MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stop

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af
SHA3-384 hash:	4f66b2d656e8c744fad722874096d71763a1537c4ed6e9147763c33da8df61b6bcb81204ef15e262431c7b730217cf2d
SHA1 hash:	f956d1a0f9c9e0434de63d31a8678427602a02a5
MD5 hash:	8ca55c7e275ec62a7f00573fb3bd7d47
humanhash:	jupiter-three-oscar-alpha
File name:	ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af
Download:	download sample
Signature	Stop Create hunting rule
File size:	817'152 bytes
First seen:	2021-09-03 09:04:17 UTC
Last seen:	2021-09-03 09:04:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	72021c954fb2224cd9089a2e04035b9f (3 x Stop, 1 x RaccoonStealer)
ssdeep	24576:oS1mthSC0G1MQogTsR3VJu65/bvA7uo2A1:oS1mtcC0GHTsR3VY65I/2
Threatray	463 similar samples on MalwareBazaar
TLSH	T16305122F3691843FE9910B308CA5E7F98435BD5959E2D14B71E93A5F2EF0390932237A
dhash icon	fcfcf4f4d4dcd8c0 (26 x RaccoonStealer, 11 x RedLineStealer, 9 x Stop)
Reporter	JAMESWT_WT
Tags:	exe Stop

Intelligence

File Origin

# of uploads :

# of downloads :

156

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af

Verdict:

Suspicious activity

Analysis date:

2021-09-03 09:46:13 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f7918e4b-d2b6-4e59-90a0-ee050e7d4736

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

STOP

Link:

https://www.capesandbox.com/analysis/185089/

Detection(s):

Win.Packed.Filerepmalware-9890038-0

Win.Packed.Fragtor-9890049-0

Win.Packed.Fragtor-9890050-0

Win.Packed.Generic-9890077-0

Win.Packed.Fragtor-9890080-0

Win.Packed.Generic-9890092-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Connection attempt

Sending a custom TCP request

Creating a file

Launching a process

Creating a process with a hidden window

Adding an access-denied ACE

Deleting a recently created file

Sending an HTTP GET request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7bd33260-4758-42a0-bda0-b9ebffd4f5d9

Result

Threat name:

Djvu

Detection:

malicious

Classification:

rans.troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/844768

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Djvu Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-09-01 03:41:38 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 43 (69.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5o3ftzkkj6rst4va6q5d4s35jnhn2sm5v7x72usld3ept3wh42xq._file

Verdict:

malicious

Stop

08f290d886e67c9aaa4cf058fa166e50efc8181901773373c2123e5290edab71

Stop

0d5034e4f4a4c3a189b3f916c98dbfdc69b1318262fde1878042a5cc9e8f7366

Stop

302c818ff4e207e4ecd8e66ae38fb7368c39b99a883f61dca027dff6d2b996da

Stop

7674f1f7b2b53467fec308bdcaf89c80b4d25eb683ac0ad105084b3dd5cc0cc8

Stop

cc2d59e5fe1823c860fa7b4996f8b5be24bbc4da15b757ea477ef3864031fac1

Stop

d6353ac6a08f1e678698f658274332bcc27588c14e75e029e761dd6af0b4ef41

Stop

+ 453 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:djvu family:vidar botnet:517 discovery persistence ransomware spyware stealer

Link:

https://tria.ge/reports/210903-k17nkscgh7/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Vidar Stealer

Detected Djvu ransomeware

Djvu Ransomware

Vidar

Malware Config

C2 Extraction:

https://romkaxarit.tumblr.com/

Unpacked files

SH256 hash:

160aa84363640ef0e569e00640cda85b766b67c1ff71b0fd949a3ce2e6e40a9c

MD5 hash:

dc4e9cdb6ae0ce6841be15657634ad11

SHA1 hash:

585d350e71c55988c029423eec6b67737a520fa0

Detections:

win_stop_auto

Link:

https://www.unpac.me/results/4fa8bea6-37cf-4fc0-9af1-181495cb6ba4/

Parent samples :

ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af
2db346799c65a4fc59e3063f0c749ac70e160ddcd4f719e897463d6de53621c1
a4656e6277f4a2474916019682ad674c7988a3b30a72ebc34d16089cb3e22453
341adff3ec7c3cf9ec58b939d8c1104d8e6d228653055d6656348d421852d368
7674f1f7b2b53467fec308bdcaf89c80b4d25eb683ac0ad105084b3dd5cc0cc8
857fd1017141f401e9a263e477a80f000d9d064b891a1087b9a51220924a017c
d7bf9c3f9a679bd9c80e455608ef51ea9e91a84031a173c12bb3946050076411
9915b1b61a0eee3b29c2c7238f5f3198137e3b6479689224c3381a155d7b53fe
0d4704002980d141dc8ca282a4cb6ec338a6bbe0d95316cfad6a47b940b4e664
9a9f3b0dbf3655264bdabd0e02127d74b341522c669d3eb11b22b2e2da97867f
68638ad366d915c1df35046302109dac675ce9f800935f377a718389479d433f
a4ac450123dc6794e5ed2fb846d74d70f95be897931fa43983665e8287176a23
da7263588f95278e91f5ddb2898d18735d6c6abfa1e872d1358aafa4e044adca
076ea240e131689495e71d09589d2f3c1bbc43bee4f15938ef59191cd75e049c
15dd9d8533066e0b099af7258e5db6ed2f24edd712040b2ad0d3d1f8fecb2c5a
acc3b48cd0873ffa9a1777f269ff514af019b538386306738e90fefaa18d3827
7551d65fbd92fec28a83f696a49d771bfea37c7050099c3e010d9ec1f4fbc1e6
95dbc0c60bcc0a5f72eb528358b866dd0b4933fe7fc1e68e921615729fe569cf
9eeb3c37031477470fe1afa167ad3e32b7c270084eaac2b11da208e6ebce6eaa
d5b3a05a83dac1fde11c26bb358f513ddf0cb57853a141fecccda0446c842f81

SH256 hash:

ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af

MD5 hash:

8ca55c7e275ec62a7f00573fb3bd7d47

SHA1 hash:

f956d1a0f9c9e0434de63d31a8678427602a02a5

Link:

https://www.unpac.me/results/4fa8bea6-37cf-4fc0-9af1-181495cb6ba4/

Malware family:

Djvu

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/ebb659e54a4f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ebb659e54a4fa329f2a0f43a3e4b7d4b4edd499dafeffd524b1ec8f9eec7e6af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_STOP Create hunting rule
Author:	ditekSHen
Description:	Detects STOP ransomware

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	win_stop_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/185089/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample