MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6353ac6a08f1e678698f658274332bcc27588c14e75e029e761dd6af0b4ef41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6353ac6a08f1e678698f658274332bcc27588c14e75e029e761dd6af0b4ef41
SHA3-384 hash: 72eeef87f2e15d736707e92cf96cc7444fd495153f3e1c5d26e82dddc01ff5374dd5cc598da89351adf50f1d5762f49e
SHA1 hash: d641d795181f0255558757ba88cefa809c9e2e77
MD5 hash: 9c21fa308bc59e6498923679945461e1
humanhash: floor-harry-aspen-tennessee
File name:9c21fa308bc59e6498923679945461e1.exe
Download: download sample
Signature Stop
Create hunting rule
File size:878'592 bytes
First seen:2021-07-29 16:10:10 UTC
Last seen:2021-07-29 16:49:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c27a98a29b21693846ec47ce91a249f1 (2 x RaccoonStealer, 2 x Smoke Loader, 2 x GCleaner)
ssdeep 24576:s/NK2O3djwoSPwdwc2D4HgXDfbQD8UfxYzpXSJ:XNjwoSgzHcbQD8UfV
Threatray 402 similar samples on MalwareBazaar
TLSH T15D150230A690C035E4F716F845BA93BC792D7EA25B2450CBA2E53AEE1335AE4DC30757
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter abuse_ch
Tags:exe Ransomware.Stop Stop

Intelligence

File Origin
# of uploads :
2
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9c21fa308bc59e6498923679945461e1.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-29 16:15:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1ad9e4a9-7fd8-4655-991c-f532c991ed30

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175102/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.985.16278.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/32f31584-d6f4-494d-9fb7-a7636735ce20
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823996
Signature
Contains functionality to inject code into remote processes
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 456408 Sample: EpLr3m6ArC.exe Startdate: 29/07/2021 Architecture: WINDOWS Score: 100 56 Multi AV Scanner detection for domain / URL 2->56 58 Found ransom note / readme 2->58 60 Yara detected Djvu Ransomware 2->60 62 Machine Learning detection for sample 2->62 8 EpLr3m6ArC.exe 2->8         started        11 EpLr3m6ArC.exe 2->11         started        13 EpLr3m6ArC.exe 2->13         started        15 EpLr3m6ArC.exe 2->15         started        process3 signatures4 66 Injects a PE file into a foreign processes 8->66 17 EpLr3m6ArC.exe 1 19 8->17         started        68 Detected unpacking (overwrites its own PE header) 11->68 70 Contains functionality to inject code into remote processes 11->70 22 EpLr3m6ArC.exe 1 16 11->22         started        72 Multi AV Scanner detection for dropped file 13->72 74 Machine Learning detection for dropped file 13->74 24 EpLr3m6ArC.exe 12 13->24         started        26 EpLr3m6ArC.exe 12 15->26         started        process5 dnsIp6 48 astdg.top 138.36.3.134, 49724, 80 TEXNETSERVICOSDECOMUNICACAOEMINFORMATICALTDBR Brazil 17->48 36 C:\_readme.txt, ASCII 17->36 dropped 38 C:\Users\user\Desktop\...behaviorgraphAOBCVIQIJ.mp3, data 17->38 dropped 40 C:\Users\user\Desktop\SFPUSAFIOL.docx, data 17->40 dropped 46 3 other malicious files 17->46 dropped 64 Modifies existing user documents (likely ransomware behavior) 17->64 50 api.2ip.ua 77.123.139.190, 443, 49704, 49710 VOLIA-ASUA Ukraine 22->50 52 192.168.2.1 unknown unknown 22->52 42 C:\Users\user\AppData\...pLr3m6ArC.exe, PE32 22->42 dropped 44 C:\Users\...pLr3m6ArC.exe:Zone.Identifier, ASCII 22->44 dropped 28 EpLr3m6ArC.exe 22->28         started        31 icacls.exe 22->31         started        file7 signatures8 process9 signatures10 76 Injects a PE file into a foreign processes 28->76 33 EpLr3m6ArC.exe 12 28->33         started        process11 dnsIp12 54 api.2ip.ua 33->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6353ac6a08f1e678698f658274332bcc27588c14e75e029e761dd6af0b4ef41/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 16:11:09 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2y2tvrvar4pgpbuy6zmcoqzsxtbhlcgbjz26akphmhowv4fu55aq._file
Verdict:
malicious
Similar samples:
2027503755cd5d8fad6af24071640dd5cfa7925c980f22dd23ab2ca5b1b24391
Stop
804b9c87f98a32101b51f26c221e589bc80350b69c163abfab2de64f7e9b3e72
Stop
954cc32be4e5b358fe9be2b82ff954d5fec236c89c4487293af062b0f9992407
Stop
a55632167d72b88cf7a2d5449a9a1badf9e7030ffaff386324405f0813f99d39
Stop
bd81a9361b8715dd584205fd2fca8f3c8d6fc3178ed8548674fcbd315b95a0a4
Stop
d56681bb83bd1e54372061cf2e24017106e1fc6a26a86388c907db320e105060
Stop
e9dda7fbf6815a714cac3c369a5c7f137db0c53b09a804db968612d17bed855b
Stop
f5a484d6db0cfca71151e5870cde7b1711cbfa8dc0175140aee2c47c24595d27
Stop
+ 392 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:517 discovery persistence spyware stealer suricata
Link:
https://tria.ge/reports/210729-wgp5aykamn/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://shpak125.tumblr.com/
Unpacked files
SH256 hash:
2cd837d72548690e27d2cedf0972f20194287a7e8ef4a9deab0f3408c7af491a
MD5 hash:
175af0e46f784deb1923add6ee173067
SHA1 hash:
e52df61d6276fd4a017cc780789fdd59c1c134ac
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/4ee76fbd-87bd-4a5f-978b-6a9339d40bbc/
Parent samples :
d6353ac6a08f1e678698f658274332bcc27588c14e75e029e761dd6af0b4ef41
0474887c2361109c3e0d8d0a8ee4967d96c5e48f3e159d68afe5dd83b3ef44a0
SH256 hash:
d6353ac6a08f1e678698f658274332bcc27588c14e75e029e761dd6af0b4ef41
MD5 hash:
9c21fa308bc59e6498923679945461e1
SHA1 hash:
d641d795181f0255558757ba88cefa809c9e2e77
Link:
https://www.unpac.me/results/4ee76fbd-87bd-4a5f-978b-6a9339d40bbc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6353ac6a08f1e678698f658274332bcc27588c14e75e029e761dd6af0b4ef41

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

Executable exe d6353ac6a08f1e678698f658274332bcc27588c14e75e029e761dd6af0b4ef41

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1463721/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175102/

Comments