MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b137ebe8bdaa826c6cae0c3805ee7546c49b064a679f6c793acea316c7e45985. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vendor detections: 13

SHA256 hash: b137ebe8bdaa826c6cae0c3805ee7546c49b064a679f6c793acea316c7e45985
SHA3-384 hash: 9652afec0b0915eee14f49ea13c9fa03ab4cf58b6ea7edd72c14e5427cd164fc5599e14ec6a6501d76c403c72acc1b0b
SHA1 hash: 3f9fd75135874b33e9841937b57ae08a965dfa50
MD5 hash: 6b25c98c9cd58ffb78aa9113926b1b3c
humanhash: london-cup-zebra-sad
File name: b137ebe8bdaa826c6cae0c3805ee7546c49b064a679f6c793acea316c7e45985
Signature: Stop
File size: 710'656 bytes
First seen: 2021-09-09 11:59:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 988a7268419d4b719ababe776a869c01 (2 x Stop, 1 x ArkeiStealer)
ssdeep: 12288:WbHqcPD1uiUvBhQHSb3so97f7H/qtPBlDLU5b387/f7s0IfdOt4Sv:WbHq2D1crGi7fqZBl3UNkfx6dF
Threatray: 593 similar samples on MalwareBazaar
TLSH: T1D0E412123DB3D533CE5B657098B4C5F10A393A32BA72598B735A177D8E70E805B3638A
dhash icon: 1072c093b0381906 (22 x RedLineStealer, 22 x RaccoonStealer, 20 x Stop)
Reporter: JAMESWT_WT
Tags: exe Stop

Intelligence


File Origin
# of uploads: 1
# of downloads: 139
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b137ebe8bdaa826c6cae0c3805ee7546c49b064a679f6c793acea316c7e45985
Verdict: Suspicious activity
Analysis date: 2021-09-09 12:02:14 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Sending a UDP request
Deleting a recently created file
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Malware family: STOP Ransomware
Verdict: Malicious
Result
Threat name: Clipboard Hijacker Djvu Vidar
Detection: malicious
Classification: rans.spre.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 480500
Sample: giR4HDNcVE
Start date: 09/09/2021
Architecture: WINDOWS
Score: 100

Network contacts from the root node:
  gheorghip.tumblr.com 74.114.154.22, 443, 49745, AUTOMATTICUS, Canada
  162.55.179.90, 49746, 80, ACPCA, United States
  api.2ip.ua
Root-node signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 9 other signatures

Process tree:
  giR4HDNcVE.exe (node 9) started
    signatures: Detected unpacking (changes PE section rights); Contains functionality to inject code into remote processes; Writes many files with high entropy
    giR4HDNcVE.exe (node 14) started
      network: api.2ip.ua 77.123.139.190, 443, 49734, 49735, VOLIA-ASUA, Ukraine
      dropped: C:\Users\...\giR4HDNcVE.exe:Zone.Identifier, ASCII
      giR4HDNcVE.exe (node 18) started
        signatures: Injects a PE file into a foreign processes
        giR4HDNcVE.exe (node 23) started
          network: securebiz.org 118.221.132.200, 49737, 80, SKB-ASSKBroadbandCoLtdKR, Korea Republic of
                   tbpws.top 116.121.62.237, 49736, 49742, 80, CJNET-ASCheiljedangCoIncKR, Korea Republic of
                   2 other IPs or domains
          dropped: C:\Users\user\...\setup.exe.efdc (copy), DOS
                   Uninstall-PerUser_...60c.log.efdc (copy), COM
                   C:\Users\user\Desktop\...EGWXUHVUG.xlsx, DOS
                   363 other files (347 malicious)
          signatures: Infects executable files (exe, dll, sys, html); Modifies existing user documents (likely ransomware behavior)
      icacls.exe (node 21) started
  giR4HDNcVE.exe (node 12) started
    signatures: Injects a PE file into a foreign processes
Threat name: Win32.Ransomware.WannaCry
Status: Malicious
First seen: 2021-09-08 23:48:48 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 28 of 45 (62.22%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:djvu family:vidar botnet:517 discovery persistence ransomware spyware stealer suricata
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Detected Djvu ransomeware
Djvu Ransomware
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction: https://gheorghip.tumblr.com/
Unpacked files
SHA256 hash: cfe7346df9e62e1ca55be5d4bc854a04cfe447f69f00f92cdd19c1df832b80f4
MD5 hash: 9a676f292f85e2d7467692f56ba9d922
SHA1 hash: ab4f8e6a99474b0d3f0b43a4299ba6a99cf7f58f
Detections: win_stop_auto
Parent samples:
SHA256 hash: b137ebe8bdaa826c6cae0c3805ee7546c49b064a679f6c793acea316c7e45985
MD5 hash: 6b25c98c9cd58ffb78aa9113926b1b3c
SHA1 hash: 3f9fd75135874b33e9841937b57ae08a965dfa50
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_STOP
Author: ditekSHen
Description: Detects STOP ransomware

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: win_stop_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.stop.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments