MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aad6294207c2facfebf440fa5d52804422edbf9c9e9adb4a7aaff0310b1c5d11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aad6294207c2facfebf440fa5d52804422edbf9c9e9adb4a7aaff0310b1c5d11
SHA3-384 hash: aca8258c02cf14859f630be50af2d0f7f9ea4b520cbcbfc41528fcf1b05b2465c202cce8319a3454e42c0d23ad45b6ca
SHA1 hash: ee31cac794e6fdd200f36629bbe8c556c52ae61b
MD5 hash: 91db4a17206eda8936d0ce1e12eb51a8
humanhash: uniform-jupiter-lima-freddie
File name:91db4a17206eda8936d0ce1e12eb51a8.exe
Download: download sample
Signature Stop
Create hunting rule
File size:829'952 bytes
First seen:2021-10-19 13:31:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f937f2af706dbcbf43ed87b459c473ae (2 x Stop, 1 x Loki, 1 x Smoke Loader)
ssdeep 12288:fS4LATxlJk/NKXKUoKIDSJZf/DfAU5zrU2XZl6wdL5UWI6BdFhi33JwZGEX8cA0U:6pjJ4N2K9Yx/DFzrz8wZ0ci33ysEv
Threatray 791 similar samples on MalwareBazaar
TLSH T13B0502B1AE718433CA7645314838CAA57939BC45D620F49B33F8EB2E1E712C896F175E
File icon (PE):PE icon
dhash icon fcfcb4f4d4dcd8c0 (7 x RedLineStealer, 4 x RaccoonStealer, 3 x Smoke Loader)
Reporter abuse_ch
Tags:exe Ransomware Stop

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198509/
Detection(s):
SecuriteInfo.com.Packed-GDV91DB4A17206E.30883.12689.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/616ec8d49a5a1e91c5c67590/reports/2756efa8-581f-42cd-92d2-bec512b86e5d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a3fe5a61-0e34-49d2-8bb9-4ed7dfceefd7
Result
Threat name:
Clipboard Hijacker Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/873142
Signature
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 505570 Sample: BEPyekPmPg.exe Startdate: 19/10/2021 Architecture: WINDOWS Score: 100 73 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->73 75 Multi AV Scanner detection for domain / URL 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 4 other signatures 2->79 12 BEPyekPmPg.exe 2->12         started        15 BEPyekPmPg.exe 2->15         started        17 mstsca.exe 2->17         started        19 2 other processes 2->19 process3 signatures4 91 Detected unpacking (changes PE section rights) 12->91 93 Detected unpacking (overwrites its own PE header) 12->93 95 Contains functionality to inject code into remote processes 12->95 97 Writes many files with high entropy 12->97 21 BEPyekPmPg.exe 1 17 12->21         started        99 Injects a PE file into a foreign processes 15->99 25 BEPyekPmPg.exe 13 15->25         started        101 Multi AV Scanner detection for dropped file 17->101 103 Machine Learning detection for dropped file 17->103 27 BEPyekPmPg.exe 13 19->27         started        29 BEPyekPmPg.exe 19->29         started        process5 dnsIp6 69 api.2ip.ua 77.123.139.190, 443, 49741, 49751 VOLIA-ASUA Ukraine 21->69 59 C:\Users\...\BEPyekPmPg.exe:Zone.Identifier, ASCII 21->59 dropped 31 BEPyekPmPg.exe 21->31         started        34 icacls.exe 21->34         started        71 192.168.2.1 unknown unknown 29->71 file7 process8 signatures9 105 Injects a PE file into a foreign processes 31->105 36 BEPyekPmPg.exe 1 23 31->36         started        process10 dnsIp11 63 rlrz.org 61.255.185.201, 49752, 49753, 80 SKB-ASSKBroadbandCoLtdKR Korea Republic of 36->63 65 znpst.top 36->65 67 api.2ip.ua 36->67 51 C:\_readme.txt, ASCII 36->51 dropped 53 C:\Users\user\...