MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c979073b7b3fbd634965151b8eef27a4133606468bfd358ac21bc24fac62b347. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vendor detections: 12



SHA256 hash: c979073b7b3fbd634965151b8eef27a4133606468bfd358ac21bc24fac62b347
SHA3-384 hash: 1c6989589b8856b11b429350f3ea48b3348df23587f3d0bc33715b2ff2cbb91d7e281a5a8c0dc7dfb15182adfbcbe41a
SHA1 hash: 2f24cf7616a4cd214260bed8db677fd6496a15dd
MD5 hash: 6e8a587335b9596e0b16ef2536369c94
humanhash: black-saturn-paris-jupiter
File name: 6e8a587335b9596e0b16ef2536369c94.exe
Signature: Stop
File size: 712'704 bytes
First seen: 2022-07-31 14:50:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e0c800659a243c7f8c8dcb4fa6607236 (4 x Stop)
ssdeep: 12288:Lp6yNJc660N+cEltm97ALT8jbqYbyj7Lfm7WNRsCN+btJuiyYupRu:Lp6yNacEA7ALT8bbg/MR9yhU
TLSH: T1B0E4122032E4C432E5EB0A3054BBD5F665BEB963163C898B6744676E3FF16C12A713C6
TrID:
48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 38b078eccacccc43 (88 x Smoke Loader, 38 x Stop, 33 x RedLineStealer)
Reporter: abuse_ch
Tags: exe Stop


abuse_ch
Stop C2:
http://116.202.178.170/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://116.202.178.170/
ThreatFox reference: https://threatfox.abuse.ch/ioc/840574/

Intelligence


File Origin
# of uploads :
1
# of downloads :
382
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Creating synchronization primitives
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Verdict:
Malicious
Result
Threat name:
Djvu, Vidar
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (creates a PE file in dynamic memory)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Behaviour
Behavior Graph: rendered process graph not reproduced (Behavior Graph ID 676296; sample 8fdqRFpq2z.exe; start date 31/07/2022; architecture WINDOWS; score 100)
Threat name:
Win32.Trojan.Raccrypt
Status:
Malicious
First seen:
2022-07-31 14:51:09 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
Score:
  10/10
Tags:
family:djvu family:vidar botnet:517 discovery persistence ransomware spyware stealer
Behaviour
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Detected Djvu ransomware
Djvu Ransomware
Vidar
Malware Config
C2 Extraction:
http://acacaca.org/fhsgtsspen6/get.php
https://t.me/cheaptrains
https://mastodon.social/@ffolegg94
Unpacked files
SHA256 hash:
2d993966223f9e5e54104da1a4432796cb404ec5aa0c80c6f59053a19432909c
MD5 hash:
e039ac840b5dcebc6d241eb5d6fcbf92
SHA1 hash:
d9ca97d692b6df8063dad7b952a0e031fe3899e8
Detections:
win_stop_auto
Parent samples :
SHA256 hash:
c979073b7b3fbd634965151b8eef27a4133606468bfd358ac21bc24fac62b347
MD5 hash:
6e8a587335b9596e0b16ef2536369c94
SHA1 hash:
2f24cf7616a4cd214260bed8db677fd6496a15dd
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_STOP
Author: ditekSHen
Description: Detects STOP ransomware
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: win_stop_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.stop.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Stop, Executable exe c979073b7b3fbd634965151b8eef27a4133606468bfd358ac21bc24fac62b347 (this sample)
Delivery method: Distributed via web download
