MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c73cb93ad9ad6d003b505ce2b960d75467ad612786e0559c74dca18426fb9400. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stop

Vendor detections: 17

Intelligence 17 IOCs YARA 12 File information Comments

SHA256 hash:	c73cb93ad9ad6d003b505ce2b960d75467ad612786e0559c74dca18426fb9400
SHA3-384 hash:	0b9f07b5e0a19ca65032cb2b7b2ae19efd8a2d3e98600ff403896a1dac70a3b0d79c560ffc1279406f2a9a30f8314f56
SHA1 hash:	41b8851bc57462502b0113ee1f2579dff5d94f4f
MD5 hash:	5cacd6f1b5cec25f3f0b0b3c4d5807d3
humanhash:	idaho-mobile-cat-shade
File name:	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
Download:	download sample
Signature	Stop Create hunting rule
File size:	1'150'976 bytes
First seen:	2024-01-26 00:34:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0c756c849bc7b459f78f7a5ce46cd4a7 (14 x Stop)
ssdeep	24576:ZBUIKn/vwOXGUXAjCymYZiVtElVIBT2roqnTSSxWeT/dRPOO82WQHUq7:F0dwAYZt6C31WeTVRPOh27Uq7
TLSH	T12435AE02BB819171E5D341BA0DFE977E883AA9A0933A95C3D7E91C568E306D0673F3C5
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	ukycircle
Tags:	exe Stop

Intelligence

File Origin

# of uploads :

# of downloads :

382

Origin country :

Vendor Threat Intelligence

Malware family:

stop

ID:

File name:

c73cb93ad9ad6d003b505ce2b960d75467ad612786e0559c74dca18426fb9400.exe

Verdict:

Malicious activity

Analysis date:

2024-01-26 00:36:02 UTC

Tags:

loader vodkagats ransomware stop

Link:

https://app.any.run/tasks/df98353f-5340-46d5-b3a0-dee3860a9f8d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

STOP

Link:

https://www.capesandbox.com/analysis/472968/

Detection(s):

Win.Ransomware.Bandook-9859375-1

ditekSHen.MALWARE.Win.Ransomware.STOP.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending an HTTP GET request

Creating a file

Launching a process

Creating a process with a hidden window

Adding an access-denied ACE

Сreating synchronization primitives

Restart of the analyzed sample

Deleting a recently created file

Creating a window

Searching for synchronization primitives

Query of malicious DNS domain

Sending a TCP request to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypto fingerprint obfuscated

Link:

https://www.filescan.io/uploads/65b2fe391dcf0cd54472d4c1/reports/6b676e38-576a-42c8-8f10-d2368a1c23ec/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/c73cb93ad9ad6d003b505ce2b960d75467ad612786e0559c74dca18426fb9400

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/550c9514-9494-457e-9a9f-fdb7440de3cf

Result

Threat name:

Babuk, Djvu

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1381448

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

Yara detected Babuk Ransomware

Yara detected Djvu Ransomware

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c73cb93ad9ad6d003b505ce2b960d75467ad612786e0559c74dca18426fb9400

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c73cb93ad9ad6d003b505ce2b960d75467ad612786e0559c74dca18426fb9400/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2024-01-26 00:35:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

33 of 38 (86.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y46lsowzvvwqao2qltrlsygxkrt22yjhq3qflhdu3sqyijx3sqaa._file

Verdict:

malicious

Result

Malware family:

djvu

Score:

10/10

Tags:

family:djvu discovery persistence ransomware

Link:

https://tria.ge/reports/240126-axb3dsbegl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Modifies file permissions

Detected Djvu ransomware

Djvu Ransomware

Malware Config

C2 Extraction:

http://zexeq.com/raud/get.php

Unpacked files

SH256 hash:

c73cb93ad9ad6d003b505ce2b960d75467ad612786e0559c74dca18426fb9400

MD5 hash:

5cacd6f1b5cec25f3f0b0b3c4d5807d3

SHA1 hash:

41b8851bc57462502b0113ee1f2579dff5d94f4f

Detections:

djvu_ransomware

win_stop_auto

SUSP_XORed_URL_In_EXE

MALWARE_Win_STOP

Link:

https://www.unpac.me/results/bd6bc95e-34d5-4614-a2f0-a2d8398d54fe/

Parent samples :

39cde430a42f8db826a22030fe3501c56d793b630974c951b95bf9524f9f5e86
ae66efca8cc87504c37693456936d0cd1b51a6ea7a9725f9bdbf872f5ae01f6e
3a7a5677e028001086397a06a1bcbcb964a43c9ef768eedd4f1211bc11b19817
4de2d00f758ece9e388f390616b66ca6581376cc674a6c2448f1bd9301246e8b
d6f37a028d5209e0bce8c5e56da2c394562eb35f7b1e45488a800a95ebc4e2ac
321a9603f5358e2226a1af459316e3d9623d9f79868c500476fa8b6a2d75b850
e621d09e48b7c35f82619704e5b8e79b73ae5f4ea4f898f39b0d02bffcae9022
981a5ceff09b61572b39e277ca8909681eb055bff5ac0d91d346d0c4387dc27b
baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b
c73cb93ad9ad6d003b505ce2b960d75467ad612786e0559c74dca18426fb9400

Malware family:

Djvu

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c73cb93ad9ad/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c73cb93ad9ad6d003b505ce2b960d75467ad612786e0559c74dca18426fb9400

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_STOP Create hunting rule
Author:	ditekSHen
Description:	Detects STOP ransomware

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Windows_Ransomware_Stop_1e8d48ff Create hunting rule
Author:	Elastic Security

Rule name:	win_stop_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/472968/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample