MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e95994ec57e99d352ba46ae70a33e7b2f496d4b1f40f43f47843afc8155ebee8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stop

Vendor detections: 17

Intelligence 17 IOCs YARA 6 File information Comments

SHA256 hash:	e95994ec57e99d352ba46ae70a33e7b2f496d4b1f40f43f47843afc8155ebee8
SHA3-384 hash:	9dbe88fe7f61c9155b0e736e36fc5c48437e1d7c9cfe0d4b8c700e3cae685df33fea0025e4245ff5e93aae40d61baa4f
SHA1 hash:	e4b210cf7c6624e9eb6682a8364d960e66f30901
MD5 hash:	ada984f5a87551e7f2ffb2db513410bc
humanhash:	thirteen-jupiter-football-failed
File name:	ada984f5a87551e7f2ffb2db513410bc.exe
Download:	download sample
Signature	Stop Create hunting rule
File size:	709'632 bytes
First seen:	2023-02-15 13:40:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4e0db68663e7214680ba4f7cafdd65a1 (19 x Smoke Loader, 13 x RedLineStealer, 2 x Stop)
ssdeep	12288:/3J7UrHNy+OicZtWn9hCVXze8EDQZIoi623XNq3+/MciW:x7Ur+yhCpezd9tCN
Threatray	3'645 similar samples on MalwareBazaar
TLSH	T15CE42221B1B0D038D1675879D672E6909D36B9B23B7A4193370C0A4E7FA0FE1AB2F355
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	3270713264686870 (1 x Stop)
Reporter	abuse_ch
Tags:	exe Ransomware Stop

Intelligence

File Origin

# of uploads :

# of downloads :

755

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

stop

ID:

File name:

ada984f5a87551e7f2ffb2db513410bc.exe

Verdict:

Malicious activity

Analysis date:

2023-02-15 14:22:52 UTC

Tags:

trojan ransomware stop stealer vidar loader

Link:

https://app.any.run/tasks/5dd41a7b-189a-41ab-a9c2-a0a2d51bb597

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

STOP

Link:

https://www.capesandbox.com/analysis/366619/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Sending an HTTP GET request

Creating a file

Launching a process

Creating a process with a hidden window

Adding an access-denied ACE

Сreating synchronization primitives

Deleting a recently created file

DNS request

Searching for synchronization primitives

Query of malicious DNS domain

Sending a TCP request to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Sending an HTTP GET request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

anti-vm greyware packed

Link:

https://www.filescan.io/uploads/63ece0f145632f5c85b35870/reports/c10844a7-78b6-4fb1-8c00-76e71dc557be/overview

Verdict:

Malicious

Labled as:

Barys.Generic

Link:

https://www.hybrid-analysis.com/sample/e95994ec57e99d352ba46ae70a33e7b2f496d4b1f40f43f47843afc8155ebee8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bf8e9aed-2d74-4696-8f73-15c149a1e1ee

Result

Threat name:

Babuk, Djvu

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1175744

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e95994ec57e99d352ba46ae70a33e7b2f496d4b1f40f43f47843afc8155ebee8/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2023-02-15 07:44:48 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 25 (80.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5fmzj3cx5gotkk5enltqum7hwl2jnvfr6qhuh5dyiox4qfk6x3ua._file

Verdict:

malicious

Stop

2831300675369e6ac5d928446186f83bedc4027fe6db617039e5b224258ed0b6

Stop

6a455892dc6b808ff4f012010f20ad4bbf16b881b9c235d98c85565591289012

Stop

83c4c80adbeb1d8411e49c1d14a886af6a26c9fb9827d8852d4e45e4a5f09b17

Stop

b299675e7e4654beadcaa2c38a96bf8324bbde96904ede17fdd88ebb7fdf2748

Stop

d46fec4abba46efe6663f19c2d9963a612f4ff25023c0dc6fc5bb559f106859d

Stop

+ 3'635 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:djvu family:vidar botnet:19 discovery persistence ransomware spyware stealer

Link:

https://tria.ge/reports/230215-qy7tfsbg3v/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Downloads MZ/PE file

Detected Djvu ransomware

Djvu Ransomware

Vidar

Malware Config

C2 Extraction:

http://bihsy.com/test2/get.php

Unpacked files

SH256 hash:

6a6e4e951914879eac0db4301dbac4e709e9966cd8aae36c9d76e52c0935879c

MD5 hash:

539fa8d17d501c19adfa9b9f49d79310

SHA1 hash:

f91a106a7156967a2b0b9e21ac7f72de15826f3d

Detections:

win_stop_auto

Link:

https://www.unpac.me/results/51a09523-6b64-42d0-8462-750796b5bf21/

Parent samples :

7c49006f7f3884f9c9b05d53bbfbee2160610f2310e97cbb66c4aa827089ee75
3c3ad1fd2a9083af9ffd64714e7b3dd7cc629c06f59eb52e03bfacd2ef2a2553
5df73e74b4b3cece459f28d8226fd08d829c6a54d1be36d2560d8799eafb8981
92d2a910eeb880d90dc4613d4baddaf3389a4de2956fd9ff61d1aba5c1f314d0
629dbc5c16adae69b1bde7af737e336d833892d8de46f52de3fb592e5d4cb46c
e95994ec57e99d352ba46ae70a33e7b2f496d4b1f40f43f47843afc8155ebee8

SH256 hash:

e95994ec57e99d352ba46ae70a33e7b2f496d4b1f40f43f47843afc8155ebee8

MD5 hash:

ada984f5a87551e7f2ffb2db513410bc

SHA1 hash:

e4b210cf7c6624e9eb6682a8364d960e66f30901

Link:

https://www.unpac.me/results/51a09523-6b64-42d0-8462-750796b5bf21/

Malware family:

Djvu

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e95994ec57e9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e95994ec57e99d352ba46ae70a33e7b2f496d4b1f40f43f47843afc8155ebee8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_STOP Create hunting rule
Author:	ditekSHen
Description:	Detects STOP ransomware

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Windows_Ransomware_Stop_1e8d48ff Create hunting rule
Author:	Elastic Security

Rule name:	win_stop_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/366619/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample