MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e19a2db727b539378d7fcad6516fc9e02522a6f4747279ff599d1f30bbaa1e10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e19a2db727b539378d7fcad6516fc9e02522a6f4747279ff599d1f30bbaa1e10
SHA3-384 hash: 91769fec760ab8ceacfbc52c0a5f33cb299cc18c27d09f3dc83a218a7589132494665e6c2d55d1c2018d2a3333a4fef8
SHA1 hash: 99a41f6c0a0887119316752ad95b1b5cd432b899
MD5 hash: e1300a10aa52c28310cbe122170af3fc
humanhash: louisiana-wolfram-stream-white
File name:e1300a10aa52c28310cbe122170af3fc.exe
Download: download sample
Signature Stop
Create hunting rule
File size:815'616 bytes
First seen:2022-02-20 12:02:04 UTC
Last seen:2022-02-20 14:03:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 33938a802f507119482b353a78cb5352 (1 x Stop, 1 x ArkeiStealer)
ssdeep 12288:LN8V2Yhv2tHbVvPsCcjfIstwbNg0LBQaaObKqilfSkSKAqG7B9wufD:LbpHCjTtwbnHPildShZ9wufD
Threatray 850 similar samples on MalwareBazaar
TLSH T1280512057EB2D432D76365319931D6B44E7E38B1B972DA8337C9263E9F72C829B21381
File icon (PE):PE icon
dhash icon 327e7c7f767e6e66 (4 x ArkeiStealer, 2 x RedLineStealer, 1 x Stop)
Reporter abuse_ch
Tags:exe Ransomware Stop

