MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e833b7fc4bf14527edb120ee4e691a660b21f93b1ec22bf15881bdcee4c5bb8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e833b7fc4bf14527edb120ee4e691a660b21f93b1ec22bf15881bdcee4c5bb8d
SHA3-384 hash: 2b1e1fe0e67ec66042d02e5f602386807dba30b2881f83d3eca0ff1002337c02fd4ef4f0931508ae8a1d91b28904c4f1
SHA1 hash: b32a197fcd7cf7872e7d6fad1ebef7c4a0069be4
MD5 hash: 22bee07f12f16ba1baa242c5aea482a7
humanhash: fix-sixteen-video-rugby
File name:e833b7fc4bf14527edb120ee4e691a660b21f93b1ec22bf15881bdcee4c5bb8d
Download: download sample
Signature Stop
Create hunting rule
File size:767'488 bytes
First seen:2021-05-03 01:15:52 UTC
Last seen:2021-05-03 02:00:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ed15c1224fd33ba1eeca9dd246bc116e (2 x CryptBot, 1 x Amadey, 1 x Stop)
ssdeep 12288:jo4fW8Ar+/ZO8LrFwbXkiNZiB+g2WDPVp7YIEBgXasT4nWtNp147h:/+8ArGZO/7kKg2WDPVSIOVnW3mh
Threatray 47 similar samples on MalwareBazaar
TLSH E3F42236F580E431C51A97B14DA0EB6A9AB8F9315B650487B3C81B6D7E75EE03B3130E
Reporter fbgwls245
Tags:.wrui djvu Ransomware Stop

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://188.34.193.205/ https://threatfox.abuse.ch/ioc/28011/

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'242
Origin country :
n/a
Vendor Threat Intelligence
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/148053/
Detection(s):
Win.Malware.Generic-9857167-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Sending an HTTP GET request
Creating a window
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/706817
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402331 Sample: z3LOkpYy4s Startdate: 03/05/2021 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for submitted file 2->40 42 Found ransom note / readme 2->42 44 Yara detected Djvu Ransomware 2->44 46 Machine Learning detection for sample 2->46 6 z3LOkpYy4s.exe 1 19 2->6         started        11 z3LOkpYy4s.exe 12 2->11         started        13 z3LOkpYy4s.exe 1 16 2->13         started        15 z3LOkpYy4s.exe 12 2->15         started        process3 dnsIp4 36 jfes.top 31.40.251.99, 49725, 80 ITLDC-NLUA Russian Federation 6->36 22 C:\_readme.txt, ASCII 6->22 dropped 24 C:\Users\user\Desktop\z3LOkpYy4s.exe, data 6->24 dropped 26 C:\Users\user\Desktop\...\QNCYCDFIJJ.docx, data 6->26 dropped 32 4 other files (2 malicious) 6->32 dropped 48 Modifies existing user documents (likely ransomware behavior) 6->48 50 Multi AV Scanner detection for dropped file 11->50 52 Detected unpacking (changes PE section rights) 11->52 54 Detected unpacking (overwrites its own PE header) 11->54 56 Machine Learning detection for dropped file 11->56 38 api.2ip.ua 77.123.139.190, 443, 49718, 49722 VOLIA-ASUA Ukraine 13->38 28 C:\Users\user\AppData\...\z3LOkpYy4s.exe, PE32 13->28 dropped 30 C:\Users\...\z3LOkpYy4s.exe:Zone.Identifier, ASCII 13->30 dropped 17 z3LOkpYy4s.exe 12 13->17         started        20 icacls.exe 13->20         started        file5 signatures6 process7 dnsIp8 34 api.2ip.ua 17->34
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e833b7fc4bf14527edb120ee4e691a660b21f93b1ec22bf15881bdcee4c5bb8d/
Threat name:
Win32.Trojan.Ranumbot
Create hunting rule
Status:
Malicious
First seen:
2021-05-01 01:10:39 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5az3p7cl6fcsp3nredxe42i2myfsd6j3d3bcx4kyqg645zgfxogq._file
Verdict:
malicious
Similar samples:
02d61f5f80a30ae80912d6ffcaf78e85fe6871b1bba5633a78a41c9f1ad13d1a
Stop
0552149181395fb0685b2dfa9b123334cb598173a13fbedf458f8c3613f8ff81
Stop
12750a545215e41d452a16e1c451f0e0682a5330078813313b67cd09499ac674
Stop
5b24309c73efe765123f586a6b3c522a3a2438ddc372819ab9035cc2eaff1257
Stop
6ed8e078433a7e7938f2084f83a640d707708ac99a246b31736bd22327664668
Stop
a3d26db7812778043abdf20ad3ff5caf68be3752fcd33de75d1bea8f515ed3d2
Stop
b526a2e743700e05396f10f6b2e9f1b1a8a74670a7b6969cf4471bdb25a77802
Stop
b6b15523787e5db710afc32c541a3844e476192150899926bc15aba8dfd16ff0
Stop
ed8a7ffec56f450a365e758012db092883bbd23565f3f9fbb004c189fb703de3
Stop
fdf29de5bc715feaa80709bdddd59b8293aa538d257ba9dd6a287d065ecb68a8
Stop
+ 37 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar discovery evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210503-spszd9aats/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads local data of messenger clients
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Deletes Windows Defender Definitions
Djvu Ransomware
Vidar
Unpacked files
SH256 hash:
b58165bb5a4f9040d187791e870f691c449e59d3f5fa8312ba7655864236328f
MD5 hash:
5fe929b15555feeb7e4ef768211d8caa
SHA1 hash:
49f52ac9a44d3259167dbf20e7328fdaf287ac7f
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/8e3e2d91-3758-4936-93c4-8ede2fd052d8/
Parent samples :
7c75df63bc40beca5ccf65db76c33539ee9f3468a4149e1a0c0bfd30949f4b4d
1da3193c52b5ec3a14b36acbc9c92266a2a531399e33c1e3a209e828eda7a0a5
7c9bc6a878b6cb355bb2a5c70170aa48b1e8f369dd64ee47df3ac9ea9e213b02
9ded335a6f346de4aafbc4f8c08e90dce1f064820b13d6580f01731c9837d7a8
a0e32603876c3035d76a78e35d5f89576ded2475451b4d27e19331bf9e6abfc3
c14987c4c6fc2de2cac43355964465d7611652e29f699d64fa292399f526c103
e833b7fc4bf14527edb120ee4e691a660b21f93b1ec22bf15881bdcee4c5bb8d
712e9e9e2976782e38288d45a2d177f1dc3757c7610b4b9bae9e35be9f20b913
SH256 hash:
e833b7fc4bf14527edb120ee4e691a660b21f93b1ec22bf15881bdcee4c5bb8d
MD5 hash:
22bee07f12f16ba1baa242c5aea482a7
SHA1 hash:
b32a197fcd7cf7872e7d6fad1ebef7c4a0069be4
Link:
https://www.unpac.me/results/8e3e2d91-3758-4936-93c4-8ede2fd052d8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e833b7fc4bf14527edb120ee4e691a660b21f93b1ec22bf15881bdcee4c5bb8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148053/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-03 02:04:40 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
1) [C0003.001] Communication Micro-objective::Create Pipe::Interprocess Communication
2) [C0003.003] Communication Micro-objective::Read Pipe::Interprocess Communication
3) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0047] File System Micro-objective::Delete File
7) [C0049] File System Micro-objective::Get File Attributes
8) [C0051] File System Micro-objective::Read File
9) [C0052] File System Micro-objective::Writes File
10) [C0007] Memory Micro-objective::Allocate Memory
11) [C0033] Operating System Micro-objective::Console
12) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
13) [C0040] Process Micro-objective::Allocate Thread Local Storage
14) [C0043] Process Micro-objective::Check Mutex
15) [C0042] Process Micro-objective::Create Mutex
16) [C0041] Process Micro-objective::Set Thread Local Storage Value
17) [C0018] Process Micro-objective::Terminate Process