MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81fb516d3efaf5c684ef50221e3f4bfb084b0d718d59bac7f6bbe8ea4c632f27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vendor detections: 11

SHA256 hash: 81fb516d3efaf5c684ef50221e3f4bfb084b0d718d59bac7f6bbe8ea4c632f27
SHA3-384 hash: 44c511aa29c4dce15c2bd7e91e99e6b09507bd8412061e02269527c212bc4c29d1812ea6f4a13dd009b78b56231681de
SHA1 hash: 95da658589e8447a1a06908abb3def7d10c3901e
MD5 hash: c9521c0437497e7b7af255429a93c8b2
humanhash: pluto-mexico-music-item
File name: 5.exe
Signature: Stop
File size: 890'880 bytes
First seen: 2021-05-06 10:58:42 UTC
Last seen: 2021-05-06 12:02:59 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ef8bfa67cab8f52c3f5ca31f772f6178 (4 x Stop, 1 x RaccoonStealer)
ssdeep: 24576:bhPfM0uupZYB58aJ31X2NC/eAGbfRxRzyP:dP00uQYblJlXFWRbp7z6
Threatray: 87 similar samples on MalwareBazaar
TLSH: 981512A5F671CA4AFD1301743C5298E1CD073B97EB9404FE248CBA5BEA65018316FF6A
Reporter: starsSk87264403
Tags: Stop
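The MD5, SHA1, SHA256 and SHA3-384 values above are the file-hash IOCs for this sample. The following is an added example, not code from MalwareBazaar or abuse.ch: it sweeps a directory tree and reports any file whose digest equals one of those four hashes, computing all four digests in a single streaming pass per file. The only real data in it are the hash values copied from the entry; the demo directory and its decoy file are constructed here so the script runs offline.

```python
"""Added example (not MalwareBazaar/abuse.ch code): sweep a directory for files
matching the hash IOCs of sample 5.exe listed in the entry above."""
import hashlib
import os
import tempfile
from pathlib import Path

# Hash values copied from the MalwareBazaar entry above.
IOCS = {
    "sha256": "81fb516d3efaf5c684ef50221e3f4bfb084b0d718d59bac7f6bbe8ea4c632f27",
    "sha1": "95da658589e8447a1a06908abb3def7d10c3901e",
    "md5": "c9521c0437497e7b7af255429a93c8b2",
    "sha3_384": "44c511aa29c4dce15c2bd7e91e99e6b09507bd8412061e02269527c212bc4c29d1812ea6f4a13dd009b78b56231681de",
}


def multi_hash(path, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for every IOC algorithm, reading the file
    once in chunks so large binaries are not loaded into memory."""
    hashers = {name: hashlib.new(name) for name in IOCS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(root, iocs=IOCS):
    """Walk `root` and return [(path, [matching algorithms])] for every file
    whose digest equals an IOC value. Comparison is on lower-cased hex, so
    upper-case IOC feeds still match."""
    wanted = {algo: value.lower() for algo, value in iocs.items()}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digests = multi_hash(p)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            matched = sorted(a for a, d in digests.items()
                             if a in wanted and d == wanted[a])
            if matched:
                hits.append((str(p), matched))
    return hits


def make_demo_dir():
    """Constructed fixture: a temp directory holding one harmless decoy file
    (contents b"abc", not malware). Returns (root, decoy_path)."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    decoy = Path(root) / "decoy.bin"
    decoy.write_bytes(b"abc")
    return root, str(decoy)


if __name__ == "__main__":
    root, decoy = make_demo_dir()
    print("real IOCs:", sweep(root))                     # [] - the decoy is not 5.exe
    print("self-test:", sweep(root, multi_hash(decoy)))  # decoy matches its own digests
```

Matching on the full set of algorithms rather than MD5 alone matters here: MD5 and SHA1 collisions are practical, so a sweep that reports which algorithms matched lets an analyst distinguish a genuine hit (all four agree) from a collision or a typo in the feed.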

Intelligence

File Origin
Uploads: 2
Downloads: 134
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 5.exe
Verdict: Malicious activity
Analysis date: 2021-05-06 10:59:03 UTC
Tags: installer trojan ransomware stop stealer vidar loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Behaviour
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Sending an HTTP GET request
Creating a window
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Djvu Vidar
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
PE file has a writeable .text section
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 405820; sample 5.exe; start date 06/05/2021; architecture WINDOWS; score 100). Information recoverable from the rendered graph:
Network: contacts to jfus.top, api.faceit.com and api.2ip.ua; api.2ip.ua resolved to 77.123.139.190 (VOLIA-ASUA, Ukraine), reached on port 443 from local ports 49720 and 49735 by the first 5.exe instance.
Process tree: three 5.exe instances started. The first dropped a PE32 copy at C:\Users\user\AppData\Local\...\5.exe together with a 5.exe:Zone.Identifier alternate data stream (ASCII), triggered "Detected unpacking (changes PE section rights)" and "Detected unpacking (overwrites its own PE header)", and spawned three WerFault.exe instances plus 5 other processes. The second instance triggered "Antivirus detection for dropped file", "Multi AV Scanner detection for dropped file" and "Machine Learning detection for dropped file" and spawned WerFault.exe; the third also spawned WerFault.exe.
Files: each WerFault.exe instance wrote a crash report to C:\ProgramData\Microsoft\...\Report.wer (little-endian), nine reports in total.
Signatures on the root node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Antivirus / Scanner detection for submitted sample, Yara detected Vidar stealer, and 3 other signatures.
Threat name: Win32.Backdoor.Convagent
Status: Malicious
First seen: 2021-05-06 10:59:08 UTC
File Type: PE (Exe)
Extracted files: 65
AV detection: 32 of 47 (68.09%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Looks up external IP address via web service
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: 9b3dc949d6d3cce7f9dd94b51ba8d822ee345d0df2f90f8a6618684824e2b95b
MD5 hash: a6fe56089c98ee5373b4cf22d4b16d74
SHA1 hash: 120c33917ab39703c4ada6789748c8eed157c164
Detections: win_stop_auto
Parent samples:
SHA256 hash: 81fb516d3efaf5c684ef50221e3f4bfb084b0d718d59bac7f6bbe8ea4c632f27
MD5 hash: c9521c0437497e7b7af255429a93c8b2
SHA1 hash: 95da658589e8447a1a06908abb3def7d10c3901e
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_STOP
Author: ditekSHen
Description: Detects STOP ransomware

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
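SUSP_XORed_URL_in_EXE looks for a URL scheme hidden behind a single-byte XOR, the same search YARA's `xor` string modifier performs. The script below is an added example, not the rule's own code or anything from the MalwareBazaar page: it brute-forces every key 0x01..0xff over a byte buffer and reports the offset, key and decoded URL wherever "http://" or "https://" emerges. The input blob is constructed in the script (a fake MZ header, a plaintext decoy URL and one hidden URL on example.invalid); it is not derived from the 5.exe sample.

```python
"""Added example (not the rule author's code): recover single-byte-XORed URLs
from an executable's bytes, the idea behind SUSP_XORed_URL_in_EXE."""
import re

# Scheme plus a run of URL-safe printable characters; the upper bound keeps a
# hit from swallowing unrelated bytes that happen to decode as printable.
URL_RE = re.compile(rb"https?://[A-Za-z0-9][A-Za-z0-9.\-_/:?=&%#~+]{3,199}")


def xor_translate(data: bytes, key: int) -> bytes:
    """XOR every byte with `key` via a 256-entry translation table, which runs
    in C rather than as a Python loop over each byte."""
    return data.translate(bytes(i ^ key for i in range(256)))


def find_xored_urls(data: bytes):
    """Return sorted (offset, key, url) tuples for URLs recoverable with a
    single-byte XOR key 0x01..0xff. Key 0x00 (plaintext) is excluded on
    purpose: plaintext URLs are common and are not what this rule is for."""
    hits = []
    for key in range(1, 256):
        decoded = xor_translate(data, key)
        for m in URL_RE.finditer(decoded):
            hits.append((m.start(), key, m.group().decode("ascii")))
    return sorted(hits)


def build_sample(url: bytes, key: int) -> bytes:
    """Constructed test blob (not real malware): a fake 64-byte MZ header, a
    plaintext decoy URL, then `url` XORed with `key`, then NOP padding."""
    header = b"MZ" + b"\x00" * 62
    decoy = b"http://example.invalid/plain "
    return header + decoy + xor_translate(url, key) + b"\x90" * 32


if __name__ == "__main__":
    blob = build_sample(b"https://example.invalid/c2/gate.php", 0x5A)
    for offset, key, url in find_xored_urls(blob):
        print(f"offset 0x{offset:04x} key 0x{key:02x}: {url}")
```

Because the hidden string only decodes correctly under its own key, a clean run reports exactly one hit per hidden URL and none for the plaintext decoy; on a real binary, expect occasional noise from packed or compressed regions, which is why the YARA rule is labelled SUSP (suspicious) rather than MALWARE.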
