MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0e32603876c3035d76a78e35d5f89576ded2475451b4d27e19331bf9e6abfc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0e32603876c3035d76a78e35d5f89576ded2475451b4d27e19331bf9e6abfc3
SHA3-384 hash: bf7ad0f495759bc5742ef5985e6785c0057074ec1fb9cfbd08afc3cef240fad495a06af3a80d885469e5b92d42ed4003
SHA1 hash: 33626c43f90a2f0ff4fd8fb05ed9ff4eb7d90711
MD5 hash: d09ae1e8fcbf74bbed3ae6b78f88774e
humanhash: mexico-wyoming-uncle-lactose
File name:a0e32603876c3035d76a78e35d5f89576ded2475451b4d27e19331bf9e6abfc3
Download: download sample
Signature Stop
Create hunting rule
File size:780'800 bytes
First seen:2021-05-03 01:15:12 UTC
Last seen:2021-05-03 02:01:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6fc938eed88df72e2acc9fa15082e527 (1 x Stop)
ssdeep 12288:D9PXCLhUh2MuYWzMBmn/ZvO7xh0EFK9Mw5JeTxuw+zadl5hAysooohm1DBsI:JPS1UVowm/ZvO7j0EFK9LJoGWiKgDBs
Threatray 48 similar samples on MalwareBazaar
TLSH EAF4011032BDC4B3C1921C729425C6B5BE7B78B78922098B7AC83B7D0F747D1A62675E
Reporter fbgwls245
Tags:.wrui djvu Ransomware Stop

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'230
Origin country :
n/a
Vendor Threat Intelligence
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/148050/
Detection(s):
SecuriteInfo.com.Malware.PDB-11.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Sending an HTTP GET request
Creating a window
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Djvu Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/706812
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Mutes Antivirus updates and installments via hosts file black listing
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402326 Sample: 5jHZqgYHCZ Startdate: 03/05/2021 Architecture: WINDOWS Score: 100 91 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->91 93 Multi AV Scanner detection for domain / URL 2->93 95 Antivirus detection for URL or domain 2->95 97 5 other signatures 2->97 10 5jHZqgYHCZ.exe 1 18 2->10         started        15 5jHZqgYHCZ.exe 12 2->15         started        17 5jHZqgYHCZ.exe 12 2->17         started        19 5jHZqgYHCZ.exe 2->19         started        process3 dnsIp4 85 api.2ip.ua 77.123.139.190, 443, 49717, 49719 VOLIA-ASUA Ukraine 10->85 67 C:\Users\user\AppData\...\5jHZqgYHCZ.exe, PE32 10->67 dropped 69 C:\Users\...\5jHZqgYHCZ.exe:Zone.Identifier, ASCII 10->69 dropped 103 Detected unpacking (changes PE section rights) 10->103 105 Detected unpacking (overwrites its own PE header) 10->105 107 Writes many files with high entropy 10->107 21 5jHZqgYHCZ.exe 1 26 10->21         started        26 icacls.exe 10->26         started        109 Multi AV Scanner detection for dropped file 15->109 111 Machine Learning detection for dropped file 15->111 file5 signatures6 process7 dnsIp8 81 jfes.top 31.40.251.99, 49721, 49722, 49724 ITLDC-NLUA Russian Federation 21->81 83 api.2ip.ua 21->83 57 C:\Users\user\AppData\Local\...\Apps.index, DOS 21->57 dropped 59 C:\...\FileSync.LocalizedResources.dll.mui, COM 21->59 dropped 61 C:\...\FileSync.LocalizedResources.dll.mui, DOS 21->61 dropped 63 316 other files (307 malicious) 21->63 dropped 99 Modifies existing user documents (likely ransomware behavior) 21->99 28 5.exe 21->28         started        33 updatewin1.exe 2 21->33         started        35 updatewin2.exe 21->35         started        file9 signatures10 process11 dnsIp12 87 188.34.193.205, 49731, 80 HETZNER-ASDE Germany 28->87 89 api.faceit.com 104.17.63.50, 443, 49730 CLOUDFLARENETUS United States 28->89 71 C:\Users\user\AppData\...\softokn3[1].dll, PE32 28->71 dropped 73 C:\Users\user\AppData\...