MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9eeb3c37031477470fe1afa167ad3e32b7c270084eaac2b11da208e6ebce6eaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9eeb3c37031477470fe1afa167ad3e32b7c270084eaac2b11da208e6ebce6eaa
SHA3-384 hash: 0ecafc9384326dfdbfa7375ba708b7b69498e52151c0b4743c03dd9c26e1582a27ab2bd955ad7d69d3d7d97ea2f52631
SHA1 hash: 39e05a87b1a88a88299b28bde5215efee126a0d3
MD5 hash: cb2bf6a0df379cdab305c08f09259097
humanhash: happy-chicken-nevada-pizza
File name:9eeb3c37031477470fe1afa167ad3e32b7c270084eaac2b11da208e6ebce6eaa
Download: download sample
Signature Stop
Create hunting rule
File size:743'936 bytes
First seen:2021-09-13 06:33:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2bb955c2e0013cafc5696a8a4b50b66d (2 x RaccoonStealer, 1 x Stop)
ssdeep 12288:oac8iUQqoPWAeJ2WWfEOhQ0RNmsoR8QA9aMQbRd5hL9J9D3ttOdaCZ:ZSqo+j2WWfEOhRNmJxAMMW1L1ttOj
Threatray 617 similar samples on MalwareBazaar
TLSH T165F4121FB9A0EC33D6A611315875CFB0593AB87F9560D08B3A883B6E1FF25819F26351
dhash icon 4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer)
Reporter JAMESWT_WT
Tags:exe Stop

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9eeb3c37031477470fe1afa167ad3e32b7c270084eaac2b11da208e6ebce6eaa
Verdict:
Suspicious activity
Analysis date:
2021-09-13 06:34:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f2925a1e-f88f-49af-b3c5-bc7e7b2a4736

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187220/
Detection(s):
Win.Packed.Filerepmalware-9890038-0
Create hunting rule

