MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d137e14a9bf33737becc9548027c26f12567d015cacd5d83e99602e54e625d74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d137e14a9bf33737becc9548027c26f12567d015cacd5d83e99602e54e625d74
SHA3-384 hash: 06778c5fad1035364645514027824d8d7bfa0201c38a7d465d7d1933a92b5a4d4ec1c03dde956cecd2ee9d28a6bceb76
SHA1 hash: 013e4c3f7ca607fa3ca6e3de06c7d47e36eda21c
MD5 hash: 83da4569d69266fc6ab372b9c25481fb
humanhash: charlie-apart-hot-nitrogen
File name:D137E14A9BF33737BECC9548027C26F12567D015CACD5.exe
Download: download sample
Signature Stop
Create hunting rule
File size:816'640 bytes
First seen:2022-09-16 19:15:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 85c43f57fe7b94b298d18af0e5ec84e5 (1 x Stop)
ssdeep 24576:dPdrfa8zVLjWNlElZqPVKnJEADLdzikmAk:jpjWMlZMVKmAndPr
Threatray 1'865 similar samples on MalwareBazaar
TLSH T1DF050100BBA0D035F9B716F45C7A93A8752E7A929B6440CF63D52AFE52746E4EC3034B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter abuse_ch
Tags:exe Stop


Avatar
abuse_ch
Stop C2:
http://195.201.253.5/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://195.201.253.5/ https://threatfox.abuse.ch/ioc/850075/

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
stop
Create hunting rule
ID:
1
File name:
D137E14A9BF33737BECC9548027C26F12567D015CACD5.exe
Verdict:
Malicious activity
Analysis date:
2022-09-16 19:19:33 UTC
Tags:
trojan loader ransomware stop stealer
Link:
https://app.any.run/tasks/c7961d61-4311-427a-a0e3-babf7f0744b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310663/
Detection(s):
Win.Packed.Crypterx-9954995-0
Create hunting rule

Win.Malware.Crypterx-9962719-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Сreating synchronization primitives
Deleting a recently created file
Searching for synchronization primitives
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37953/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6324cb9cb564f001cc8efba9/reports/9f5d1eef-d2bf-4c53-af65-6be427bbc3a2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3994ff01-465e-43a7-9bc0-9d3d3da20cfa
Result
Threat name:
Babuk, Clipboard Hijacker, Djvu, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1071947
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 704490 Sample: D137E14A9BF33737BECC9548027... Startdate: 16/09/2022 Architecture: WINDOWS Score: 100 108 Snort IDS alert for network traffic 2->108 110 Malicious sample detected (through community Yara rule) 2->110 112 Antivirus detection for URL or domain 2->112 114 13 other signatures 2->114 12 D137E14A9BF33737BECC9548027C26F12567D015CACD5.exe 2->12         started        15 D137E14A9BF33737BECC9548027C26F12567D015CACD5.exe 2->15         started        17 D137E14A9BF33737BECC9548027C26F12567D015CACD5.exe 2->17         started        19 2 other processes 2->19 process3 signatures4 126 Writes many files with high entropy 12->126 128 Injects a PE file into a foreign processes 12->128 21 D137E14A9BF33737BECC9548027C26F12567D015CACD5.exe 1 16 12->21         started        25 D137E14A9BF33737BECC9548027C26F12567D015CACD5.exe 15->25         started        130 Sample uses process hollowing technique 17->130 28 D137E14A9BF33737BECC9548027C26F12567D015CACD5.exe 17->28         started        30 backgroundTaskHost.exe 17->30         started        132 Antivirus detection for dropped file 19->132 134 Multi AV Scanner detection for dropped file 19->134 32 D137E14A9BF33737BECC9548027C26F12567D015CACD5.exe 12 19->32         started        34 schtasks.exe 19->34         started        process5 dnsIp6 86 api.2ip.ua 162.0.217.254, 443, 49717, 49719 ACPCA Canada 21->86 72 D137E14A9BF33737BE...exe:Zone.Identifier, ASCII 21->72 dropped 74 D137E14A9BF33737BE...F12567D015CACD5.exe, MS-DOS 21->74 dropped 36 D137E14A9BF33737BECC9548027C26F12567D015CACD5.exe 21->36         started        39 icacls.exe 21->39         started        76 C:\Users\user\Desktop\...\SNIPGPPREP.png, data 25->76 dropped 124 Modifies existing user documents (likely ransomware behavior) 25->124 88 192.168.2.1 unknown unknown 28->88 41 conhost.exe 34->41         started        file7 signatures8 process9 signatures10 116 Injects a PE file into a foreign processes 36->116 43 D137E14A9BF33737BECC9548027C26F12567D015CACD5.exe 1 25 36->43         started        process11 dnsIp12 94 rgyui.top 109.98.58.98, 49720, 80 RTDBucharestRomaniaRO Romania 43->94 96 acacaca.org 211.53.230.67, 49721, 49722, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 43->96 98 api.2ip.ua 43->98 78 C:\Users\user\AppData\Local\...\build3[1].exe, PE32 43->78 dropped 80 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 43->80 dropped 82 C:\Users\user\AppData\Local\...\build2.exe, PE32 43->82 dropped 84 42 other files (37 malicious) 43->84 dropped 136 Modifies existing user documents (likely ransomware behavior) 43->136 48 build2.exe 43->48         started        51 build3.exe 43->51         started        file13 signatures14 process15 file16 100 Multi AV Scanner detection for dropped file 48->100 102 Machine Learning detection for dropped file 48->102 104 Injects a PE file into a foreign processes 48->104 54 build2.exe 48->54         started        70 C:\Users\user\AppData\Roaming\...\mstsca.exe, PE32 51->70 dropped 106 Uses schtasks.exe or at.exe to add and modify task schedules 51->106 58 schtasks.exe 51->58         started        signatures17 process18 dnsIp19 90 t.me 149.154.167.99, 443, 49727 TELEGRAMRU United Kingdom 54->90 92 195.201.253.5, 49728, 80 HETZNER-ASDE Germany 54->92 118 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 54->118 120 Tries to harvest and steal browser information (history, passwords, etc) 54->120 122 Tries to steal Crypto Currency Wallets 54->122 60 cmd.exe 54->60         started        62 conhost.exe 58->62         started        signatures20 process21 process22 64 conhost.exe 60->64         started        66 taskkill.exe 60->66         started        68 timeout.exe 60->68         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d137e14a9bf33737becc9548027c26f12567d015cacd5d83e99602e54e625d74/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-08-08 20:31:37 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2e36csu36m3tppwmsveae7bg6eswpuavzlgv3a7jsybokttclv2a._file
Verdict:
malicious
Similar samples:
3d8b8a024b1f873e44ab747be8886f3040e81a3a685426c4a1a08ed10f25e653
Stop
455c7bd1a80b407b43b1d1d278958ffcac4ac4d3cfc9a9e54f54f1d5debd2b13
Stop
678dfbd3e2b09d2d78bca1ae07099a1e547f48ad9caee38fd068d9c7ceaec7f8
Stop
85cdfe1207633307e4af6c7c6dd900dc7f521e140419373a2838be5b2405e40b
Stop
adf087ee8a2e87e4f6e9bb9ab1a6a2a21bb8948c1431fd31c468052f2f46dd54
Stop
bee4bd2acbef63779e2da4595800179bc928461130940caa2a98761aa44fc51f
Stop
d83e3f7a65229291df7be6cc58a922081ee7d66fee59c514a1863e05b2a6ee04
Stop
d98d97f0fed4a9687c62c6554a1ed506e6a2d27fbf76078c0cb67850d05806f5
Stop
f7975bb947cffda4d31aa860546f2708c947f8963991e4ae83871d28f51559b1
Stop
+ 1'855 additional samples on MalwareBazaar
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu discovery persistence ransomware spyware stealer
Link:
https://tria.ge/reports/220916-xyssvsccal/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://acacaca.org/lancer/get.php
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d7701eee-6f1d-4114-8f30-4bc9a26fc99f
Unpacked files
SH256 hash:
f5dff2a7372e83b8d2eb927d83ed41bcff4721551e9bd5c6d54477c40e9be84b
MD5 hash:
84b4a399b6efc20f4f58db3bef61232a
SHA1 hash:
59dbfc555bf9e1e57468cbbc41adfe423a42c26a
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/2316a693-8397-4d6f-86b5-36b239da821e/
SH256 hash:
d137e14a9bf33737becc9548027c26f12567d015cacd5d83e99602e54e625d74
MD5 hash:
83da4569d69266fc6ab372b9c25481fb
SHA1 hash:
013e4c3f7ca607fa3ca6e3de06c7d47e36eda21c
Link:
https://www.unpac.me/results/2316a693-8397-4d6f-86b5-36b239da821e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d137e14a9bf33737becc9548027c26f12567d015cacd5d83e99602e54e625d74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest3
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/310663/

Comments