MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8170e05d46e8e1b261870c11639faeb06c7dfb81388e76f7f8c17aea5d135a5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8170e05d46e8e1b261870c11639faeb06c7dfb81388e76f7f8c17aea5d135a5b
SHA3-384 hash: 2d23cc4dc382e15b738fba3358bcc35cb86a1a1cbe7a4399ac606007124a8ff05c1d0003d496b78797844dfc939c0472
SHA1 hash: 2dc58807272ed491b2594602ee09f55118435db7
MD5 hash: 295b3461275799ebd0a1fb6f55587aad
humanhash: pluto-bluebird-helium-undress
File name:8170e05d46e8e1b261870c11639faeb06c7dfb81388e76f7f8c17aea5d135a5b
Download: download sample
Signature Stop
Create hunting rule
File size:753'664 bytes
First seen:2021-09-14 06:37:13 UTC
Last seen:2021-09-14 08:09:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c90767c35dbcc528936a0ed1ce028de (4 x RedLineStealer, 3 x RaccoonStealer, 3 x Stop)
ssdeep 12288:WZTfkJHctRp5yZKi1Ni+HGDAV1n3In1Mqxl4TKCDhSxGt4VWqU41rTtSUQTiq0:W6J8twN1Ni+mm1nKfmK2SxGAfL1tSUQP
Threatray 637 similar samples on MalwareBazaar
TLSH T169F41222B5A1E072D8E66E7000708BB167B77D26A5648A477726377C3F343F14A2E35B
dhash icon a3bcdcac9c8cb4ac (1 x Stop, 1 x ArkeiStealer)
Reporter JAMESWT_WT
Tags:exe Stop

Intelligence

File Origin
# of uploads :
2
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8170e05d46e8e1b261870c11639faeb06c7dfb81388e76f7f8c17aea5d135a5b
Verdict:
Suspicious activity
Analysis date:
2021-09-14 07:09:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a3485af4-3e9e-471e-9804-a2ed1b4b629a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187676/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.14677.7780.17825.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61750adba9d585e6d5370c59/reports/a9642b46-4d10-47b6-a45d-6a9dea601d01/overview
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c7c97dc8-c359-4aea-9f41-4e5a87eacb3e
Result
Threat name:
Clipboard Hijacker Djvu Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850613
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 483043 Sample: lB2RFTpyni Startdate: 14/09/2021 Architecture: WINDOWS Score: 100 75 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->75 77 Antivirus detection for URL or domain 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 6 other signatures 2->81 10 lB2RFTpyni.exe 2->10         started        13 lB2RFTpyni.exe 2->13         started        process3 signatures4 91 Detected unpacking (changes PE section rights) 10->91 93 Detected unpacking (overwrites its own PE header) 10->93 95 Contains functionality to inject code into remote processes 10->95 97 Writes many files with high entropy 10->97 15 lB2RFTpyni.exe 1 16 10->15         started        99 Injects a PE file into a foreign processes 13->99 19 lB2RFTpyni.exe 12 13->19         started        process5 dnsIp6 73 api.2ip.ua 77.123.139.190, 443, 49738, 49739 VOLIA-ASUA Ukraine 15->73 43 C:\Users\...\lB2RFTpyni.exe:Zone.Identifier, ASCII 15->43 dropped 21 lB2RFTpyni.exe 15->21         started        24 icacls.exe 15->24         started        file7 process8 signatures9 83 Injects a PE file into a foreign processes 21->83 26 lB2RFTpyni.exe 1 24 21->26         started        process10 dnsIp11 67 securebiz.org 175.117.131.127, 49741, 80 SKB-ASSKBroadbandCoLtdKR Korea Republic of 26->67 69 tbpws.top 106.241.4.103, 49740, 49743, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 26->69 71 api.2ip.ua 26->71 55 BrowserMetrics-5F7...E1C.pma.wiot (copy), DOS 26->55 dropped 57 C:\Users\...\0.0.filtertrie.intermediate.txt, DOS 26->57 dropped 59 C__Windows_SystemA...he_Desktop_2[1].txt, DOS 26->59 dropped 61 353 other files (340 malicious) 26->61 dropped 101 Modifies existing user documents (likely ransomware behavior) 26->101 31 build2.exe 26->31         started        34 build3.exe 26->34         started        file12 signatures13 process14 signatures15 103 Detected unpacking (changes PE section rights) 31->103 105 Detected unpacking (overwrites its own PE header) 31->105 107 Machine Learning detection for dropped file 31->107 36 build2.exe 31->36         started        109 Uses schtasks.exe or at.exe to add and modify task schedules 34->109 111 Injects a PE file into a foreign processes 34->111 41 build3.exe 34->41         started        process16 dnsIp17 63 116.203.165.54, 49749, 80 HETZNER-ASDE Germany 36->63 65 dimonbk83.tumblr.com 74.114.154.22, 443, 49748 AUTOMATTICUS Canada 36->65 45 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 36->45 dropped 47 C:\Users\user\AppData\...\freebl3[1].dll, PE32 36->47 dropped 49 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 36->49 dropped 53 9 other files (none is malicious) 36->53 dropped 85 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 36->85 87 Tries to harvest and steal browser information (history, passwords, etc) 36->87 89 Tries to steal Crypto Currency Wallets 36->89 51 C:\Users\user\AppData\Roaming\...\mstsca.exe, PE32 41->51 dropped file18 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8170e05d46e8e1b261870c11639faeb06c7dfb81388e76f7f8c17aea5d135a5b/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 14:50:52 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
29 of 45 (64.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qfyoaxkg5dq3eymhbqiwhh5owbwh364bhchhn57yyf5ouxitljnq._file
Verdict:
malicious
Similar samples:
0c1571e0f22ecc1c3ed2b80ee90df329d820e287ac0be834aa905726ea96887e
Stop
5651c726a433d942eb9cdbe74c6631178fa3e243e0953e0a55f54f1752e05682
Stop
5d232ce70bfdc3344ad9c117da898e5d72ea5a5ff0704933735abb186714c9f4
Stop
adc2c80f4a9f969a641f2674c94bd576420b34d338b12ba5b4cab09e6c51a466
Stop
dc6f024b81983ce22d883ccc346b3888d984e360196b3e472c1cce3f79b70fa0
Stop
fd9842238da90428e16ae7954f2ad0f2bda6cfed2bde5f8383a546f7b257f350
Stop
+ 627 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar botnet:517 discovery persistence ransomware spyware stealer suricata
Link:
https://tria.ge/reports/210914-hd24gaabdl/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Detected Djvu ransomware
Djvu Ransomware
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Malware Config
C2 Extraction:
https://gheorghip.tumblr.com/
Unpacked files
SH256 hash:
a63762084ef112b002f0dbcbb324e12aae0cd43b854ff62f6b41e16aae56c4a1
MD5 hash:
529f4a3c06afc6a2ad0de95c69f9f779
SHA1 hash:
e054c663a3cee9b7f136fa1756ff6e294da6f4bb
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/efdbfb48-340d-4800-b8e1-ada0f7f15e02/
Parent samples :
0b997d3d00ae436ba3826875fe1be1677cbdd7d57514a61344c1a36690696a43
0eb5ef5f274b388cb80999b93f192b6842ef0e6efb705c150934c38542baebd6
d7d0b6dfc8cb990d781d5e08eed888ed739c055949a43ba3491e090fc948505b
7937026664caf538e91af9f7fd4a821ec0ed441e1ab0d309274fa3de7649f2d3
13b58ca7069be911b9da14d853d3bb2ae88a0b3a09f9c730588d5e7e97eded53
510c4a055a75958718026d211543fad83f92d5df820e23b160d5a1b3210dac8f
76930f4dc516570491aaf144c1937bb3c35238ed5af78a0d31dd645d4fabb0ff
f3a4459b98919ba055a2c9437d092d18c889d5a1bbaea31a2cbe5ac250bc600a
a5affec055f99fd10e30746c2ec70dc9d99b8e9c740b6f9e14d56972fe5a56e6
03852e30ab9c4e38366f634c4db92874716d98af406827bf08f3840571dda9b3
2165b8ef60238fe77115134616c526ba309d3d7dc3bec76ecfa3385d8a293246
8170e05d46e8e1b261870c11639faeb06c7dfb81388e76f7f8c17aea5d135a5b
b45cbf2e959f4712e3bc2c20409d76af50440da980e16edac9c99d6de8271c6e
c7a0c3037dd774dc0036ff06cf41ffc139271a13438efac4545b777558430532
602b02381887a5bc8683284e03c29226c55406689389c00bdab9a080028ef4f0
0b651db2a463fa6fba6327d2a6d8e90281525ee24c42a59332846c23b805aec3
d7339f167796f39f54ed7c31aa5e31673a63050e52e0491f2b62db569e0af165
5c0fb4c8665f2fd33d83edde4809cf0203ce3fc1f4d53d62db5db8d7b843b01b
c78ce80498caf92b71e9135974e4b7a0b75a91600588e3f865a96e020926d9c4
5918c48c13824de78dd03662d6bce3f3aa8a2bf834c77dad38e81627fbec61a2
85e5e1bc250dd0718e877a04b84b7688f4717363814ac9708b7ea2abcc37b76c
d3de307ed78a6067914803abcc409e87186827d0ecfb2737587e993376b6849c
6d35913d505c88664a82cdebc152ff7946052d4e53a8a3e91822e6471c2dd1ae
a900139492d599c18bc8c54abac1b846aba0d0aa11ec9e1fb70b322089996921
3c998eb7608baa12de1d875b9e37d1ad590d9c541f638a3a5e5c42e172c20bfc
b745b1a05ea601deb736ca97b135132cab7fe3c50670e6b1f7837a0fe79689c8
2078b64d057d683b0ad4aef79ee66f181901bc54331920426b3f724b8c11aa11
b2cfd5cd948b40e9152e4dd8abe0aa346ba030afae6974b1cb598be87bafe2a8
cdb3a68fbec8030f92b0d4da8b1c0bab77a96bb351d71fae4ed69ba17383b96a
015e62c016d4371efd1e5de2a7b2b0b1b1b895eea55430efc43f8bbbae85ed0f
8f94c9b6164e8bf02fb45724774a96a53aae6f1f9b341a80ba8f6bf63ba52dfa
ccaaa623e3091c4183a5550b58df11c9492b451b0e602c7e4fd3fd49c95645c8
SH256 hash:
8170e05d46e8e1b261870c11639faeb06c7dfb81388e76f7f8c17aea5d135a5b
MD5 hash:
295b3461275799ebd0a1fb6f55587aad
SHA1 hash:
2dc58807272ed491b2594602ee09f55118435db7
Link:
https://www.unpac.me/results/efdbfb48-340d-4800-b8e1-ada0f7f15e02/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8170e05d46e8e1b261870c11639faeb06c7dfb81388e76f7f8c17aea5d135a5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187676/

Comments