\BEPyekPmPg.exe.vtua (copy), MS-DOS 36->53 dropped 55 C:\Users\...\SmartScreenCache.dat.vtua (copy), data 36->55 dropped 57 41 other files (38 malicious) 36->57 dropped 81 Modifies existing user documents (likely ransomware behavior) 36->81 41 build3.exe 36->41         started        file12 signatures13 process14 signatures15 83 Detected unpacking (changes PE section rights) 41->83 85 Detected unpacking (overwrites its own PE header) 41->85 87 Uses schtasks.exe or at.exe to add and modify task schedules 41->87 89 Injects a PE file into a foreign processes 41->89 44 build3.exe 41->44         started        process16 file17 61 C:\Users\user\AppData\Roaming\...\mstsca.exe, PE32 44->61 dropped 47 schtasks.exe 44->47         started        process18 process19 49 conhost.exe 47->49         started       
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aad6294207c2facfebf440fa5d52804422edbf9c9e9adb4a7aaff0310b1c5d11/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-18 23:32:35 UTC
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vllcsqqhyl5m727uid5f2uuaiqro3p44t2nnwst2v7ydccy4luiq._file
Verdict:
malicious
Similar samples:
0d701159969acd5fb9bbf6b526fcf8cbf8fd05b48ba0ad4c01af41b8b5b45f72
Stop
26967c1b5ff6848501ddf70985408b7736835286f788f663e086f34aecd6bfb1
Stop
28987da061d42bee399b3cafd876c34826eea824758ae23ead826fe971cb978f
Stop
43b31ea75f3c0666523aefc13e216a651e8e93feaeff1165cb35ed374365cdd6
Stop
44f6676314c6c50f2807f34a33335abd58ca254f95c213496205825257f7b4d6
Stop
55e262d517e470787760c984868f07d582f8d8efd9ff98db0870c48c9a51c23d
Stop
65de8f856c797623ad2fd66f9e1dcce4a74b969334964b535cc0176eb588af95
Stop
804b9c87f98a32101b51f26c221e589bc80350b69c163abfab2de64f7e9b3e72
Stop
9afa91c839d958185548eccf40690eb7db7859a852ac06f3870a6165c287d6ba
Stop
f15e2ae6168ce22adfb50ee1838cfda69a046b13dc8a5a751379a71ceb76b650
Stop
+ 781 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar botnet:517 discovery persistence ransomware spyware stealer suricata
Link:
https://tria.ge/reports/211019-qsyzcsggcm/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://mas.to/@oleg98
http://rlrz.org/lancer
Unpacked files
SH256 hash:
e58c1b9788a7e1f15a484e99c7c45493d501c61a376c598617da0742975b6faa
MD5 hash:
bf5fbe667db11ae9665b0c96dea2382f
SHA1 hash:
4362cbf4e1332f94f8afeda50334671d977aa253
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/ca17e915-8786-41ad-bc6a-ecf8c1e857bd/
Parent samples :
43b31ea75f3c0666523aefc13e216a651e8e93feaeff1165cb35ed374365cdd6
aad6294207c2facfebf440fa5d52804422edbf9c9e9adb4a7aaff0310b1c5d11
4b3e6a191ab050a87aeeb8a650290c4e217e9508971beeb929417d13d89292e2
SH256 hash:
aad6294207c2facfebf440fa5d52804422edbf9c9e9adb4a7aaff0310b1c5d11
MD5 hash:
91db4a17206eda8936d0ce1e12eb51a8
SHA1 hash:
ee31cac794e6fdd200f36629bbe8c556c52ae61b
Link:
https://www.unpac.me/results/ca17e915-8786-41ad-bc6a-ecf8c1e857bd/
Malware family:
STOP
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/aad6294207c2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aad6294207c2facfebf440fa5d52804422edbf9c9e9adb4a7aaff0310b1c5d11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/198509/

Comments