MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88804aa72fa1c55bf7c758f8cc69a28b06eddf31337f6ae9f842b8ba515d213b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stop

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 2 File information Comments

SHA256 hash:	88804aa72fa1c55bf7c758f8cc69a28b06eddf31337f6ae9f842b8ba515d213b
SHA3-384 hash:	db8b1ab8c135b182af0df0e7a0385f25d1cf3bb7b423dbe9d781a8dbba1748009634db04c7031c12188d44bc6fffcbf8
SHA1 hash:	84dd7f4e2e66362212849971f54c6ba76aa1bf6c
MD5 hash:	9c78e468c87b55de16e25d50cd2a01b5
humanhash:	william-burger-skylark-pennsylvania
File name:	9c78e468c87b55de16e25d50cd2a01b5.exe
Download:	download sample
Signature	Stop Create hunting rule
File size:	892'416 bytes
First seen:	2021-06-08 07:08:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e81b9f97b533b87273485fe586897046 (3 x Stop, 1 x Glupteba)
ssdeep	12288:l15f/AAq+rFHATDpXVwCU+qIp/JbLbLdPVHk5esNQ5H4OaULc4t/GGOaU7NY8d:ljnq+SDpFwCj/Bk5esNu4O/Qu/zN8
Threatray	263 similar samples on MalwareBazaar
TLSH	CF15F100BAA0C034F5F612F55A7682BFA439BDA1BB6450CB52C42ADE3635DE0AD31F57
Reporter	abuse_ch
Tags:	exe Stop

abuse_ch

Stop C2:
http://185.99.133.218/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.99.133.218/	https://threatfox.abuse.ch/ioc/67932/

Intelligence

File Origin

# of uploads :

# of downloads :

190

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9c78e468c87b55de16e25d50cd2a01b5.exe

Verdict:

Suspicious activity

Analysis date:

2021-06-08 07:54:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/08129040-3ee8-4260-9f33-5a005aeb4ac2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/165212/

Detection(s):

Win.Malware.Generic-9868195-0

Win.Malware.Generic-9868256-0

Win.Malware.Generic-9868266-0

Win.Malware.Pwsx-9868289-0

Win.Malware.Pwsx-9868321-0

Win.Malware.Filerepmalware-9868326-0

Win.Malware.Generic-9868420-0

Win.Packed.Pwsx-9868520-0

Win.Packed.Generic-9868565-0

Win.Dropper.Glupteba-9868630-0

Win.Malware.Generic-9868676-0

Win.Malware.Pwsx-9869164-0

Win.Malware.Generic-9869165-0

Win.Packed.Filerepmalware-9869184-0

Win.Packed.Pwsx-9869260-0

Win.Malware.Generic-9869276-0

Win.Malware.Filerepmalware-9869285-0

Win.Packed.Stop-9869374-0

Win.Packed.Pwsx-9869375-0

Win.Packed.Pwsx-9869377-0

Win.Malware.Pwsx-9869390-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Launching a process

Creating a process with a hidden window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Djvu

Detection:

malicious

Classification:

rans.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/798598

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Djvu Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/88804aa72fa1c55bf7c758f8cc69a28b06eddf31337f6ae9f842b8ba515d213b/

Threat name:

Win32.Ransomware.Stop

Status:

Malicious

First seen:

2021-06-03 13:41:03 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rcaevjzpuhcvx56hld4my2ncrmdo3xzrgn7wv2pyik4luuk5ee5q._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:djvu family:vidar discovery evasion persistence ransomware spyware stealer

Link:

https://tria.ge/reports/210608-tan2lykvba/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Disables Task Manager via registry modification

Downloads MZ/PE file

Drops file in Drivers directory

Executes dropped EXE

Deletes Windows Defender Definitions

Djvu Ransomware

Vidar

Unpacked files

SH256 hash:

41e56b8b94805135b173db7320c41de1ee40d5ae3916ae6ca5e97bdf3a933daa

MD5 hash:

c7a3e9c8a8d0f7597ce60fb5fdf50eb5

SHA1 hash:

24f034d6535e4027b11f056609129742b8e846e9

Detections:

win_stop_auto

Link:

https://www.unpac.me/results/9653dee5-3315-4d23-aa31-1db7db5a77d9/

Parent samples :

8de1c803e333135d44bccdc6d357a6a25c60aae00a95f36d827c48142eb1c1ec
ee5b56341fc871f88e2a32899bb9ad27db349918616db5fe20dd6540ab309a52
b4a1845a21726b4826eb4157114d424c9a0f1c3112f67f587cbea352dd33ac61
d81ca2ed0abb074acee81a9f9a94c57589e070261297c5a318518fb82d6834b7
e8d9db4c4bb1013a830bbc9e0588d9e3db245113720d231709319551d3794185
9a248710ede1a89871928c90a232ada5efe6285ed4d7d8f6586ca04c93ba4058
a2212d4357d516c94ce27cd02e67c98e7f6715fb865eb52c962d404aa6666635
48f9f1e0b78e43e369c345080f9ea2dfae221585887535e898b4abce7e5d51c5
14ec14512e3fa567cecd4ac0c1254116e193bc3ea915ae45bb7bf81ea57d40e9
e1273fa249ab6710409cb7cad619d7f55257c60f71556a9020ac169e3013ac1c
e8203dbedbd53ecc87d5f35ff1ee8b8db3c71b00f4527cff5136c4125ba3b884
c16f961c7c33eebec372533924402b92161f4609b84f52f2ae0a309b1def6476
244975c13c9f8fd20b47432950a112f75af9d3591b33ae25b090560b99364140
5a1e038a00535de0be9b3912fc476c774dad4d06308af01f9da24471a61015b2
4cb30ba80bddfb782f7272133351681a964094ca073240db283be0107182aa30
88804aa72fa1c55bf7c758f8cc69a28b06eddf31337f6ae9f842b8ba515d213b
6d24cc1c0043f5f6a3f9c02d408575d5c17c58d60e616df059d75d07de8529de
969993c7de4cc91dc8422fd52d9099ea4bda31162fbbe110a5c21d8d3e5a9f3c
b8700f6758c2a698969205225d4e9cba9688a8d2dd30801826c178db0de9becb
a3cc50ef9c2d82f2473f0bd86f58e9d2e6c3a31bbd98b8e3fe6c7bbf4e3ebedd
7a2f648caf2fab403fc84e7c5a3f0d89e52e8f3b0c2492a26588f094e5981c9b
6e515984fde0582b4608f7982df15016c44df2f558859fcb4afabc25f9284054

SH256 hash:

88804aa72fa1c55bf7c758f8cc69a28b06eddf31337f6ae9f842b8ba515d213b

MD5 hash:

9c78e468c87b55de16e25d50cd2a01b5

SHA1 hash:

84dd7f4e2e66362212849971f54c6ba76aa1bf6c

Link:

https://www.unpac.me/results/9653dee5-3315-4d23-aa31-1db7db5a77d9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/88804aa72fa1c55bf7c758f8cc69a28b06eddf31337f6ae9f842b8ba515d213b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_STOP Create hunting rule
Author:	ditekSHen
Description:	Detects STOP ransomware

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834