MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 9c252ebf30585544502edd6120ab215df5278133819172d63ae8ec18403168db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Stop
Vendor detections: 13
| SHA256 hash: | 9c252ebf30585544502edd6120ab215df5278133819172d63ae8ec18403168db |
|---|---|
| SHA3-384 hash: | 0fd6b9cad381911b3e14e5ce4f8b6d51bf13139aeca0885bf5d1c79fdf8a536f2c86df8ef0f039daf9522cb8ac5b911c |
| SHA1 hash: | 3d5f586e1f18a2ee123cf5c692d8784dc26a9fe6 |
| MD5 hash: | 6f7348e2178c51cd438962c397f1ba90 |
| humanhash: | fruit-double-steak-two |
| File name: | 6f7348e2178c51cd438962c397f1ba90.exe |
| Download: | download sample |
| Signature | Stop |
| File size: | 713'728 bytes |
| First seen: | 2022-07-31 01:25:43 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | aecd89e1ed4b02149a7c23933e46d475 (5 x RedLineStealer, 3 x Stop, 1 x ArkeiStealer) |
| ssdeep | 12288:NTrxy0TmiRrQTofDxYXyZeJWrLqCxHyqI1i4S/YT0bTgSOVohNFncbBFjkGZSDa2:RvReyZeC5xHIMQobLOGhHncbBFAGZt |
| Threatray | 1'343 similar samples on MalwareBazaar |
| TLSH | T138E41230B7A0C837C8FA6130D470A656657ABC6252BC4C4FF354276E7E61AF14ABE712 |
| TrID | 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): |  |
| dhash icon | 38b078cccacccc53 (62 x Smoke Loader, 25 x Stop, 21 x RedLineStealer) |
| Reporter |  abuse_ch |
| Tags: | exe Stop |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| http://95.217.244.216/517 | https://threatfox.abuse.ch/ioc/840131/ |
Intelligence
File Origin
# of uploads :
1
# of downloads :
411
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
8/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
greyware packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Verdict:
Malicious
Result
Threat name:
Djvu, Vidar
Detection:
malicious
Classification:
rans.spre.troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.RealProtect
Status:
Malicious
First seen:
2022-07-31 01:26:11 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
21 of 26 (80.77%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 1'333 additional samples on MalwareBazaar
Result
Malware family:
vidar
Score:
10/10
Tags:
family:djvu family:vidar botnet:517 discovery persistence ransomware spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Detected Djvu ransomware
Djvu Ransomware
Vidar
Malware Config
C2 Extraction:
http://acacaca.org/test1/get.php
https://t.me/cheaptrains
https://mastodon.social/@ffolegg94
https://t.me/cheaptrains
https://mastodon.social/@ffolegg94
Unpacked files
SH256 hash:
460677002477997e886cc69e877193e9aae99473d797324a631792b93decacc2
MD5 hash:
3698c5247b7dc80076f8b9a7c2c74869
SHA1 hash:
2c43bbcb9ff12ce664bde794f520e6bab29a4880
Detections:
win_stop_auto
Parent samples :
a8988eb3a6ec363ad6cfef8b2a20473a71b281d7861346d1df0a35a7bd275092
0f00ce0e83bf4c6fb75ae2c9876efe1be790d8d6f88744b331387aa36c9cf216