\freebl3[1].dll, PE32 28->73 dropped 75 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 28->75 dropped 79 9 other files (none is malicious) 28->79 dropped 113 Detected unpacking (changes PE section rights) 28->113 115 Detected unpacking (overwrites its own PE header) 28->115 117 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->117 131 5 other signatures 28->131 37 cmd.exe 28->37         started        119 Antivirus detection for dropped file 33->119 121 Multi AV Scanner detection for dropped file 33->121 123 Suspicious powershell command line found 33->123 125 Bypasses PowerShell execution policy 33->125 39 updatewin1.exe 33->39         started        77 C:\Windows\System32\drivers\etc\hosts, ASCII 35->77 dropped 127 Mutes Antivirus updates and installments via hosts file black listing 35->127 129 Modifies the hosts file 35->129 file13 signatures14 process15 file16 43 conhost.exe 37->43         started        45 taskkill.exe 37->45         started        47 timeout.exe 37->47         started        65 C:\Users\user\AppData\Local\script.ps1, ASCII 39->65 dropped 101 Suspicious powershell command line found 39->101 49 powershell.exe 39->49         started        51 powershell.exe 39->51         started        signatures17 process18 process19 53 conhost.exe 49->53         started        55 conhost.exe 51->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0e32603876c3035d76a78e35d5f89576ded2475451b4d27e19331bf9e6abfc3/
Threat name:
Win32.Trojan.Hynamer
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 01:16:10 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=udrsma4hnqydlv3kpdrv2x4jk5w62jdviunu2j7bsmy37htkx7bq._file
Verdict:
malicious
Similar samples:
0552149181395fb0685b2dfa9b123334cb598173a13fbedf458f8c3613f8ff81
Stop
0aae86fc0351f1ea0999b86cfe8c6ab1b22d16697ba4753e465c5a31fe7746bb
Stop
12750a545215e41d452a16e1c451f0e0682a5330078813313b67cd09499ac674
Stop
496b5885ff8f521c91ca037338e188ea0374bf86816d0c804d3010fd2f5fec38
Stop
68516622ba1e5d57863f74ace36e02e400b92640281507f3c89ecbc8dacbd9fa
Stop
6ed8e078433a7e7938f2084f83a640d707708ac99a246b31736bd22327664668
Stop
a3c074948f5e3d2b89f0035bbf7bd74b1a3ec0525dc1496b4463f55ef15f3521
Stop
e833b7fc4bf14527edb120ee4e691a660b21f93b1ec22bf15881bdcee4c5bb8d
Stop
ed8a7ffec56f450a365e758012db092883bbd23565f3f9fbb004c189fb703de3
Stop
fdf29de5bc715feaa80709bdddd59b8293aa538d257ba9dd6a287d065ecb68a8
Stop
+ 38 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar discovery evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210503-xcsqnygewx/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads local data of messenger clients
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Deletes Windows Defender Definitions
Djvu Ransomware
Vidar
Unpacked files
SH256 hash:
b58165bb5a4f9040d187791e870f691c449e59d3f5fa8312ba7655864236328f
MD5 hash:
5fe929b15555feeb7e4ef768211d8caa
SHA1 hash:
49f52ac9a44d3259167dbf20e7328fdaf287ac7f
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/eebffa94-6b86-43c1-9aad-ace67a3da98c/
Parent samples :
7c75df63bc40beca5ccf65db76c33539ee9f3468a4149e1a0c0bfd30949f4b4d
1da3193c52b5ec3a14b36acbc9c92266a2a531399e33c1e3a209e828eda7a0a5
7c9bc6a878b6cb355bb2a5c70170aa48b1e8f369dd64ee47df3ac9ea9e213b02
9ded335a6f346de4aafbc4f8c08e90dce1f064820b13d6580f01731c9837d7a8
a0e32603876c3035d76a78e35d5f89576ded2475451b4d27e19331bf9e6abfc3
c14987c4c6fc2de2cac43355964465d7611652e29f699d64fa292399f526c103
e833b7fc4bf14527edb120ee4e691a660b21f93b1ec22bf15881bdcee4c5bb8d
712e9e9e2976782e38288d45a2d177f1dc3757c7610b4b9bae9e35be9f20b913
SH256 hash:
a0e32603876c3035d76a78e35d5f89576ded2475451b4d27e19331bf9e6abfc3
MD5 hash:
d09ae1e8fcbf74bbed3ae6b78f88774e
SHA1 hash:
33626c43f90a2f0ff4fd8fb05ed9ff4eb7d90711
Link:
https://www.unpac.me/results/eebffa94-6b86-43c1-9aad-ace67a3da98c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0e32603876c3035d76a78e35d5f89576ded2475451b4d27e19331bf9e6abfc3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148050/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-03 02:07:27 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
1) [C0003.001] Communication Micro-objective::Create Pipe::Interprocess Communication
2) [C0003.003] Communication Micro-objective::Read Pipe::Interprocess Communication
3) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0049] File System Micro-objective::Get File Attributes
7) [C0052] File System Micro-objective::Writes File
8) [C0007] Memory Micro-objective::Allocate Memory
9) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
10) [C0040] Process Micro-objective::Allocate Thread Local Storage
11) [C0042] Process Micro-objective::Create Mutex
12) [C0041] Process Micro-objective::Set Thread Local Storage Value
13) [C0018] Process Micro-objective::Terminate Process
14) [C0039] Process Micro-objective::Terminate Thread