MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7bf9c3f9a679bd9c80e455608ef51ea9e91a84031a173c12bb3946050076411. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7bf9c3f9a679bd9c80e455608ef51ea9e91a84031a173c12bb3946050076411
SHA3-384 hash: 3cbb406f91c6807f9043aa804becd7c365a71812824d4971d2dd6bd47a4a6df03851fb0b89d0df43a12944c9b5af0d45
SHA1 hash: e4c97d88bfad4589d2c3a7f268e59c249caa7dfa
MD5 hash: 9fc52180cee96c5480d441498db0d593
humanhash: lactose-michigan-sierra-foxtrot
File name:d7bf9c3f9a679bd9c80e455608ef51ea9e91a84031a173c12bb3946050076411
Download: download sample
Signature Stop
Create hunting rule
File size:838'656 bytes
First seen:2021-09-03 09:04:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f536c766660697a0f33f0299d3f205dd (7 x RaccoonStealer, 2 x Stop, 1 x DanaBot)
ssdeep 24576:QWvzfbE89I6G3EqmrRFbZ3Ni28Eoq2D1iaEnX78:Noq3G3+dZZ3Ni2yZPE
Threatray 465 similar samples on MalwareBazaar
TLSH T17E05F1306690DC3DE4E212F465B6827CE729BEB0576050CBB2D63AEE1B306E1AD31757
dhash icon d824e7d0c4e72158 (6 x RaccoonStealer, 5 x Stop, 2 x ArkeiStealer)
Reporter JAMESWT_WT
Tags:exe Stop

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d7bf9c3f9a679bd9c80e455608ef51ea9e91a84031a173c12bb3946050076411
Verdict:
Suspicious activity
Analysis date:
2021-09-03 09:06:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eb7567b1-ba6e-40d8-8c31-c566e6ff3f0f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185092/
Detection(s):
Win.Dropper.Raccoon-9889988-0
Create hunting rule

Win.Malware.Generic-9890031-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Sending an HTTP GET request
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f02995eb-51db-4a29-a181-77c20cae93ab
Result
Threat name:
Clipboard Hijacker Djvu Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844762
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Clipboard Hijacker
Yara detected Djvu Ransomware
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 477194 Sample: yO8nAS1G8B Startdate: 03/09/2021 Architecture: WINDOWS Score: 100 115 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->115 117 Antivirus detection for URL or domain 2->117 119 Multi AV Scanner detection for submitted file 2->119 121 7 other signatures 2->121 12 yO8nAS1G8B.exe 2->12         started        15 yO8nAS1G8B.exe 2->15         started        17 yO8nAS1G8B.exe 2->17         started        19 3 other processes 2->19 process3 signatures4 131 Detected unpacking (changes PE section rights) 12->131 133 Contains functionality to inject code into remote processes 12->133 135 Writes many files with high entropy 12->135 21 yO8nAS1G8B.exe 1 16 12->21         started        137 Injects a PE file into a foreign processes 15->137 25 yO8nAS1G8B.exe 12 15->25         started        27 yO8nAS1G8B.exe 17->27         started        29 yO8nAS1G8B.exe 19->29         started        31 mstsca.exe 19->31         started        33 mstsca.exe 19->33         started        process5 dnsIp6 93 api.2ip.ua 77.123.139.190, 443, 49706, 49707 VOLIA-ASUA Ukraine 21->93 73 C:\Users\...\yO8nAS1G8B.exe:Zone.Identifier, ASCII 21->73 dropped 35 yO8nAS1G8B.exe 21->35         started        38 icacls.exe 21->38         started        95 192.168.2.1 unknown unknown 27->95 40 schtasks.exe 31->40         started        file7 process8 signatures9 123 Injects a PE file into a foreign processes 35->123 42 yO8nAS1G8B.exe 1 24 35->42         started        47 conhost.exe 40->47         started        process10 dnsIp11 101 tbpws.top 189.165.83.252, 49710, 49714, 80 UninetSAdeCVMX Mexico 42->101 103 securebiz.org 211.59.14.90, 49708, 80 SKB-ASSKBroadbandCoLtdKR Korea Republic of 42->103 105 api.2ip.ua 42->105 85 MLASeventhEditionO...ine.xsl.lqqw (copy), DOS 42->85 dropped 87 C:\...\MLASeventhEditionOfficeOnline.xsl, DOS 42->87 dropped 89 C:\Users\user\...\mirroring_hangouts.js, COM 42->89 dropped 91 329 other files (313 malicious) 42->91 dropped 139 Modifies existing user documents (likely ransomware behavior) 42->139 49 build2.exe 42->49         started        52 build3.exe 42->52         started        file12 signatures13 process14 signatures15 107 Detected unpacking (changes PE section rights) 49->107 109 Machine Learning detection for dropped file 49->109 111 Injects a PE file into a foreign processes 49->111 54 build2.exe 49->54         started        113 Uses schtasks.exe or at.exe to add and modify task schedules 52->113 59 build3.exe 52->59         started        process16 dnsIp17 97 49.12.198.69, 49717, 80 HETZNER-ASDE Germany 54->97 99 romkaxarit.tumblr.com 74.114.154.22, 443, 49716 AUTOMATTICUS Canada 54->99 75 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 54->75 dropped 77 C:\Users\user\AppData\...\freebl3[1].dll, PE32 54->77 dropped 79 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 54->79 dropped 83 9 other files (none is malicious) 54->83 dropped 125 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 54->125 127 Tries to harvest and steal browser information (history, passwords, etc) 54->127 129 Tries to steal Crypto Currency Wallets 54->129 61 cmd.exe 54->61         started        81 C:\Users\user\AppData\Roaming\...\mstsca.exe, PE32 59->81 dropped 63 schtasks.exe 59->63         started        file18 signatures19 process20 process21 65 conhost.exe 61->65         started        67 taskkill.exe 61->67         started        69 timeout.exe 61->69         started        71 conhost.exe 63->71         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7bf9c3f9a679bd9c80e455608ef51ea9e91a84031a173c12bb3946050076411/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-08-31 22:35:43 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
32 of 43 (74.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=267zyp42m6n5tsaoivlar32r5kpjdkcaggqxhqjlwokgauahmqiq._file
Verdict:
malicious
Similar samples:
0c1571e0f22ecc1c3ed2b80ee90df329d820e287ac0be834aa905726ea96887e
Stop
341adff3ec7c3cf9ec58b939d8c1104d8e6d228653055d6656348d421852d368
Stop
5651c726a433d942eb9cdbe74c6631178fa3e243e0953e0a55f54f1752e05682
Stop
5d232ce70bfdc3344ad9c117da898e5d72ea5a5ff0704933735abb186714c9f4
Stop
adc2c80f4a9f969a641f2674c94bd576420b34d338b12ba5b4cab09e6c51a466
Stop
dc6f024b81983ce22d883ccc346b3888d984e360196b3e472c1cce3f79b70fa0
Stop
+ 455 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar botnet:517 discovery persistence ransomware spyware stealer suricata
Link:
https://tria.ge/reports/210903-k17nksgabl/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Detected Djvu ransomeware
Djvu Ransomware
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://romkaxarit.tumblr.com/
Unpacked files
SH256 hash:
160aa84363640ef0e569e00640cda85b766b67c1ff71b0fd949a3ce2e6e40a9c
MD5 hash:
dc4e9cdb6ae0ce6841be15657634ad11
SHA1 hash:
585d350e71c55988c029423eec6b67737a520fa0
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/28b29123-61d2-46ff-9185-6fc54d23a2ed/
Parent samples :
ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af
2db346799c65a4fc59e3063f0c749ac70e160ddcd4f719e897463d6de53621c1
a4656e6277f4a2474916019682ad674c7988a3b30a72ebc34d16089cb3e22453
341adff3ec7c3cf9ec58b939d8c1104d8e6d228653055d6656348d421852d368
7674f1f7b2b53467fec308bdcaf89c80b4d25eb683ac0ad105084b3dd5cc0cc8
857fd1017141f401e9a263e477a80f000d9d064b891a1087b9a51220924a017c
d7bf9c3f9a679bd9c80e455608ef51ea9e91a84031a173c12bb3946050076411
9915b1b61a0eee3b29c2c7238f5f3198137e3b6479689224c3381a155d7b53fe
0d4704002980d141dc8ca282a4cb6ec338a6bbe0d95316cfad6a47b940b4e664
9a9f3b0dbf3655264bdabd0e02127d74b341522c669d3eb11b22b2e2da97867f
68638ad366d915c1df35046302109dac675ce9f800935f377a718389479d433f
a4ac450123dc6794e5ed2fb846d74d70f95be897931fa43983665e8287176a23
da7263588f95278e91f5ddb2898d18735d6c6abfa1e872d1358aafa4e044adca
076ea240e131689495e71d09589d2f3c1bbc43bee4f15938ef59191cd75e049c
15dd9d8533066e0b099af7258e5db6ed2f24edd712040b2ad0d3d1f8fecb2c5a
acc3b48cd0873ffa9a1777f269ff514af019b538386306738e90fefaa18d3827
7551d65fbd92fec28a83f696a49d771bfea37c7050099c3e010d9ec1f4fbc1e6
95dbc0c60bcc0a5f72eb528358b866dd0b4933fe7fc1e68e921615729fe569cf
9eeb3c37031477470fe1afa167ad3e32b7c270084eaac2b11da208e6ebce6eaa
d5b3a05a83dac1fde11c26bb358f513ddf0cb57853a141fecccda0446c842f81
SH256 hash:
d7bf9c3f9a679bd9c80e455608ef51ea9e91a84031a173c12bb3946050076411
MD5 hash:
9fc52180cee96c5480d441498db0d593
SHA1 hash:
e4c97d88bfad4589d2c3a7f268e59c249caa7dfa
Link:
https://www.unpac.me/results/28b29123-61d2-46ff-9185-6fc54d23a2ed/
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d7bf9c3f9a67/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7bf9c3f9a679bd9c80e455608ef51ea9e91a84031a173c12bb3946050076411

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185092/

Comments