MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbeb7eeb2ba0e370efa87676217c68f0de0067a465d4d0b422d78ddb3168ec1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 18


Intelligence 18 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbeb7eeb2ba0e370efa87676217c68f0de0067a465d4d0b422d78ddb3168ec1e
SHA3-384 hash: c36c71e5f959b64b271caf44cc7697cf5a6a48332cb1bbb5d83689c6d32099702b0e1edd511452203cc2008362ae9a44
SHA1 hash: 94c4e81a6d6ed0bc98ed7448cf60c3d2142ef32e
MD5 hash: 5230bc2f8f129c1cdcaa87821ef38b6d
humanhash: pasta-mango-six-arizona
File name:567ed29376b1cdfc820544d6d8e38d58187476a0b911226d5cb8e95f69dcba6f_dump.exe
Download: download sample
Signature Stop
Create hunting rule
File size:1'150'976 bytes
First seen:2024-06-16 00:49:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0c756c849bc7b459f78f7a5ce46cd4a7 (14 x Stop)
ssdeep 24576:ZBUIKn/vwOXGUXAjCymYZiVtElVIBT2roqnTSSxWeT/dRPOO8WWQHUq7:F0dwAYZt6C31WeTVRPOhW7Uq7
Threatray 1'752 similar samples on MalwareBazaar
TLSH T17D35AE02BB819171E5D341BA0DFE977E883AA9A0933A95C3D7E91C568E306D0673F3C5
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter ukycircle
Tags:exe Stop watz

Intelligence

File Origin
# of uploads :
1
# of downloads :
531
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
stop
Create hunting rule
ID:
1
File name:
cbeb7eeb2ba0e370efa87676217c68f0de0067a465d4d0b422d78ddb3168ec1e.exe
Verdict:
Malicious activity
Analysis date:
2024-06-16 00:50:09 UTC
Tags:
evasion ransomware stop djvu
Link:
https://app.any.run/tasks/4efd7739-273e-4b4d-8d6d-f58212760c7f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Ransomware.Bandook-9859375-1
Create hunting rule

ditekSHen.MALWARE.Win.Ransomware.STOP.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=666e378c89a0563951f67892win7simulatehigh_evasion
Tags:
Banker Execution Generic Network Ransomware Static Stealth Stop
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a TCP request to an infection source
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Сreating synchronization primitives
Restart of the analyzed sample
Deleting a recently created file
Query of malicious DNS domain
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypto epmicrosoft_visual_cc expand explorer fingerprint lolbin microsoft_visual_cc obfuscated shell32
Link:
https://www.filescan.io/uploads/666e36bdea679c2da918688d/reports/3ab5e4fd-a8f0-4259-b942-7841c040eea7/overview
Verdict:
Malicious
Labled as:
Trojan.Encoder
Link:
https://www.hybrid-analysis.com/sample/cbeb7eeb2ba0e370efa87676217c68f0de0067a465d4d0b422d78ddb3168ec1e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5942a792-a571-400e-ba0f-f886c9747ee2
Result
Threat name:
Babuk, Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1457915
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found ransom note / readme
Found stalling execution ending in API Sleep call
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May modify the system service descriptor table (often done to hook functions)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1457915 Sample: 567ed29376b1cdfc820544d6d8e... Startdate: 16/06/2024 Architecture: WINDOWS Score: 100 36 cajgtus.com 2->36 38 api.2ip.ua 2->38 44 Snort IDS alert for network traffic 2->44 46 Multi AV Scanner detection for domain / URL 2->46 48 Found malware configuration 2->48 50 11 other signatures 2->50 7 567ed29376b1cdfc820544d6d8e38d58187476a0b911226d5cb8e95f69dcba6f_dump.exe 1 17 2->7         started        12 567ed29376b1cdfc820544d6d8e38d58187476a0b911226d5cb8e95f69dcba6f_dump.exe 13 2->12         started        14 567ed29376b1cdfc820544d6d8e38d58187476a0b911226d5cb8e95f69dcba6f_dump.exe 2->14         started        16 567ed29376b1cdfc820544d6d8e38d58187476a0b911226d5cb8e95f69dcba6f_dump.exe 2->16         started        signatures3 process4 dnsIp5 40 api.2ip.ua 188.114.97.3, 443, 49731, 49732 CLOUDFLARENETUS European Union 7->40 32 567ed29376b1cdfc82...5f69dcba6f_dump.exe, PE32 7->32 dropped 34 567ed29376b1cdfc82...exe:Zone.Identifier, ASCII 7->34 dropped 58 Found stalling execution ending in API Sleep call 7->58 60 Writes a notice file (html or txt) to demand a ransom 7->60 62 Writes many files with high entropy 7->62 18 567ed29376b1cdfc820544d6d8e38d58187476a0b911226d5cb8e95f69dcba6f_dump.exe 1 19 7->18         started        22 icacls.exe 7->22         started        42 cajgtus.com 189.61.54.32, 49734, 49735, 49736 CLAROSABR Brazil 12->42 64 Antivirus detection for dropped file 12->64 66 Multi AV Scanner detection for dropped file 12->66 68 Machine Learning detection for dropped file 12->68 file6 signatures7 process8 file9 24 C:\_readme.txt, ASCII 18->24 dropped 26 C:\Users\user\...\wctF86A.tmp.watz (copy), MS-DOS 18->26 dropped 28 C:\Users\user\...\wctF411.tmp.watz (copy), data 18->28 dropped 30 42 other malicious files 18->30 dropped 52 Tries to harvest and steal browser information (history, passwords, etc) 18->52 54 Infects executable files (exe, dll, sys, html) 18->54 56 Modifies existing user documents (likely ransomware behavior) 18->56 signatures10
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cbeb7eeb2ba0e370efa87676217c68f0de0067a465d4d0b422d78ddb3168ec1e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbeb7eeb2ba0e370efa87676217c68f0de0067a465d4d0b422d78ddb3168ec1e/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2024-06-16 00:50:11 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
33 of 38 (86.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zpvx52zludrxb35ioz3cc7di6dpaaz5emxknbnbc26g5wmli5qpa._file
Verdict:
malicious
Similar samples:
02a87215da30b1e27f605464c85f8098db4f3a811de81ee9984050501c0ab779
Stop
2e9fcbdd6718795f322263283b544144d79b0cfd6b855cff8d74658737715548
Stop
5fd628901f00dc6a963eb149d432194b8ba17c5338a8cb85fc2494afa2538750
Stop
651b658ae3680460305dc22f982cf8cb1f105fd0bad8ea7cbbeec962ef497dad
Stop
66bcf0f385276b3f47ac0e8ed8c12b063a29e9873bbc09b9707d063d6238a08f
Stop
6b1f30c4699f3eaa120cdcbf4cf358407f5ac08560abf0200981f9804d1a214a
Stop
9d9c65f52f4284b3ac29a884d0bc6fc780f8a520c02cde84031f7d15b277577c
Stop
c3d4eee86b30d1a1454f77d5dc506a4d1c81880a997b35bab8c5fcae2dbb2a3e
Stop
ec93ce8cce6f314e3df3ff7e7bed1e2acbe48e6871584c7ec4ef49a5febd4aa9
Stop
+ 1'742 additional samples on MalwareBazaar
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu discovery persistence ransomware
Link:
https://tria.ge/reports/240616-a6x18ascjh/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Modifies file permissions
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://cajgtus.com/test1/get.php
Unpacked files
SH256 hash:
cbeb7eeb2ba0e370efa87676217c68f0de0067a465d4d0b422d78ddb3168ec1e
MD5 hash:
5230bc2f8f129c1cdcaa87821ef38b6d
SHA1 hash:
94c4e81a6d6ed0bc98ed7448cf60c3d2142ef32e
Detections:
djvu_ransomware
Create hunting rule
win_stop_auto
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
MALWARE_Win_STOP
Create hunting rule
Link:
https://www.unpac.me/results/6f38c03e-38a1-4034-a07d-c945547a19d9/
Parent samples :
567ed29376b1cdfc820544d6d8e38d58187476a0b911226d5cb8e95f69dcba6f
cbeb7eeb2ba0e370efa87676217c68f0de0067a465d4d0b422d78ddb3168ec1e
8cf61c66b1cde95afdc402040152b3ca0022fceb866b84be297572708b08cb5b
4bb311ba0e479264b1d3c7deab5bfb44b0c1fb100d82aa7d605369b0ac938981
f874d2ec768aac73111ccc280352a8769b03d1789327b0b3e9674c55e0de1c01
3b8d07693e296aee36e7607c71503d981396a21b367e169146afdd052cdcf4d1
d343ea857cdf97aa0ccfd14970425c6888bd216d36ad7f6255a044bed36a4b2a
2a6c90c8db27e6ac04c7e339dfe4b3c2d47a292bcf6fc1c5b4e0ae62fc81ff84
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cbeb7eeb2ba0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbeb7eeb2ba0e370efa87676217c68f0de0067a465d4d0b422d78ddb3168ec1e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:Windows_Ransomware_Stop_1e8d48ff
Create hunting rule
Author:Elastic Security
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
DNS_APIPerforms DNS callsDNSAPI.dll::DnsQuery_W
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
RPC_APICan Execute Remote ProceduresRPCRT4.dll::RpcStringFreeW
RPCRT4.dll::RpcStringFreeA
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
SHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
WININET.dll::InternetCloseHandle
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::FlushConsoleInputBuffer
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::PeekConsoleInputA
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::ReadConsoleInputA
KERNEL32.dll::SetConsoleCtrlHandler
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileW
KERNEL32.dll::DeleteFileA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.dll::CryptAcquireContextW
ADVAPI32.dll::CryptCreateHash
ADVAPI32.dll::CryptEncrypt
ADVAPI32.dll::CryptGetHashParam
ADVAPI32.dll::CryptHashData
ADVAPI32.dll::CryptImportKey
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetEnumResourceW
MPR.dll::WNetOpenEnumW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ControlService
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::QueryServiceStatus
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments