MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9afbb8c00bf106a25976ed149b7b5b5009c2c1a918ed60ea939624ea7e6b01ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9afbb8c00bf106a25976ed149b7b5b5009c2c1a918ed60ea939624ea7e6b01ce
SHA3-384 hash: 5d4d1d6903891e34a1db46a7ebdfee8191a830271ffb400415b685b8be9ed66e3bf72d4116d5d0cd87feabcf31fb6736
SHA1 hash: d3380ff478f82f7b5846f49b10c2fb69678c92de
MD5 hash: 607e8c642a43b9731d34aaab4043d922
humanhash: five-eleven-tennis-bakerloo
File name:build.bin
Download: download sample
Signature Stop
Create hunting rule
File size:817'664 bytes
First seen:2022-06-24 07:36:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e7b1c49466dffa58be5c95fbe6c61443 (2 x ArkeiStealer, 1 x Stop)
ssdeep 12288:udnUL6WGI+yRJ+S6cPZ9quQg/v5jRRCU7atEBQJJR04F92g4fjbZh2p7vhAE:udnUGztQP7v9P7aOBQJJm4F9yX2ZhAE
TLSH T11A0512E0B690D47AC4153E318956CBA1733BBE15F5702907B7B09B1E2EB33C0AA753A1
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c01edecea68c8ccc (154 x RedLineStealer, 98 x Smoke Loader, 36 x Stop)
Reporter KdssSupport
Tags:exe Stop

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
stop
Create hunting rule
ID:
1
File name:
https://b24-fpqecx.bitrix24.site/crm_form_by2ve/
Verdict:
Malicious activity
Analysis date:
2022-06-24 02:17:36 UTC
Tags:
loader trojan stealer ransomware stop
Link:
https://app.any.run/tasks/3c77af4e-7041-42b0-a769-c7ca433d357a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/282924/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/22651/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62b569a0a6ececa45fc60508/reports/40aaa4d4-4337-4694-89bf-074488eec14d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/379eba14-5f8f-4652-83ed-227f28524139
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1019139
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 651637 Sample: build.bin Startdate: 24/06/2022 Architecture: WINDOWS Score: 96 45 Multi AV Scanner detection for domain / URL 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 4 other signatures 2->51 8 build.exe 2->8         started        11 build.exe 2->11         started        13 build.exe 2->13         started        15 build.exe 2->15         started        process3 signatures4 53 Injects a PE file into a foreign processes 8->53 17 build.exe 1 17 8->17         started        55 Machine Learning detection for dropped file 11->55 21 build.exe 1 13 11->21         started        23 build.exe 13 13->23         started        25 build.exe 13 15->25         started        process5 dnsIp6 41 api.2ip.ua 162.0.217.254, 443, 49755, 49819 ACPCA Canada 17->41 35 C:\Users\user\AppData\Local\...\build.exe, PE32 17->35 dropped 37 C:\Users\user\...\build.exe:Zone.Identifier, ASCII 17->37 dropped 27 build.exe 17->27         started        30 icacls.exe 17->30         started        43 abababa.org 21->43 file7 process8 signatures9 57 Injects a PE file into a foreign processes 27->57 32 build.exe 13 27->32         started        process10 dnsIp11 39 api.2ip.ua 32->39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9afbb8c00bf106a25976ed149b7b5b5009c2c1a918ed60ea939624ea7e6b01ce/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2022-06-24 07:37:08 UTC
File Type:
PE (Exe)
Extracted files:
70
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tl53rqal6edkewlw5ukjw623kae4fqnjddwwb2utsysou7tlahha._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar botnet:517 discovery persistence ransomware spyware stealer suricata
Link:
https://tria.ge/reports/220624-jft2baagfr/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads local data of messenger clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
Malware Config
C2 Extraction:
http://abababa.org/fhsgtsspen6/get.php
https://t.me/tg_superch
https://climatejustice.social/@olegf9844
Unpacked files
SH256 hash:
c0895781d7cdd53003fff560c586caa3ea1bf547f506b72cfb3cc252eea4ac68
MD5 hash:
be8b37eb87288e37e0680a59e96d6669
SHA1 hash:
629d99cfbdb426da3796532c1951f0c8eda6fec0
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/7f337d4f-4b4f-4b53-a4f0-3e8cef85e03d/
SH256 hash:
9afbb8c00bf106a25976ed149b7b5b5009c2c1a918ed60ea939624ea7e6b01ce
MD5 hash:
607e8c642a43b9731d34aaab4043d922
SHA1 hash:
d3380ff478f82f7b5846f49b10c2fb69678c92de
Link:
https://www.unpac.me/results/7f337d4f-4b4f-4b53-a4f0-3e8cef85e03d/
Malware family:
STOP
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9afbb8c00bf1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9afbb8c00bf106a25976ed149b7b5b5009c2c1a918ed60ea939624ea7e6b01ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/282924/

Comments