MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbc5ce28b1925b070284c6cb443ef9197ed6d78d3d8b891189e7d103003cf8c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vendor detections: 14

SHA256 hash: cbc5ce28b1925b070284c6cb443ef9197ed6d78d3d8b891189e7d103003cf8c0
SHA3-384 hash: 52977476c90da9980a36ece9b4acdc8bcc35bbb3a59c7a35d1709679f68aee6ed6eeb54fdffc3bedf8ba8e1b52dc25b9
SHA1 hash: ded1c0a04f4e8097ae3f075ddb216ea54d1c3bdd
MD5 hash: f82f912af9e8977168720c1145a09e77
humanhash: nebraska-bakerloo-tennis-red
File name: 1631E2571D7E0EBF784A263FE72777450189800806D145C4937492DFCB55F2D5.exe
Signature: Stop
File size: 809'472 bytes
First seen: 2024-07-24 11:34:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3a09809e2f82aed7962ea0c7c3c640d3 (3 x Stop, 2 x RedLineStealer, 1 x Loki)
ssdeep: 12288:MzQh1cG6b40zotvxo6x5BC0bh9aU0glNGlcsu9G3+Hwm1e9tsS/0:MEh1cJkNxp5DaUPnLz89D/0
TLSH: T18A0523167B70E472C0A634322417C77212FF67318B66A887F70A1E9A0FB17D1F9B9685
TrID: 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter: Anonymous
Tags: exe Stop


Anonymous
this malware sample is very nasty!

Intelligence


File Origin
# of uploads: 1
# of downloads: 332
Origin country: US
Vendor Threat Intelligence
Verdict: Malicious
Score: 99.9%
Tags: Execution Generic Infostealer Network Ransomware Static Stealth Stop
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Sending an HTTP GET request to an infection source
Unauthorized injection to a recently created process
Restart of the analyzed sample
Sending a TCP request to an infection source
Modifying an executable file
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Creating synchronization primitives
Deleting a recently created file
Query of malicious DNS domain
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Infecting executable files
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: fingerprint lolbin microsoft_visual_cc packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: STOP Ransomware
Verdict: Malicious
Result
Threat name: Babuk, Bdaejec, Djvu
Detection: malicious
Classification: rans.spre.troj.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Sample uses process hollowing technique
Uses known network protocols on non-standard ports
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Bdaejec
Yara detected Djvu Ransomware
Behaviour
Behavior Graph: ID 1479980, Sample: 1631E2571D7E0EBF784A263FE72777450189800806D145C4937492DFCB55F2D5.exe, Startdate: 24/07/2024, Architecture: WINDOWS, Score: 100. The rendered graph (process tree with the dropped MEeoRLI.exe, the ransom note _readme.txt, and network contacts to zerit.top, fuyt.org, api.2ip.ua and ddos.dnsnb8.net) is not reproduced here.
Threat name: Win32.Virus.Jadtre
Status: Malicious
First seen: 2024-07-24 11:35:06 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 23 of 24 (95.83%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:djvu aspackv2 discovery persistence ransomware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction: http://fuyt.org/test1/get.php
Unpacked files
SHA256 hash: abcf7d30cc3d111d0b472db7829aad9186623fea0a4eb2d009364a3badd036f7
MD5 hash: 5671aa66c7c6dd564040040af56613f5
SHA1 hash: 3acd65229fb3e9b95c0de6b15a4601f2a8ed1304
Detections: djvu_ransomware win_stop_auto SUSP_XORed_URL_In_EXE
Parent samples:
SHA256 hash: cafa8b231d7606ca3ddfd0f04727694d74be50981b65566f8bf8142e9f78b269
MD5 hash: f7b78fbbbce67c4d8c4d4b214844b033
SHA1 hash: c0d313cdfe6a9a279427b7caa00f1b87c6e83b46
Detections: win_unidentified_045_auto win_unidentified_045_g0
SHA256 hash: cbc5ce28b1925b070284c6cb443ef9197ed6d78d3d8b891189e7d103003cf8c0
MD5 hash: f82f912af9e8977168720c1145a09e77
SHA1 hash: ded1c0a04f4e8097ae3f075ddb216ea54d1c3bdd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Signature: Stop
File: Executable exe cbc5ce28b1925b070284c6cb443ef9197ed6d78d3d8b891189e7d103003cf8c0 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                          Severity
CHECK_AUTHENTICODE          Missing Authenticode                                           high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)         high
CHECK_PIE                   Missing Position-Independent Executable (PIE) Protection       high
Reviews
ID                  Capabilities                      Evidence
WIN32_PROCESS_API   Can Create Process and Threads    KERNEL32.dll::CloseHandle
WIN_BASE_API        Uses Win Base API                 KERNEL32.dll::TerminateProcess
                                                      KERNEL32.dll::LoadLibraryW
                                                      KERNEL32.dll::LoadLibraryA
                                                      KERNEL32.dll::GetStartupInfoA
                                                      KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API   Can Execute other programs        KERNEL32.dll::AllocConsole
                                                      KERNEL32.dll::WriteConsoleW
                                                      KERNEL32.dll::WriteConsoleA
                                                      KERNEL32.dll::ReadConsoleW
                                                      KERNEL32.dll::SetConsoleTextAttribute
                                                      KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API     Can Create Files                  KERNEL32.dll::CreateDirectoryExA
                                                      KERNEL32.dll::CreateDirectoryExW
                                                      KERNEL32.dll::CreateFileA
                                                      KERNEL32.dll::MoveFileExW
                                                      KERNEL32.dll::MoveFileA
                                                      KERNEL32.dll::ReplaceFileA

Comments