0062
MD5 hash: 133c316394311ae70d18116165d1e719
humanhash: maine-comet-carpet-massachusetts
File name:133c316394311ae70d18116165d1e719.exe
Download: download sample
Signature Stop
Create hunting rule
File size:750'592 bytes
First seen:2021-07-17 09:47:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 97bf1f0575aad20ea6d291ede0d6d0ff (1 x CryptBot, 1 x Stop)
ssdeep 12288:oXGqZgAwKZhnMnbRuvpldkqQWzW69r4a24thzFvi+kVosRDNikz1ibj+AQOXV:oXGdAwKZhnMn90Y2qW924t1FviZVtR0t
Threatray 368 similar samples on MalwareBazaar
TLSH T157F4122072B1E123D5E24970DD788AB02B3BBC626D74B58E72873B0F1D721CA7569393
Reporter abuse_ch
Tags:exe Stop

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
133c316394311ae70d18116165d1e719.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-17 09:50:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/996ef5f1-b55e-4ecf-b62f-27a5d33d4279

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172327/
Detection(s):
Win.Malware.Generic-9879218-0
Create hunting rule

Win.Malware.Generic-9879225-0
Create hunting rule

Win.Malware.Generic-9879270-0
Create hunting rule

Win.Malware.Filerepmalware-9879273-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a7303d9-56c3-49ff-802d-673ba12f386b
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817798
Signature
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Anomaly
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 450209 Sample: UH1umwogqD.exe Startdate: 17/07/2021 Architecture: WINDOWS Score: 100 49 clientconfig.passport.net 2->49 57 Multi AV Scanner detection for domain / URL 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Found ransom note / readme 2->61 63 3 other signatures 2->63 9 UH1umwogqD.exe 2->9         started        12 UH1umwogqD.exe 2->12         started        14 UH1umwogqD.exe 2->14         started        16 UH1umwogqD.exe 2->16         started        signatures3 process4 signatures5 67 Multi AV Scanner detection for dropped file 9->67 69 Detected unpacking (changes PE section rights) 9->69 71 Detected unpacking (overwrites its own PE header) 9->71 73 Machine Learning detection for dropped file 9->73 18 UH1umwogqD.exe 1 19 9->18         started        75 Contains functionality to inject code into remote processes 12->75 77 Injects a PE file into a foreign processes 12->77 23 UH1umwogqD.exe 1 18 12->23         started        25 UH1umwogqD.exe 13 14->25         started        27 UH1umwogqD.exe 13 16->27         started        process6 dnsIp7 51 astdg.top 202.21.110.213, 49744, 80 MOBINET-AS-MNMobinetLLCASMobinetInternetServiceProvi Mongolia 18->51 37 C:\_readme.txt, ASCII 18->37 dropped 39 C:\Users\user\Desktop\...\ZTGJILHXQB.docx, data 18->39 dropped 41 C:\Users\user\Desktop\...41EBFQQYWPS.png, data 18->41 dropped 47 3 other files (2 malicious) 18->47 dropped 65 Modifies existing user documents (likely ransomware behavior) 18->65 53 api.2ip.ua 77.123.139.190, 443, 49733, 49738 VOLIA-ASUA Ukraine 23->53 43 C:\Users\user\AppData\...\UH1umwogqD.exe, PE32 23->43 dropped 45 C:\Users\...\UH1umwogqD.exe:Zone.Identifier, ASCII 23->45 dropped 29 UH1umwogqD.exe 23->29         started        32 icacls.exe 23->32         started        file8 signatures9 process10 signatures11 79 Injects a PE file into a foreign processes 29->79 34 UH1umwogqD.exe 13 29->34         started        process12 dnsIp13 55 api.2ip.ua 34->55
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/804b9c87f98a32101b51f26c221e589bc80350b69c163abfab2de64f7e9b3e72/
Threat name:
Win32.Trojan.Hynamer
Create hunting rule
Status:
Malicious
First seen:
2021-07-17 04:44:47 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
26967c1b5ff6848501ddf70985408b7736835286f788f663e086f34aecd6bfb1
Stop
6ed8e078433a7e7938f2084f83a640d707708ac99a246b31736bd22327664668
Stop
7c75df63bc40beca5ccf65db76c33539ee9f3468a4149e1a0c0bfd30949f4b4d
Stop
99ee06f5fb4f0aa90678d6a6405d2d01138bcd128c6d2aabecda07c110361ba2
Stop
a3c074948f5e3d2b89f0035bbf7bd74b1a3ec0525dc1496b4463f55ef15f3521
Stop
b055016e0d82c57b58cd126f26b4b8f4dae1441f0019bdaa42452e815f128944
Stop
ca7f21ad4f9b5ca208d0a43b76edc7bbb9c698289cb4fc718c884681c5dcf10f
Stop
d0da8d292459d68df7dbbd65379e80e970b79f93307f05aca7b95e967ad86d52
Stop
ed8a7ffec56f450a365e758012db092883bbd23565f3f9fbb004c189fb703de3
Stop
f8b60e554ed303e2debe7422bb363dcc33ace171d02388bce2e8ab5ce5364f5d
Stop
+ 358 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:517 discovery persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210717-k1q13l63re/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies extensions of user files
Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://sslamlssa1.tumblr.com/
Unpacked files
SH256 hash:
f92ed70cc7dcba2962efbaecd758ccaadf606cb5d3f3211463cc0c1344e23184
MD5 hash:
1934f29c43141ddac6f2e6172eba4c9d
SHA1 hash:
59b58631c99b68a32168d0504625937169113c30
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/ecec26db-90a9-4417-95fd-cc953385d383/
Parent samples :
26967c1b5ff6848501ddf70985408b7736835286f788f663e086f34aecd6bfb1
eaffdf51b17ef1b7b7bf01ab6e8c2dce61a3dbd875b368e06a6d3b95e100c6f1
bcba5928ffde896ba6925acda9a28f9236c5f11cf0e412d9f7e33b9fc8a69809
68cabd7315ca0809dd91aaecd6ff16e06a4859055f46d105a15dcb3b4a0e4737
804b9c87f98a32101b51f26c221e589bc80350b69c163abfab2de64f7e9b3e72
e1aeb366d8c9064c8ab7ae46c41146a6990f84cd22c895c8ac4e3f4894d36552
4315d3d65c9e358666612573a25b54365c68fa3779dedcfb8bb6b58a76a0bdc7
942263c89534d74459991db826caf2e9a187c074730f5c4f0f83f8c91e980e38
cda712d2d4c887e23f50f43223c218980731520b9111410cdffed78d32cabd98
83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3
350ba023b14fb9b5a4068621cbde35492b8b0aa74048a5d5ed2a6028113efc00
65de8f856c797623ad2fd66f9e1dcce4a74b969334964b535cc0176eb588af95
SH256 hash:
804b9c87f98a32101b51f26c221e589bc80350b69c163abfab2de64f7e9b3e72
MD5 hash:
133c316394311ae70d18116165d1e719
SHA1 hash:
bd21cfaad543e6f593218b32a6207d7ea96b0062
Link:
https://www.unpac.me/results/ecec26db-90a9-4417-95fd-cc953385d383/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/804b9c87f98a32101b51f26c221e589bc80350b69c163abfab2de64f7e9b3e72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

Executable exe 804b9c87f98a32101b51f26c221e589bc80350b69c163abfab2de64f7e9b3e72

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1423741/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172327/

Comments