MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9265a7c39599d92c7e8a44fc5004cb90b4a5d6828091b0a2835b944c24efad0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9265a7c39599d92c7e8a44fc5004cb90b4a5d6828091b0a2835b944c24efad0
SHA3-384 hash: 3c9fa53ebd15cbc3e62bc1f5d89055d172cc8a18e3df9c2c26d4d7ce29290285d8d1bd7fea7de38ff38d4ae35cd67bfa
SHA1 hash: 6983faf74093cdebd435ee43db228505a16c1d27
MD5 hash: 4dce2818b8f65d6752c17df2ac1382ff
humanhash: massachusetts-white-fillet-fish
File name:4dce2818b8f65d6752c17df2ac1382ff.exe
Download: download sample
Signature Stop
Create hunting rule
File size:679'424 bytes
First seen:2022-10-01 15:10:26 UTC
Last seen:2022-10-01 16:08:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 412fada77f7764a4288155d699251cd2 (11 x Smoke Loader, 9 x GCleaner, 6 x RedLineStealer)
ssdeep 12288:mCANS9uBJiUU5Ji1WiOzR0GD/Cu4TWdGaT5b0hgBiwVXw:mCANS9RUU5JkWj0w/b5Vd0awQg
Threatray 2'352 similar samples on MalwareBazaar
TLSH T177E4233535E1C773CC911E720834D664E87BA44346BA1A4FEBD84B5F8B409D52B2F3AA
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b6dacabecee6baa6 (72 x Stop, 68 x RedLineStealer, 55 x Smoke Loader)
Reporter abuse_ch
Tags:exe Stop


Avatar
abuse_ch
Stop C2:
http://116.202.5.121/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://116.202.5.121/ https://threatfox.abuse.ch/ioc/865816/

Intelligence

File Origin
# of uploads :
2
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315526/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.20679.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Сreating synchronization primitives
Deleting a recently created file
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
greyware packed yakes
Link:
https://www.filescan.io/uploads/6338588649c58ce767c47acc/reports/0f4e0a60-61d3-4edb-bb64-54b423de7ae9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f31e970b-ad8d-4f3d-8282-d5afbf42146c
Result
Threat name:
Babuk, Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1081588
Signature
C2 URLs / IPs found in malware configuration
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 714142 Sample: QYMpemjCP6.exe Startdate: 01/10/2022 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic 2->61 63 Multi AV Scanner detection for domain / URL 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 6 other signatures 2->67 9 QYMpemjCP6.exe 2->9         started        12 QYMpemjCP6.exe 2->12         started        14 QYMpemjCP6.exe 2->14         started        process3 signatures4 71 Machine Learning detection for dropped file 9->71 73 Injects a PE file into a foreign processes 9->73 16 QYMpemjCP6.exe 1 19 9->16         started        21 QYMpemjCP6.exe 1 16 12->21         started        23 QYMpemjCP6.exe 12 14->23         started        process5 dnsIp6 51 winnlinne.com 115.88.24.202, 49707, 80 LGDACOMLGDACOMCorporationKR Korea Republic of 16->51 53 192.168.2.1 unknown unknown 16->53 39 C:\Users\user\...\QYMpemjCP6.exe.adlg (copy), MS-DOS 16->39 dropped 41 C:\Users\user\Desktop\QYMpemjCP6.exe, MS-DOS 16->41 dropped 43 C:\Users\user\Desktop\...43YMMPCEIMA.docx, data 16->43 dropped 49 3 other malicious files 16->49 dropped 69 Modifies existing user documents (likely ransomware behavior) 16->69 55 api.2ip.ua 162.0.217.254, 443, 49694, 49695 ACPCA Canada 21->55 45 C:\Users\user\AppData\...\QYMpemjCP6.exe, PE32 21->45 dropped 47 C:\Users\...\QYMpemjCP6.exe:Zone.Identifier, ASCII 21->47 dropped 25 QYMpemjCP6.exe 21->25         started        28 icacls.exe 21->28         started        file7 signatures8 process9 signatures10 75 Injects a PE file into a foreign processes 25->75 30 QYMpemjCP6.exe 25->30         started        33 QYMpemjCP6.exe 12 25->33         started        process11 dnsIp12 77 Injects a PE file into a foreign processes 30->77 36 QYMpemjCP6.exe 30->36         started        57 api.2ip.ua 33->57 signatures13 process14 dnsIp15 59 api.2ip.ua 36->59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9265a7c39599d92c7e8a44fc5004cb90b4a5d6828091b0a2835b944c24efad0/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-10-01 15:11:11 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5etfu7bzlgozfr7iurh4kacmxefuuxlifaerwcrigw4ujqso7lia._file
Verdict:
malicious
Similar samples:
2eead7300ef128f57b8d581d8c77af8306791628c54f0f3d61758f896cb2d9d2
Stop
4d06c8d3c4fdf4deeea0a286fb758e3478de2b4969b7a21da686efe224a8536f
Stop
53273f74d14d08f30b348131249213ed89cb9b9ec260245d2d5e6098a1f425ff
Stop
5718efcc7fbdfdc203bcdc098b56aaeba9131f7fe59fe2f1f78685a899840ac8
Stop
5fd628901f00dc6a963eb149d432194b8ba17c5338a8cb85fc2494afa2538750
Stop
757f224af2011afcf0cf966da9a88fa0c6c465a581832e82c15a96f8c7e06bb9
Stop
87a4e09cd09cdee5b196d6a137868ecd979ae1e69ec188ff39459327b68bd402
Stop
ec93ce8cce6f314e3df3ff7e7bed1e2acbe48e6871584c7ec4ef49a5febd4aa9
Stop
+ 2'342 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar botnet:517 discovery persistence ransomware spyware stealer
Link:
https://tria.ge/reports/221001-skk4msgbg7/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Detected Djvu ransomware
Djvu Ransomware
Vidar
Malware Config
C2 Extraction:
http://winnlinne.com/test1/get.php
https://t.me/trampapanam
https://nerdculture.de/@yoxhyp
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a9233ee4-8468-4945-924d-a934f4e612c7
Unpacked files
SH256 hash:
1d18b56af68dc83bd5fe61d057f69312082bef894386508cd0f64be3dc3b6e9a
MD5 hash:
3154e4e1340503915350e6a9f1b814a1
SHA1 hash:
1e7db3c7e9bb20dd4972d2da804a3e6936b7f0ad
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/3f87e498-c74a-469b-a4e4-5175d900b794/
Parent samples :
e9265a7c39599d92c7e8a44fc5004cb90b4a5d6828091b0a2835b944c24efad0
4642c5bc794aed8a3c6280bb9565a346588e4e35f054332553bc581b2cb5d489
SH256 hash:
e9265a7c39599d92c7e8a44fc5004cb90b4a5d6828091b0a2835b944c24efad0
MD5 hash:
4dce2818b8f65d6752c17df2ac1382ff
SHA1 hash:
6983faf74093cdebd435ee43db228505a16c1d27
Link:
https://www.unpac.me/results/3f87e498-c74a-469b-a4e4-5175d900b794/
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e9265a7c3959/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9265a7c39599d92c7e8a44fc5004cb90b4a5d6828091b0a2835b944c24efad0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest8
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

Executable exe e9265a7c39599d92c7e8a44fc5004cb90b4a5d6828091b0a2835b944c24efad0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2261244/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/315526/

Comments