108db3a08d3480eabc99496d69095c248ee28a99322cf83d831eaaf9f2a84d9f
711eb2d970c6b7af7e9592227e0380ab6b550243efc05dff5420cb55d32307a0
a461934a0985ea594c18ec2aae98a19104d4a0bd28dc5eed8e155ebaa6b830be
aa493715423d58772968e67bdf3eb2e528cdf6841f9a3450bb191ade5b800343
7846a97eb48c7bf94f88f45205c05f3680240ccab8be07130b7dec943db0d1f1
9c252ebf30585544502edd6120ab215df5278133819172d63ae8ec18403168db
1c07425a2ae25cf34d4ec2563846ca85aac64fa33f2b55bf73ded0b21d93ae8d
4498a7aab301aa3bd2d87f97c8ac9d155266477d1aa06e53633bff359446bb71
cd0dcd4db4cde13fd3c18384880d8a407b82bedd423cf36ce43eb195f0d83122
00650eef0237b8636cba044cc835767f90df5be3803c74c22de6f0bf5260c731
2d70c53a2c97bf9e5dccab50e60ab9aef632b257a39c1890e011bbb35c6f1a91
6ddfedae802f4f8fb5cd24185155151334aec02cc89a54f21d04b412741c536f
f0a89147aed3bf309a02375ec557fd7d02ea65fe8fb82df114567287a7ce7948
bf2adfc7db7063fef37da90e51082716a62374d46cc46c1eeff27aab0696231c
f047dec42901d262d8b27349645566c92d92c4a6f57be08140f99a8ea1cb9bae
35a90e21c38bb5f06f317e44bee9730c997fd74119b6be5995dd73cd6f6cf30d
bbe24a43e0fab174b0e301591ce108db5ba7fbbcda79ec7dc6cee0ca532069ce
bcee945208bd13be02544c87455bbc3778f62a6547e626455e21f59f52e808f0
3d853586b1c878bccbe2132b3da76c324182835c96c9d971eeb1dbab1f221764
a16b0c761ef6635edff487a9e8194106b0d43fe1de257712ebc0a7aaa96cf220
f9caafef25d6faedd1f0545b1518bde25e7e546f8df31be635cc7fd2628cc87d
db328867b5c9fc7d025e762759a5a6a3bc40f224f6f45f7784f49aa719562cc2
ec67ab63bf01508d2035b97cc186b71e1291cd26dfec6a9949a736f128bf5ac4
0ed05a8007ceaeff0fe90839871072ffdf22bfe1792c5db28674c66144cff525
cc2c935220634bdbab53ba36f411e882859e88e86a86f768769561b6929c509a
11b50a72b92088693c236ee689690b8c9510a38a51bddc41c40e22186c948745
50b8cd897266758e38f8c6419df0ea95484f26745e07ee45268455cd41c15a2c
8cfb0888083949812a02ea8557a86b98969b88c7976a66eae17d493fee7f4436
c425fdbc1a11a24768fce96c757b62e9666b5304642f9047b28bf4d3f35ba020
b2c14eaeb6a575095e493fca5f5949edd7bde13be5e70fabed09a0b8e99c2f41
4304b0ef20facff0ee35283b974fbae32edacf7a8117254fb1a95560dd2a49e6
0a1c9c7ebc6754b1c815ed5f2ba39a212b0f899456cb0d28fbfeafe109b88c04
eb8444e6d256a2383c2b942e408769c6791479197fb03d736e6ae66538251e52
810337996b4f287b6936a21533733fb5427803f255329a73c0e9e81b4c96367c
e008b3b61d0625feaaa80cc6ed0bf86e7d392490c4b67244ce4d2b59cad44521
ce9398957a4f2d577967e6c2af8319c07d0c628fbe9d7530f1a6d53fe1e09ee2
b951f1f122fd93b6473f076192a2cd48b3e875df347b7d58e5471756e6d4b513
276e1dff0dd8ceedd5ebb1be0fa4727caedfba8ef0293573e140c72bc7b1c345
bebf3064e366d052d6594d3e23ed074a410a0bee3007545110c2cd10b2954f07
fae85f9f8092c35c0a2d2057f231f4e4886163679ecbf0fe43c2d232414efa82
548fbdc91fdab245ad38f40ab00e08bf15fcec469b0fe9879c0b30c6954d940c
f5568dbc0f8640a105c3a7c4243e627fbf8218df12c9f331a38cf11e93f58358
0f307e93c8748420970921cd14a83a4a6e01d8cc9b87aa0d978b7277877ccc06
dc93dc6e3f38d8e8a8961ecb9366572adc01cac682c3649714b94bbd6e8b10c1
f225dfd553d16fe8a79192bab77ddda192572a0bca4a8d9c0e6144268c8f605c
56193e0153f7965612b8ab1313fca8fb0b9c6d7e0ba8f6b09e835f1add424e4a
0d5f0a554acb1636e485ec722d6a0b4dedbfcd894fc8a5f35d9b32f873de891c
f463d93311b1db92d9ece5b9588a41b37ff3799741609de05d52f0c03c91bd98
9ac2de0fd32ea12ead3ad5a491e7d47d611b04d63f5ceeb93146c10c7399e85d
cad0bd3e89c5f5068e476052ea238068c73584d0569ad13fa4ae10752f7d1245
b023f3403fb515c7c5ab9df5aee75eb7b1ae3f9bd4c46abc3e4d6a7fc806f6e3
c6c817ed9bad54f4c1b151451232cc19315a0ff923166a7864c3a5a1367913b0
83a8555eba21e03e6a209b19ccd39f982a87e47baa428b5a24ef85c07578d801
64ac7c0e7932e2f05e7ac9cc7be1a28a6851c5e15bcee112ae85a1a87fea471c
eb04fd8cc7a8426d235b764cd0c999730dd20a5af66f1bbd6d68dd4ba7c2ff69
dfbef115e54ce80addae308aa6486b0831af5bd749578166c958abcfebaea40c
df03446a7935255e535ac0db6e92da530ef948780a213a20dbde2af3703f6254
b68538b100ee150e781073702a255243ae98011f491f4bde3a4746da9ed46c88
0f00ce0e83bf4c6fb75ae2c9876efe1be790d8d6f88744b331387aa36c9cf216
108db3a08d3480eabc99496d69095c248ee28a99322cf83d831eaaf9f2a84d9f
711eb2d970c6b7af7e9592227e0380ab6b550243efc05dff5420cb55d32307a0
a461934a0985ea594c18ec2aae98a19104d4a0bd28dc5eed8e155ebaa6b830be
aa493715423d58772968e67bdf3eb2e528cdf6841f9a3450bb191ade5b800343
7846a97eb48c7bf94f88f45205c05f3680240ccab8be07130b7dec943db0d1f1
9c252ebf30585544502edd6120ab215df5278133819172d63ae8ec18403168db
1c07425a2ae25cf34d4ec2563846ca85aac64fa33f2b55bf73ded0b21d93ae8d
4498a7aab301aa3bd2d87f97c8ac9d155266477d1aa06e53633bff359446bb71
cd0dcd4db4cde13fd3c18384880d8a407b82bedd423cf36ce43eb195f0d83122
00650eef0237b8636cba044cc835767f90df5be3803c74c22de6f0bf5260c731
2d70c53a2c97bf9e5dccab50e60ab9aef632b257a39c1890e011bbb35c6f1a91
6ddfedae802f4f8fb5cd24185155151334aec02cc89a54f21d04b412741c536f
f0a89147aed3bf309a02375ec557fd7d02ea65fe8fb82df114567287a7ce7948
bf2adfc7db7063fef37da90e51082716a62374d46cc46c1eeff27aab0696231c
f047dec42901d262d8b27349645566c92d92c4a6f57be08140f99a8ea1cb9bae
35a90e21c38bb5f06f317e44bee9730c997fd74119b6be5995dd73cd6f6cf30d
bbe24a43e0fab174b0e301591ce108db5ba7fbbcda79ec7dc6cee0ca532069ce
bcee945208bd13be02544c87455bbc3778f62a6547e626455e21f59f52e808f0
3d853586b1c878bccbe2132b3da76c324182835c96c9d971eeb1dbab1f221764
a16b0c761ef6635edff487a9e8194106b0d43fe1de257712ebc0a7aaa96cf220
f9caafef25d6faedd1f0545b1518bde25e7e546f8df31be635cc7fd2628cc87d
db328867b5c9fc7d025e762759a5a6a3bc40f224f6f45f7784f49aa719562cc2
ec67ab63bf01508d2035b97cc186b71e1291cd26dfec6a9949a736f128bf5ac4
0ed05a8007ceaeff0fe90839871072ffdf22bfe1792c5db28674c66144cff525
cc2c935220634bdbab53ba36f411e882859e88e86a86f768769561b6929c509a
11b50a72b92088693c236ee689690b8c9510a38a51bddc41c40e22186c948745
50b8cd897266758e38f8c6419df0ea95484f26745e07ee45268455cd41c15a2c
8cfb0888083949812a02ea8557a86b98969b88c7976a66eae17d493fee7f4436
c425fdbc1a11a24768fce96c757b62e9666b5304642f9047b28bf4d3f35ba020
b2c14eaeb6a575095e493fca5f5949edd7bde13be5e70fabed09a0b8e99c2f41
4304b0ef20facff0ee35283b974fbae32edacf7a8117254fb1a95560dd2a49e6
0a1c9c7ebc6754b1c815ed5f2ba39a212b0f899456cb0d28fbfeafe109b88c04
eb8444e6d256a2383c2b942e408769c6791479197fb03d736e6ae66538251e52
810337996b4f287b6936a21533733fb5427803f255329a73c0e9e81b4c96367c
e008b3b61d0625feaaa80cc6ed0bf86e7d392490c4b67244ce4d2b59cad44521
ce9398957a4f2d577967e6c2af8319c07d0c628fbe9d7530f1a6d53fe1e09ee2
b951f1f122fd93b6473f076192a2cd48b3e875df347b7d58e5471756e6d4b513
276e1dff0dd8ceedd5ebb1be0fa4727caedfba8ef0293573e140c72bc7b1c345
bebf3064e366d052d6594d3e23ed074a410a0bee3007545110c2cd10b2954f07
fae85f9f8092c35c0a2d2057f231f4e4886163679ecbf0fe43c2d232414efa82
548fbdc91fdab245ad38f40ab00e08bf15fcec469b0fe9879c0b30c6954d940c
f5568dbc0f8640a105c3a7c4243e627fbf8218df12c9f331a38cf11e93f58358
0f307e93c8748420970921cd14a83a4a6e01d8cc9b87aa0d978b7277877ccc06
dc93dc6e3f38d8e8a8961ecb9366572adc01cac682c3649714b94bbd6e8b10c1
f225dfd553d16fe8a79192bab77ddda192572a0bca4a8d9c0e6144268c8f605c
56193e0153f7965612b8ab1313fca8fb0b9c6d7e0ba8f6b09e835f1add424e4a
0d5f0a554acb1636e485ec722d6a0b4dedbfcd894fc8a5f35d9b32f873de891c
f463d93311b1db92d9ece5b9588a41b37ff3799741609de05d52f0c03c91bd98
9ac2de0fd32ea12ead3ad5a491e7d47d611b04d63f5ceeb93146c10c7399e85d
cad0bd3e89c5f5068e476052ea238068c73584d0569ad13fa4ae10752f7d1245
b023f3403fb515c7c5ab9df5aee75eb7b1ae3f9bd4c46abc3e4d6a7fc806f6e3
c6c817ed9bad54f4c1b151451232cc19315a0ff923166a7864c3a5a1367913b0
83a8555eba21e03e6a209b19ccd39f982a87e47baa428b5a24ef85c07578d801
64ac7c0e7932e2f05e7ac9cc7be1a28a6851c5e15bcee112ae85a1a87fea471c
eb04fd8cc7a8426d235b764cd0c999730dd20a5af66f1bbd6d68dd4ba7c2ff69
dfbef115e54ce80addae308aa6486b0831af5bd749578166c958abcfebaea40c
df03446a7935255e535ac0db6e92da530ef948780a213a20dbde2af3703f6254
b68538b100ee150e781073702a255243ae98011f491f4bde3a4746da9ed46c88
SH256 hash:
9c252ebf30585544502edd6120ab215df5278133819172d63ae8ec18403168db
MD5 hash:
6f7348e2178c51cd438962c397f1ba90
SHA1 hash:
3d5f586e1f18a2ee123cf5c692d8784dc26a9fe6
Malware family:
STOP
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | MALWARE_Win_STOP |
|---|---|
| Author: | ditekSHen |
| Description: | Detects STOP ransomware |
| Rule name: | pdb_YARAify |
|---|---|
| Author: | @wowabiy314 |
| Description: | PDB |
| Rule name: | SUSP_XORed_URL_in_EXE |
|---|---|
| Author: | Florian Roth |
| Description: | Detects an XORed URL in an executable |
| Reference: | https://twitter.com/stvemillertime/status/1237035794973560834 |
| Rule name: | SUSP_XORed_URL_in_EXE_RID2E46 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects an XORed URL in an executable |
| Reference: | https://twitter.com/stvemillertime/status/1237035794973560834 |
| Rule name: | win_stop_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.stop. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.