Win.Packed.Fragtor-9890049-0
Create hunting rule

Win.Packed.Fragtor-9890050-0
Create hunting rule

Win.Packed.Generic-9890077-0
Create hunting rule

Win.Packed.Fragtor-9890080-0
Create hunting rule

Win.Packed.Generic-9890092-0
Create hunting rule

Win.Packed.Generic-9890955-0
Create hunting rule

Win.Dropper.Fragtor-9890982-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6174fabea9d585e6d5370591/reports/f6a5e63c-d11b-4ab7-999e-d27295ebe9d2/overview
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e513af99-62ea-4d03-9a3b-8ce8b7f23e92
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850013
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Found malware configuration
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 482447 Sample: GBUNFa2vpY Startdate: 13/09/2021 Architecture: WINDOWS Score: 100 56 Multi AV Scanner detection for domain / URL 2->56 58 Found malware configuration 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 4 other signatures 2->62 8 GBUNFa2vpY.exe 2->8         started        11 GBUNFa2vpY.exe 2->11         started        13 GBUNFa2vpY.exe 2->13         started        15 GBUNFa2vpY.exe 2->15         started        process3 signatures4 66 Injects a PE file into a foreign processes 8->66 17 GBUNFa2vpY.exe 1 18 8->17         started        68 Detected unpacking (changes PE section rights) 11->68 70 Contains functionality to inject code into remote processes 11->70 22 GBUNFa2vpY.exe 1 16 11->22         started        72 Multi AV Scanner detection for dropped file 13->72 74 Machine Learning detection for dropped file 13->74 24 GBUNFa2vpY.exe 12 13->24         started        26 GBUNFa2vpY.exe 15->26         started        process5 dnsIp6 48 tbpws.top 190.141.222.206, 49704, 80 CableOndaPA Panama 17->48 36 C:\_readme.txt, ASCII 17->36 dropped 38 C:\Users\user\Desktop\ZTGJILHXQB.docx, data 17->38 dropped 40 C:\Users\user\Desktop40EBFQQYWPS.pdf, data 17->40 dropped 46 5 other files (3 malicious) 17->46 dropped 64 Modifies existing user documents (likely ransomware behavior) 17->64 50 api.2ip.ua 77.123.139.190, 443, 49700, 49701 VOLIA-ASUA Ukraine 22->50 42 C:\Users\user\AppData\...behaviorgraphBUNFa2vpY.exe, PE32 22->42 dropped 44 C:\Users\...behaviorgraphBUNFa2vpY.exe:Zone.Identifier, ASCII 22->44 dropped 28 GBUNFa2vpY.exe 22->28         started        31 icacls.exe 22->31         started        52 192.168.2.1 unknown unknown 26->52 file7 signatures8 process9 signatures10 76 Injects a PE file into a foreign processes 28->76 33 GBUNFa2vpY.exe 12 28->33         started        process11 dnsIp12 54 api.2ip.ua 33->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9eeb3c37031477470fe1afa167ad3e32b7c270084eaac2b11da208e6ebce6eaa/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 19:07:43 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
33 of 45 (73.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t3vtynydcr3uod7bv6qwplj6gk34e4aij2vmfmi5uieon26on2va._file
Verdict:
malicious
Similar samples:
26967c1b5ff6848501ddf70985408b7736835286f788f663e086f34aecd6bfb1
Stop
44f6676314c6c50f2807f34a33335abd58ca254f95c213496205825257f7b4d6
Stop
47d6022eaad843e702e839fd027870f7089bd19ba6548e36bf5e82b5c70a2f23
Stop
63c696185eacdb5998d82e02e8cc0afd09db991ece9f72f5e99007e2aa36f4c3
Stop
65de8f856c797623ad2fd66f9e1dcce4a74b969334964b535cc0176eb588af95
Stop
7c75df63bc40beca5ccf65db76c33539ee9f3468a4149e1a0c0bfd30949f4b4d
Stop
804b9c87f98a32101b51f26c221e589bc80350b69c163abfab2de64f7e9b3e72
Stop
99ee06f5fb4f0aa90678d6a6405d2d01138bcd128c6d2aabecda07c110361ba2
Stop
a3c074948f5e3d2b89f0035bbf7bd74b1a3ec0525dc1496b4463f55ef15f3521
Stop
ed8a7ffec56f450a365e758012db092883bbd23565f3f9fbb004c189fb703de3
Stop
+ 607 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar botnet:517 discovery persistence ransomware spyware stealer suricata
Link:
https://tria.ge/reports/210913-hbs3sagahm/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://gheorghip.tumblr.com/
Unpacked files
SH256 hash:
160aa84363640ef0e569e00640cda85b766b67c1ff71b0fd949a3ce2e6e40a9c
MD5 hash:
dc4e9cdb6ae0ce6841be15657634ad11
SHA1 hash:
585d350e71c55988c029423eec6b67737a520fa0
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/678bf746-57a8-4cfa-abe7-e784d93f05d5/
Parent samples :
ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af
2db346799c65a4fc59e3063f0c749ac70e160ddcd4f719e897463d6de53621c1
a4656e6277f4a2474916019682ad674c7988a3b30a72ebc34d16089cb3e22453
341adff3ec7c3cf9ec58b939d8c1104d8e6d228653055d6656348d421852d368
7674f1f7b2b53467fec308bdcaf89c80b4d25eb683ac0ad105084b3dd5cc0cc8
857fd1017141f401e9a263e477a80f000d9d064b891a1087b9a51220924a017c
d7bf9c3f9a679bd9c80e455608ef51ea9e91a84031a173c12bb3946050076411
9915b1b61a0eee3b29c2c7238f5f3198137e3b6479689224c3381a155d7b53fe
0d4704002980d141dc8ca282a4cb6ec338a6bbe0d95316cfad6a47b940b4e664
9a9f3b0dbf3655264bdabd0e02127d74b341522c669d3eb11b22b2e2da97867f
68638ad366d915c1df35046302109dac675ce9f800935f377a718389479d433f
a4ac450123dc6794e5ed2fb846d74d70f95be897931fa43983665e8287176a23
da7263588f95278e91f5ddb2898d18735d6c6abfa1e872d1358aafa4e044adca
076ea240e131689495e71d09589d2f3c1bbc43bee4f15938ef59191cd75e049c
15dd9d8533066e0b099af7258e5db6ed2f24edd712040b2ad0d3d1f8fecb2c5a
acc3b48cd0873ffa9a1777f269ff514af019b538386306738e90fefaa18d3827
7551d65fbd92fec28a83f696a49d771bfea37c7050099c3e010d9ec1f4fbc1e6
95dbc0c60bcc0a5f72eb528358b866dd0b4933fe7fc1e68e921615729fe569cf
9eeb3c37031477470fe1afa167ad3e32b7c270084eaac2b11da208e6ebce6eaa
d5b3a05a83dac1fde11c26bb358f513ddf0cb57853a141fecccda0446c842f81
SH256 hash:
9eeb3c37031477470fe1afa167ad3e32b7c270084eaac2b11da208e6ebce6eaa
MD5 hash:
cb2bf6a0df379cdab305c08f09259097
SHA1 hash:
39e05a87b1a88a88299b28bde5215efee126a0d3
Link:
https://www.unpac.me/results/678bf746-57a8-4cfa-abe7-e784d93f05d5/
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9eeb3c370314/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9eeb3c37031477470fe1afa167ad3e32b7c270084eaac2b11da208e6ebce6eaa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187220/

Comments