MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8292948dc01246cbe55ab7c75f6a70da2fd0ebf065960e9249b48160f0363b7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8292948dc01246cbe55ab7c75f6a70da2fd0ebf065960e9249b48160f0363b7a
SHA3-384 hash: 0b1db5402e086a362d70ca4ea720a095ce13f9869ee95aca2505493e3507f0716ff0a6fd17e28ced3b987edcdb232129
SHA1 hash: 2b3deb38584b3d2176c33924f83d8dd7831e20f8
MD5 hash: c15f4817cacb70c2d5be5c54b1fa2855
humanhash: green-friend-minnesota-nine
File name:c15f4817cacb70c2d5be5c54b1fa2855.exe
Download: download sample
Signature Stop
Create hunting rule
File size:872'960 bytes
First seen:2021-12-29 03:20:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 95d45e77143988fbcae4ec8ca9a8169e (4 x ArkeiStealer, 4 x RedLineStealer, 2 x RaccoonStealer)
ssdeep 12288:+QDvUlJbboUv8FuNfVBD9RKT2eHFw1rfQgcg70L:iJnoqMUdBGT2eWVTcAw
Threatray 818 similar samples on MalwareBazaar
TLSH T10605231C3FA1D03AC88B0AF219E6CB956D2F76117D33C74BAF5C2B9B7E61194495A302
File icon (PE):PE icon
dhash icon 480c1c4c4f594b14 (172 x Smoke Loader, 134 x RedLineStealer, 98 x Amadey)
Reporter abuse_ch
Tags:exe Stop


Avatar
abuse_ch
Stop C2:
http://116.202.188.27/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://116.202.188.27/ https://threatfox.abuse.ch/ioc/287975/

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c15f4817cacb70c2d5be5c54b1fa2855.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-29 03:23:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/333bb07b-8c6f-49f1-bcfb-9cc29262bc61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/216760/
Detection(s):
Win.Packed.Generic-9917126-0
Create hunting rule

Win.Dropper.Lockbit-9917808-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Сreating synchronization primitives
Deleting a recently created file
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3460/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit greyware lockbit smokeloader
Link:
https://www.filescan.io/uploads/61cbd44eec6c6c14a9fa84a6/reports/b5b0464d-0f15-4274-ab01-77c000a57797/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/59fde39d-dbb0-4ec8-9397-8a590b64c881
Result
Threat name:
Djvu Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/913661
Signature
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 546139 Sample: Y8wk3KHrA6.exe Startdate: 29/12/2021 Architecture: WINDOWS Score: 100 101 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->101 103 Multi AV Scanner detection for domain / URL 2->103 105 Multi AV Scanner detection for dropped file 2->105 107 9 other signatures 2->107 12 Y8wk3KHrA6.exe 2->12         started        15 Y8wk3KHrA6.exe 2->15         started        17 Y8wk3KHrA6.exe 2->17         started        19 Y8wk3KHrA6.exe 2->19         started        process3 signatures4 119 Contains functionality to inject code into remote processes 12->119 121 Writes many files with high entropy 12->121 123 Injects a PE file into a foreign processes 12->123 21 Y8wk3KHrA6.exe 1 17 12->21         started        25 Y8wk3KHrA6.exe 13 15->25         started        27 BackgroundTransferHost.exe 15->27         started        29 Y8wk3KHrA6.exe 13 17->29         started        31 Y8wk3KHrA6.exe 19->31         started        process5 dnsIp6 79 api.2ip.ua 77.123.139.190, 443, 49732, 49739 VOLIA-ASUA Ukraine 21->79 59 C:\Users\...\Y8wk3KHrA6.exe:Zone.Identifier, ASCII 21->59 dropped 61 C:\Users\user\AppData\...\Y8wk3KHrA6.exe, MS-DOS 21->61 dropped 33 Y8wk3KHrA6.exe 21->33         started        36 icacls.exe 21->36         started        81 192.168.2.1 unknown unknown 29->81 file7 process8 signatures9 99 Injects a PE file into a foreign processes 33->99 38 Y8wk3KHrA6.exe 1 23 33->38         started        process10 dnsIp11 83 tzgl.org 211.168.197.211, 49740, 49750, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 38->83 85 kotob.top 203.228.9.102, 49741, 80 KIXS-AS-KRKoreaTelecomKR Korea Republic of 38->85 87 api.2ip.ua 38->87 63 C:\Users\user\AppData\Local\...\build2.exe, PE32 38->63 dropped 65 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 38->65 dropped 67 C:\_readme.txt, ASCII 38->67 dropped 69 38 other files (37 malicious) 38->69 dropped 109 Infects executable files (exe, dll, sys, html) 38->109 111 Modifies existing user documents (likely ransomware behavior) 38->111 43 build2.exe 38->43         started        file12 signatures13 process14 signatures15 113 Machine Learning detection for dropped file 43->113 115 Writes many files with high entropy 43->115 117 Injects a PE file into a foreign processes 43->117 46 build2.exe 43->46         started        process16 dnsIp17 89 116.202.188.27, 49759, 80 HETZNER-ASDE Germany 46->89 91 noc.social 149.28.78.238, 443, 49757 AS-CHOOPAUS United States 46->91 71 d06ed635-68f6-4e9a...57b9a3695102930.zip, Zip 46->71 dropped 73 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 46->73 dropped 75 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 46->75 dropped 77 10 other files (none is malicious) 46->77 dropped 93 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 46->93 95 Tries to harvest and steal browser information (history, passwords, etc) 46->95 97 Tries to steal Crypto Currency Wallets 46->97 51 cmd.exe 46->51         started        file18 signatures19 process20 process21 53 conhost.exe 51->53         started        55 taskkill.exe 51->55         started        57 timeout.exe 51->57         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8292948dc01246cbe55ab7c75f6a70da2fd0ebf065960e9249b48160f0363b7a/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2021-12-24 05:37:00 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
35 of 43 (81.40%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qkjjjdoacjdmxzk2w7dv62tq3ix5b27qmwla5esjwsawb4bwhn5a._file
Verdict:
malicious
Similar samples:
43b31ea75f3c0666523aefc13e216a651e8e93feaeff1165cb35ed374365cdd6
Stop
4b3e6a191ab050a87aeeb8a650290c4e217e9508971beeb929417d13d89292e2
Stop
aad6294207c2facfebf440fa5d52804422edbf9c9e9adb4a7aaff0310b1c5d11
Stop
c3ade1984ff9031d528776a359b03e496cecb26c332bd826465eef2da60f41b1
Stop
d4a30f137e41ba8ea5fffa89ae9fc3b01364e4f880584946d0067c4b8532a384
Stop
f15e2ae6168ce22adfb50ee1838cfda69a046b13dc8a5a751379a71ceb76b650
Stop
+ 808 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar botnet:517 discovery persistence ransomware spyware stealer suricata
Link:
https://tria.ge/reports/211229-dwcjbadaeq/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Malware Config
C2 Extraction:
http://tzgl.org/fhsgtsspen6/get.php
https://noc.social/@kipriauk10
https://c.im/@kipriauk11
Unpacked files
SH256 hash:
8f8baef5dfbdc24e95559a2d0ee5685ea8ee5a2565825973bfa5cea139d960ee
MD5 hash:
6fde2babde771aae1f3b959f0f3c614a
SHA1 hash:
ddc9d2f1bd06a1df44db8a75b57fcf2b7b123179
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/c922d51b-f224-4b48-87b8-1aedaa9a0714/
SH256 hash:
8292948dc01246cbe55ab7c75f6a70da2fd0ebf065960e9249b48160f0363b7a
MD5 hash:
c15f4817cacb70c2d5be5c54b1fa2855
SHA1 hash:
2b3deb38584b3d2176c33924f83d8dd7831e20f8
Link:
https://www.unpac.me/results/c922d51b-f224-4b48-87b8-1aedaa9a0714/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8292948dc01246cbe55ab7c75f6a70da2fd0ebf065960e9249b48160f0363b7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/216760/

Comments