MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9634e7bbda11d42ed7eda4f7cc1965dea16ab45877cb425d322e830cf63a0657. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9634e7bbda11d42ed7eda4f7cc1965dea16ab45877cb425d322e830cf63a0657
SHA3-384 hash: 643c045bd1d4cb2faecc39193dc977df42dfe5f2d7110cb24bd357e3ce7c937100a6bf7ad329638449dbcf9f83172009
SHA1 hash: 10e29764f0182cb7362460f6d925a88b9d772780
MD5 hash: b66204eff102db67bd94ec3096c765c3
humanhash: south-april-mars-autumn
File name:b66204eff102db67bd94ec3096c765c3.exe
Download: download sample
Signature Stop
Create hunting rule
File size:857'088 bytes
First seen:2021-07-07 16:10:40 UTC
Last seen:2021-07-07 16:52:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0c9b4a6ea51ade86685cc7cb33cacbc0 (2 x RedLineStealer, 1 x Stop)
ssdeep 24576:jEEhx2jeV2PvB3dbNoJ7LMB150FzhK9kAfj9:oKV2LGLMmT2fj9
Threatray 329 similar samples on MalwareBazaar
TLSH T18205F11076A0D034E6F32AF55A7A53A9643E7EB25B3051CF52D06AEE6B34AD0EC31317
Reporter abuse_ch
Tags:exe Stop

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b66204eff102db67bd94ec3096c765c3.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-07 16:18:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1fa23cca-9558-4a36-8ba1-bbd2f29e3d11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170243/
Detection(s):
SecuriteInfo.com.Variant.Graftor.974954.7756.4912.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef8c5646-7a69-4f5a-8b8c-db6edb1b54f4
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813005
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445416 Sample: Jhy2YPMShA.exe Startdate: 07/07/2021 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Antivirus detection for URL or domain 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 4 other signatures 2->57 8 Jhy2YPMShA.exe 2->8         started        11 Jhy2YPMShA.exe 2->11         started        13 Jhy2YPMShA.exe 2->13         started        process3 signatures4 61 Detected unpacking (overwrites its own PE header) 8->61 63 Writes many files with high entropy 8->63 65 Injects a PE file into a foreign processes 8->65 15 Jhy2YPMShA.exe 1 18 8->15         started        67 Contains functionality to inject code into remote processes 11->67 19 Jhy2YPMShA.exe 12 11->19         started        21 Jhy2YPMShA.exe 12 13->21         started        process5 dnsIp6 49 api.2ip.ua 77.123.139.190, 443, 49717, 49726 VOLIA-ASUA Ukraine 15->49 33 C:\Users\...\Jhy2YPMShA.exe:Zone.Identifier, ASCII 15->33 dropped 23 Jhy2YPMShA.exe 15->23         started        26 icacls.exe 15->26         started        file7 process8 signatures9 59 Injects a PE file into a foreign processes 23->59 28 Jhy2YPMShA.exe 1 19 23->28         started        process10 dnsIp11 43 astdg.top 170.84.181.70, 49727, 80 RRVirtualInformaticaBR Brazil 28->43 45 dgos.top 134.122.53.92, 80 DIGITALOCEAN-ASNUS United States 28->45 47 api.2ip.ua 28->47 35 C:\Users\user\AppData\Local\...\Apps.index, COM 28->35 dropped 37 C:\_readme.txt, ASCII 28->37 dropped 39 C:\Users\user\Desktop\PALRGUCVEH.mp3, data 28->39 dropped 41 157 other files (152 malicious) 28->41 dropped 69 Tries to harvest and steal browser information (history, passwords, etc) 28->69 71 Modifies existing user documents (likely ransomware behavior) 28->71 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9634e7bbda11d42ed7eda4f7cc1965dea16ab45877cb425d322e830cf63a0657/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 16:11:05 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sy2opo62chkc5v7nut34yglf32qwvncyo7fuexjsf2bqz5r2azlq._file
Verdict:
malicious
Similar samples:
6ed8e078433a7e7938f2084f83a640d707708ac99a246b31736bd22327664668
Stop
712e9e9e2976782e38288d45a2d177f1dc3757c7610b4b9bae9e35be9f20b913
Stop
7c75df63bc40beca5ccf65db76c33539ee9f3468a4149e1a0c0bfd30949f4b4d
Stop
7ef335f3910936afe2ffdcaeff03ee06af59ab221b7106cac4724c954ad73913
Stop
99ee06f5fb4f0aa90678d6a6405d2d01138bcd128c6d2aabecda07c110361ba2
Stop
a3c074948f5e3d2b89f0035bbf7bd74b1a3ec0525dc1496b4463f55ef15f3521
Stop
aa8c5d42026ac9a483f1984f762441d7f5805ef914819b473f9e15353995cc99
Stop
b055016e0d82c57b58cd126f26b4b8f4dae1441f0019bdaa42452e815f128944
Stop
d0da8d292459d68df7dbbd65379e80e970b79f93307f05aca7b95e967ad86d52
Stop
ed8a7ffec56f450a365e758012db092883bbd23565f3f9fbb004c189fb703de3
Stop
+ 319 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/210707-avefn7wpr6/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Modifies file permissions
Unpacked files
SH256 hash:
73228a57289666d98769ea178a6a97f532b613ed6e05f6af986799f14344ebe1
MD5 hash:
7a06560f3aa1bb8bce36f0beab0899e2
SHA1 hash:
c9a7226a5953617b190d658409e27f664c1fa196
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/13b0e546-fd28-47c2-9fbf-0379e6e9ba6b/
Parent samples :
9634e7bbda11d42ed7eda4f7cc1965dea16ab45877cb425d322e830cf63a0657
bfbf6bb9393e511a06e90d432e7538059ae75f9f1525f0f503d1d0bec0d32124
ff9e059a789e94573fb32a918657d5c5c59b5395fab873cbcec7b1543435fe93
808047c44b88e64eaeaa2c63b136dce30013db875ebdcfe24a22e0e292a757cc
ca7f21ad4f9b5ca208d0a43b76edc7bbb9c698289cb4fc718c884681c5dcf10f
a88f6e7db37ee058a26742f7cd2d92927eeb70e863c025a9758a7b710e152f81
SH256 hash:
9634e7bbda11d42ed7eda4f7cc1965dea16ab45877cb425d322e830cf63a0657
MD5 hash:
b66204eff102db67bd94ec3096c765c3
SHA1 hash:
10e29764f0182cb7362460f6d925a88b9d772780
Link:
https://www.unpac.me/results/13b0e546-fd28-47c2-9fbf-0379e6e9ba6b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9634e7bbda11d42ed7eda4f7cc1965dea16ab45877cb425d322e830cf63a0657

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

Executable exe 9634e7bbda11d42ed7eda4f7cc1965dea16ab45877cb425d322e830cf63a0657

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1423741/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170243/

Comments