MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb98e1a383024c9c13dadeab0b3b162b4e4c718b17cb5e3c7d08c1a547245ee1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb98e1a383024c9c13dadeab0b3b162b4e4c718b17cb5e3c7d08c1a547245ee1
SHA3-384 hash: 0ef8216331603a6f4fdaf64eabc285170acdfa8f8bd4344c0775f6c68eaca85c4874271a68ea8f99a772d9f52a857416
SHA1 hash: 386297f04adb997c989ac4160a953bec35747fd2
MD5 hash: fed7f6897324c0ca20ae8315e74ca432
humanhash: december-pluto-fish-sodium
File name:bb98e1a383024c9c13dadeab0b3b162b4e4c718b17cb5e3c7d08c1a547245ee1
Download: download sample
Signature Stop
Create hunting rule
File size:868'864 bytes
First seen:2022-03-28 06:16:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ed673bb78007b5e69407cd48f247d0f7 (2 x Stop, 1 x RedLineStealer)
ssdeep 24576:um7mnrkoIbPpA5y6n5G5KDn/fiCh50ueaSb:uHHIbRg5Ge/6CD0u5Sb
Threatray 974 similar samples on MalwareBazaar
TLSH T12E05F1506BA0D039E1F716F43976C3BCA52EBDA1AB2454CB62D53ADE46346D0ECB430B
File icon (PE):PE icon
dhash icon 2dac1370399b9b91 (45 x RedLineStealer, 35 x Smoke Loader, 19 x Amadey)
Reporter JAMESWT_WT
Tags:exe Stop

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/258392/
Detection(s):
Win.Packed.Filerepmalware-9938531-0
Create hunting rule

Win.Dropper.Generickdz-9939781-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Сreating synchronization primitives
Deleting a recently created file
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/11712/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/624152e99253b276b78c8858/reports/3aa5c1a3-61ae-430a-9233-b5d5b9e131a4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba44edad-27ad-4e49-b314-a13acea6bcd5
Result
Threat name:
Djvu Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/965555
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 598037 Sample: 0zWVBzeo9B Startdate: 28/03/2022 Architecture: WINDOWS Score: 100 98 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->98 100 Multi AV Scanner detection for domain / URL 2->100 102 Malicious sample detected (through community Yara rule) 2->102 104 10 other signatures 2->104 12 0zWVBzeo9B.exe 2->12         started        15 0zWVBzeo9B.exe 2->15         started        17 0zWVBzeo9B.exe 2->17         started        19 0zWVBzeo9B.exe 2->19         started        process3 signatures4 116 Contains functionality to inject code into remote processes 12->116 118 Writes many files with high entropy 12->118 120 Injects a PE file into a foreign processes 12->120 21 0zWVBzeo9B.exe 1 16 12->21         started        25 0zWVBzeo9B.exe 15->25         started        28 0zWVBzeo9B.exe 12 17->28         started        30 0zWVBzeo9B.exe 12 19->30         started        process5 dnsIp6 84 api.2ip.ua 162.0.218.244, 443, 49747, 49748 ACPCA Canada 21->84 58 C:\Users\...\0zWVBzeo9B.exe:Zone.Identifier, ASCII 21->58 dropped 60 C:\Users\user\AppData\...\0zWVBzeo9B.exe, MS-DOS 21->60 dropped 32 0zWVBzeo9B.exe 21->32         started        35 icacls.exe 21->35         started        62 C:\Users\user\Desktop\...\PALRGUCVEH.xlsx, data 25->62 dropped 64 C:\Users\user\Desktop\...behaviorgraphIGIYTFFYT.png, data 25->64 dropped 66 C:\Users\user\Desktop\...FOYFBOLXA.docx, data 25->66 dropped 108 Modifies existing user documents (likely ransomware behavior) 25->108 file7 signatures8 process9 signatures10 96 Injects a PE file into a foreign processes 32->96 37 0zWVBzeo9B.exe 1 22 32->37         started        process11 dnsIp12 86 fuyt.org 211.169.6.249, 49749, 49751, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 37->86 88 zerit.top 211.171.233.126, 49750, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 37->88 90 api.2ip.ua 37->90 68 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 37->68 dropped 70 C:\Users\user\AppData\Local\...\build2.exe, PE32 37->70 dropped 72 C:\_readme.txt, ASCII 37->72 dropped 74 35 other files (34 malicious) 37->74 dropped 106 Infects executable files (exe, dll, sys, html) 37->106 42 build2.exe 37->42         started        file13 signatures14 process15 signatures16 110 Multi AV Scanner detection for dropped file 42->110 112 Machine Learning detection for dropped file 42->112 114 Injects a PE file into a foreign processes 42->114 45 build2.exe 42->45         started        process17 dnsIp18 92 5.252.21.17, 49761, 80 FIRSTDC-ASRU Russian Federation 45->92 94 192.168.2.1 unknown unknown 45->94 76 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 45->76 dropped 78 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 45->78 dropped 80 C:\Users\user\AppData\...\freebl3[1].dll, PE32 45->80 dropped 82 9 other files (none is malicious) 45->82 dropped 122 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 45->122 124 Tries to steal Mail credentials (via file / registry access) 45->124 126 Tries to harvest and steal browser information (history, passwords, etc) 45->126 128 Tries to steal Crypto Currency Wallets 45->128 50 cmd.exe 45->50         started        file19 signatures20 process21 process22 52 conhost.exe 50->52         started        54 taskkill.exe 50->54         started        56 timeout.exe 50->56         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb98e1a383024c9c13dadeab0b3b162b4e4c718b17cb5e3c7d08c1a547245ee1/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 21:54:23 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
36 of 42 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xomodi4dajgjye6232vqwoywfnhey4mlc7fv4pd5bda2krzel3qq._file
Verdict:
malicious
Similar samples:
2a06da1f6bb8f01f932093ed9ae5f1ca2ff7b53b89dfd46a0102200cf3ebaead
Stop
2e71e3bcb39c87ae43d0019b5d62084b8eb2bb0ebe09c05d7cf2ad026082e527
Stop
30d61c9063fe72a9a6a1519ad4a2c43dc7e88fac46904e6f7227fa789be5dbb6
Stop
37c73441b4721b0231c8794d6d4fde63de828dbf59c18f64a52c7fc2e456fa80
Stop
56a34b76ba7c81e554eeb1dcfe93a6d0f61103536f9a0387fb220768bd2149df
Stop
80cdfc120b7824e7cb5b34fc9ab1b6b43b84dfb435fd8f3e681ad4ae0ebd41de
Stop
de1bec11380a046d35656cb592a399445a6deb5934a2892dcd5dac3d0f61c55e
Stop
+ 964 additional samples on MalwareBazaar
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu ransomware
Link:
https://tria.ge/reports/220328-g12ksachcj/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://fuyt.org/fhsgtsspen6/get.php
Unpacked files
SH256 hash:
7fbd583f59d5b4e90f2b769051a59618fccfa0e8b89b10480e4b69ff96926552
MD5 hash:
36cb08837ec0ef96e200793e251a2efc
SHA1 hash:
1249a2b56aeb05bf676b143932cd61eb7c0cd24b
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/0247f3b3-e5bf-436c-9691-59df43227082/
Parent samples :
44bb21303dd6b48eb9f2a1a12e2eddbc3fd13b42ef4ed111c85091979ed3f07e
bb98e1a383024c9c13dadeab0b3b162b4e4c718b17cb5e3c7d08c1a547245ee1
SH256 hash:
bb98e1a383024c9c13dadeab0b3b162b4e4c718b17cb5e3c7d08c1a547245ee1
MD5 hash:
fed7f6897324c0ca20ae8315e74ca432
SHA1 hash:
386297f04adb997c989ac4160a953bec35747fd2
Link:
https://www.unpac.me/results/0247f3b3-e5bf-436c-9691-59df43227082/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb98e1a383024c9c13dadeab0b3b162b4e4c718b17cb5e3c7d08c1a547245ee1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/258392/

Comments