MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 909204a217771a3830a59178d9bdcabec2c4b58eeb96aab7e10f34c2daee4392. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 909204a217771a3830a59178d9bdcabec2c4b58eeb96aab7e10f34c2daee4392
SHA3-384 hash: d3ba2cab7fb0c1d8d0380bd26fa17222d4b184c54621c1e7e749a0dfc9d6fe2898cafffc89691a65e15461b23420c9b6
SHA1 hash: 5c15e55e3c108f940ea38adba6217a78638aa9c6
MD5 hash: 03216ee38c31d0994a688710dc0f2663
humanhash: undress-juliet-high-yellow
File name:909204a217771a3830a59178d9bdcabec2c4b58eeb96aab7e10f34c2daee4392
Download: download sample
Signature Stop
Create hunting rule
File size:809'984 bytes
First seen:2022-03-28 06:15:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0f1855557318264240cd30e161847f03 (2 x Stop, 1 x RaccoonStealer)
ssdeep 12288:zZOVZjjxAQ7FWWX3jSYSwmxHivzctLK+eF5LBszuUD3YbZeJRQpqQn0LqcH:NA1FJjzSTwgtLK+eF9B/Xb7pqpH
Threatray 970 similar samples on MalwareBazaar
TLSH T189050210BB90D035D5B752F8497A93AC7A2EBAA05B2895CF32D55BEE16342E0FC31317
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter JAMESWT_WT
Tags:exe Stop

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/258385/
Detection(s):
Win.Dropper.Generickdz-9939781-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Сreating synchronization primitives
Deleting a recently created file
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/11705/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed ransomware virut
Link:
https://www.filescan.io/uploads/624152e0a19c6494129da3a4/reports/bee81e66-fa45-485c-bbb4-11af306f37e1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3815d21d-93da-4a53-abe2-0f54f5361ee1
Result
Threat name:
Djvu Vidar Zorab
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/965569
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Possible FUD Crypter (malicious underground PE packer) detected
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar
Yara detected Vidar stealer
Yara detected Zorab Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 598055 Sample: Fty7JnQJSO Startdate: 28/03/2022 Architecture: WINDOWS Score: 100 79 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->79 81 Multi AV Scanner detection for domain / URL 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 13 other signatures 2->85 10 Fty7JnQJSO.exe 2->10         started        13 Fty7JnQJSO.exe 2->13         started        15 Fty7JnQJSO.exe 2->15         started        17 Fty7JnQJSO.exe 2->17         started        process3 signatures4 91 Possible FUD Crypter (malicious underground PE packer) detected 10->91 93 Contains functionality to inject code into remote processes 10->93 95 Writes many files with high entropy 10->95 19 Fty7JnQJSO.exe 1 16 10->19         started        97 Injects a PE file into a foreign processes 13->97 23 Fty7JnQJSO.exe 12 13->23         started        25 Fty7JnQJSO.exe 12 15->25         started        27 Fty7JnQJSO.exe 17->27         started        process5 dnsIp6 73 api.2ip.ua 162.0.218.244, 443, 49714, 49715 ACPCA Canada 19->73 75 192.168.2.1 unknown unknown 19->75 55 C:\Users\...\Fty7JnQJSO.exe:Zone.Identifier, ASCII 19->55 dropped 57 C:\Users\user\AppData\...\Fty7JnQJSO.exe, MS-DOS 19->57 dropped 29 Fty7JnQJSO.exe 19->29         started        32 icacls.exe 19->32         started        file7 process8 signatures9 107 Injects a PE file into a foreign processes 29->107 34 Fty7JnQJSO.exe 1 23 29->34         started        process10 dnsIp11 67 zerit.top 186.182.55.44, 49716, 80 TechtelLMDSComunicacionesInteractivasSAAR Argentina 34->67 69 fuyt.org 115.91.217.231, 49717, 49718, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 34->69 71 api.2ip.ua 34->71 47 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 34->47 dropped 49 C:\_readme.txt, ASCII 34->49 dropped 51 C:\Users\...\SmartScreenCache.dat.mmuz (copy), data 34->51 dropped 53 41 other files (38 malicious) 34->53 dropped 87 Modifies existing user documents (likely ransomware behavior) 34->87 39 build2.exe 34->39         started        file12 signatures13 process14 signatures15 89 Injects a PE file into a foreign processes 39->89 42 build2.exe 39->42         started        process16 dnsIp17 77 5.252.21.17, 49724, 80 FIRSTDC-ASRU Russian Federation 42->77 59 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 42->59 dropped 61 C:\Users\user\AppData\...\mozglue[1].dll, PE32 42->61 dropped 63 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 42->63 dropped 65 9 other files (none is malicious) 42->65 dropped 99 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 42->99 101 Tries to steal Mail credentials (via file / registry access) 42->101 103 Tries to harvest and steal browser information (history, passwords, etc) 42->103 105 Tries to steal Crypto Currency Wallets 42->105 file18 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/909204a217771a3830a59178d9bdcabec2c4b58eeb96aab7e10f34c2daee4392/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-03-23 06:26:47 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
35 of 42 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=scjajiqxo4ndqmffsf4ntpokx3bmjnmo5olkvn7bb42mfwxoioja._file
Verdict:
malicious
Similar samples:
2a06da1f6bb8f01f932093ed9ae5f1ca2ff7b53b89dfd46a0102200cf3ebaead
Stop
2e71e3bcb39c87ae43d0019b5d62084b8eb2bb0ebe09c05d7cf2ad026082e527
Stop
2ec22ff642ea83f3ebccca4b3e339e489862f19734cdb412fb45f19861e87dca
Stop
30d61c9063fe72a9a6a1519ad4a2c43dc7e88fac46904e6f7227fa789be5dbb6
Stop
486ab4d9e0a524b8f734a9e45821538c31e18c7632af8e0765dc417b9a87c64d
Stop
923d2af76cd47509cd42c94e47b6198321b16c2123b09bb39aa26b8c3daf9647
Stop
962793c4decea8dd718bd96ccc4209ce744414a62e4afb93c79db64df4b792e2
Stop
+ 960 additional samples on MalwareBazaar
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu ransomware
Link:
https://tria.ge/reports/220328-g1gwdachbm/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://fuyt.org/fhsgtsspen6/get.php
Unpacked files
SH256 hash:
0b6d28bc808b98429e7fc549e5a15a236ddb6cbb5a227f7334207b438a95267d
MD5 hash:
06ee09dec2db456a2e92a4b0f696678e
SHA1 hash:
d9eb1e744ac1294637ae72672e0f7edb0b14fc4e
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/5c5d17b4-f672-4180-98d4-61689e0b551a/
Parent samples :
9c703d32fa73fde2328022f3e1fad58bb2fd1cc739dd6f68dbe3d88fdcee2664
5ead4e743b06cfa32958083798960a587b108ee0170d3f475bb744cdb006761f
21ef7ee8609a2e98dec200eb22771a3ba86a18b7150211fc3aa6506e06b74c10
b70c7c27f9b8cebc5da0c75f5469c36ddd4a969ad29ec702a27571fa2ff27832
e531191d35e9d5543ae81a0915f9b02651ea54a6b3fe5ca61855a301ea53146a
5a1fb27924ab99541f08d3a46321b88fa4ce52a2346ebd92dc8da423c907cde3
ba53f24d6448dfc4b1a4a9b73d7d24ecc31a05a4e26ee051ba5ada4312f319d1
c1e3dbf11b5b3d434c8026bb344d5e9fd6daba717622ccfc4e07cadf051cba72
63d7b37217bad05463192bd2f5e39a4ac23ff21c52cd27bf541780d29cf77c7f
f2e3fa89c1a2c72ea78c4d32446221c08b30c7c3363f8248f04aa9eee2e15c70
44112b6d303c7df1528b55525872fef0f08de8c2a467f8e4d3b820f634f1f2c2
4f91cc5fef6093b6ccae6c91e02484dc33174df7d0e439fefe5f9b9171e388e3
6a803d7627d4fe8412c329487c9a95b34f3521ff2504fd077477cec1a9184ff9
54f94f7d533214086d2d2400b3b9b4d95e44d785334b5e47bf85ee0db24fd49b
98aeeffa753fd000731a7fc8bef2b3151cef2d9cc79ff03620cfba524e729ddd
11cbf8967f0dfb881a4a38c7abf2c26c61bfc68dc61a56a354c400a35f9a75eb
909204a217771a3830a59178d9bdcabec2c4b58eeb96aab7e10f34c2daee4392
0a04531f67450f23732ef2d41e6ac507ea10cdc39d513f1a379e9b3e0508e4f9
2db1bb25566f90ea473b56bcdc4670b9e6f730986a9c6f9d4b59a9ca6f542f54
9da0bdb7d44fe5cef1d36d302f47e941b72c848f9e2adaf106ca16ca1905faaa
703596cf1362533b7beb36bd72b994457ea1109cd3d6860bfe2cfc4b0b32a21a
c0bef9ba844c2d2cf99c9e7e397dcb9be6ba14bc8466603f6f2765e9213137d8
875ef5b3053d4d322471a9a9c0a7ea0b44c75178add2bb43ac4619ec78209cf1
e17ee8ffe9bb9062dcf3caad7e79785ec462faca7eb6e44302a5e0c03ad83a91
9ad258a814d69b7bfb48afaeda5a966308ffedb0cf7454a815c88c42629a745c
07e7dd3b968a15e42c67a728a9d143533d66af00ab9003961086c8c2ee3670f2
dcee34741b1210576a620d3e22d5945f1aea34f8d9940a0b9d098c7ebe0bd1d0
4f1bcdcbc93f0edf7a5b94c5da7b46ee72d4ba9619862036ed1cb202a07385c2
SH256 hash:
909204a217771a3830a59178d9bdcabec2c4b58eeb96aab7e10f34c2daee4392
MD5 hash:
03216ee38c31d0994a688710dc0f2663
SHA1 hash:
5c15e55e3c108f940ea38adba6217a78638aa9c6
Link:
https://www.unpac.me/results/5c5d17b4-f672-4180-98d4-61689e0b551a/
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/909204a21777/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/909204a217771a3830a59178d9bdcabec2c4b58eeb96aab7e10f34c2daee4392

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/258385/

Comments