Intelligence

File Origin
# of uploads :
2
# of downloads :
411
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
en-install62116F9694C8C-en86-64x.zip
Verdict:
Malicious activity
Analysis date:
2022-02-20 06:09:08 UTC
Tags:
trojan stealer vidar phishing loader evasion ransomware stop
Link:
https://app.any.run/tasks/1c111b71-7d70-443d-a312-78c26674b6c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242761/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.6471.2405.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Сreating synchronization primitives
Deleting a recently created file
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6769/overview
Behaviour
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
emotet exploit greyware packed smokeloader ursnif
Link:
https://www.filescan.io/uploads/62122dbe875593a3ccf39663/reports/12dcf6e4-4ad3-4bef-b50e-efd0d4ee6491/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39ed9bad-2509-4b12-8469-9deb032f84ad
Result
Threat name:
Djvu Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/942820
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 575294 Sample: NWM1TBrwfP.exe Startdate: 20/02/2022 Architecture: WINDOWS Score: 100 91 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->91 93 Multi AV Scanner detection for domain / URL 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 10 other signatures 2->97 12 NWM1TBrwfP.exe 2->12         started        15 NWM1TBrwfP.exe 2->15         started        17 NWM1TBrwfP.exe 2->17         started        19 NWM1TBrwfP.exe 2->19         started        process3 signatures4 109 Contains functionality to inject code into remote processes 12->109 111 Writes many files with high entropy 12->111 113 Injects a PE file into a foreign processes 12->113 21 NWM1TBrwfP.exe 1 17 12->21         started        25 NWM1TBrwfP.exe 13 15->25         started        27 NWM1TBrwfP.exe 13 17->27         started        29 NWM1TBrwfP.exe 19->29         started        process5 dnsIp6 83 api.2ip.ua 77.123.139.190, 443, 49763, 49764 VOLIA-ASUA Ukraine 21->83 65 C:\Users\...65WM1TBrwfP.exe:Zone.Identifier, ASCII 21->65 dropped 67 C:\Users\user\AppData\...67WM1TBrwfP.exe, MS-DOS 21->67 dropped 31 NWM1TBrwfP.exe 21->31         started        34 icacls.exe 21->34         started        85 192.168.2.1 unknown unknown 27->85 file7 process8 signatures9 123 Injects a PE file into a foreign processes 31->123 36 NWM1TBrwfP.exe 1 23 31->36         started        process10 dnsIp11 77 zerit.top 110.14.121.123, 49765, 80 SKB-ASSKBroadbandCoLtdKR Korea Republic of 36->77 79 fuyt.org 115.88.24.202, 49766, 49768, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 36->79 81 api.2ip.ua 36->81 57 C:\Users\user\AppData\Local\...\build2[1].exe, PE32 36->57 dropped 59 C:\Users\user\AppData\Local\...\build2.exe, PE32 36->59 dropped 61 C:\Users\user\_readme.txt, ASCII 36->61 dropped 63 22 other files (21 malicious) 36->63 dropped 99 Infects executable files (exe, dll, sys, html) 36->99 101 Modifies existing user documents (likely ransomware behavior) 36->101 41 build2.exe 36->41         started        file12 signatures13 process14 signatures15 103 Multi AV Scanner detection for dropped file 41->103 105 Machine Learning detection for dropped file 41->105 107 Injects a PE file into a foreign processes 41->107 44 build2.exe 41->44         started        process16 dnsIp17 87 95.216.147.143, 49773, 80 HETZNER-ASDE Germany 44->87 89 mastodon.online 95.216.4.252, 443, 49770 HETZNER-ASDE Germany 44->89 69 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 44->69 dropped 71 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 44->71 dropped 73 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 44->73 dropped 75 9 other files (none is malicious) 44->75 dropped 115 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 44->115 117 Tries to steal Mail credentials (via file / registry access) 44->117 119 Tries to harvest and steal browser information (history, passwords, etc) 44->119 121 Tries to steal Crypto Currency Wallets 44->121 49 cmd.exe 44->49         started        file18 signatures19 process20 process21 51 conhost.exe 49->51         started        53 taskkill.exe 49->53         started        55 timeout.exe 49->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e19a2db727b539378d7fcad6516fc9e02522a6f4747279ff599d1f30bbaa1e10/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-02-20 03:14:23 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4gnc3nzhwu4tpdl7zllfc36j4assfjxuorzht72ztuptbo5kdyia._file
Verdict:
malicious
Similar samples:
35be1a97d304ab4b045cb2e608c22dd2c7efb4df1e86cdd4e0b780bdf1c21838
Stop
3e7ccc99be60620bd1ed12ac34f2bb76dfba737ec91fc88199a20cfc2f320139
Stop
486ab4d9e0a524b8f734a9e45821538c31e18c7632af8e0765dc417b9a87c64d
Stop
68638ad366d915c1df35046302109dac675ce9f800935f377a718389479d433f
Stop
9dfe173d27af62da7c78754527de5dd892bab94b7cd1658e087c7e64f86211ba
Stop
a3f3ecdc47707e721e469b9ef8ebdd3f53148dad6a6148f2410efc0a2e2dab58
Stop
+ 840 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar botnet:517 discovery persistence ransomware spyware stealer suricata
Link:
https://tria.ge/reports/220220-n7gbracecr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Malware Config
C2 Extraction:
http://fuyt.org/test2/get.php
https://mastodon.online@k1llerniax
https://koyu.space/@k1llerni2x
Unpacked files
SH256 hash:
4793b2e94b5c9dfe2552d2bae8ba9a29faeb398ef90a3637def314ec78564da1
MD5 hash:
31a2f98eb1d8c404eb9af199f4618996
SHA1 hash:
189803cb750d2bed2005ef6dc5fa8101f70b2391
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/2d708a07-eb83-49f2-9cb5-257bd92944cf/
SH256 hash:
e19a2db727b539378d7fcad6516fc9e02522a6f4747279ff599d1f30bbaa1e10
MD5 hash:
e1300a10aa52c28310cbe122170af3fc
SHA1 hash:
99a41f6c0a0887119316752ad95b1b5cd432b899
Link:
https://www.unpac.me/results/2d708a07-eb83-49f2-9cb5-257bd92944cf/
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e19a2db727b5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e19a2db727b539378d7fcad6516fc9e02522a6f4747279ff599d1f30bbaa1e10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/242761/

Comments