MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0c85caaf9a9bc7a346836461a0420bdac364fe06a9ea70af7e03f2aeb8fb061. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0c85caaf9a9bc7a346836461a0420bdac364fe06a9ea70af7e03f2aeb8fb061
SHA3-384 hash: a25913449a118fb22f3b6d43ead09a76d5ee655adba605c2dfdad84ecedcb5cacc8222243c8761db835e2f7d57c4d9f7
SHA1 hash: 07d06429899d501b5b0cd668d001f8c39168c821
MD5 hash: 41d9569c9402d5af5881981c2bc0d820
humanhash: hamper-pip-juliet-quiet
File name:41d9569c9402d5af5881981c2bc0d820.exe
Download: download sample
Signature Stop
Create hunting rule
File size:812'032 bytes
First seen:2022-09-06 08:53:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ff0efa7e8c86069b68428d60a3a2b035 (14 x Smoke Loader, 3 x RedLineStealer, 2 x Stop)
ssdeep 24576:eKcj83WN61x9BvBsllUAfZXAnpAVn170c+E:eKYE1x7vBglJfdApG0c+E
TLSH T1610501107BD0C035E1B712F0587A93B9B9397DB1972861CFA2E546EE66386E4ED3034B
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13101/52/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon e0d8c8c8e0e4a099 (12 x Smoke Loader, 7 x RedLineStealer, 7 x Amadey)
Reporter abuse_ch
Tags:exe Stop

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
41d9569c9402d5af5881981c2bc0d820.exe
Verdict:
Malicious activity
Analysis date:
2022-09-06 09:00:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f21a4053-19e5-4253-b77b-5c159bde1df9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308111/
Detection(s):
Win.Packed.Pwsx-9965190-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/36770/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63170af47ab07f2f4ec7716d/reports/b8d4cbc0-0ec4-4689-b9aa-48f036bd5a17/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3c490e5-7d82-4443-8777-762e995d0c29
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1065489
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 698017 Sample: n237afPouc.exe Startdate: 06/09/2022 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic 2->56 58 Multi AV Scanner detection for domain / URL 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 6 other signatures 2->62 8 n237afPouc.exe 2->8         started        11 n237afPouc.exe 2->11         started        13 n237afPouc.exe 2->13         started        15 n237afPouc.exe 2->15         started        process3 signatures4 66 Machine Learning detection for dropped file 8->66 68 Injects a PE file into a foreign processes 8->68 17 n237afPouc.exe 1 18 8->17         started        70 Contains functionality to inject code into remote processes 11->70 22 n237afPouc.exe 1 18 11->22         started        24 backgroundTaskHost.exe 11->24         started        26 n237afPouc.exe 12 13->26         started        28 n237afPouc.exe 12 15->28         started        process5 dnsIp6 50 acacaca.org 189.153.246.166, 49725, 80 UninetSAdeCVMX Mexico 17->50 38 C:\Users\user\...\n237afPouc.exe.oopu (copy), MS-DOS 17->38 dropped 40 C:\Users\user\Desktop\n237afPouc.exe, MS-DOS 17->40 dropped 42 C:\Users\user\Desktop\ZTGJILHXQB.jpg, data 17->42 dropped 48 3 other malicious files 17->48 dropped 64 Modifies existing user documents (likely ransomware behavior) 17->64 52 api.2ip.ua 162.0.217.254, 443, 49714, 49718 ACPCA Canada 22->52 44 C:\Users\user\AppData\...\n237afPouc.exe, PE32 22->44 dropped 46 C:\Users\...\n237afPouc.exe:Zone.Identifier, ASCII 22->46 dropped 30 n237afPouc.exe 22->30         started        33 icacls.exe 22->33         started        file7 signatures8 process9 signatures10 72 Injects a PE file into a foreign processes 30->72 35 n237afPouc.exe 12 30->35         started        process11 dnsIp12 54 api.2ip.ua 35->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0c85caaf9a9bc7a346836461a0420bdac364fe06a9ea70af7e03f2aeb8fb061/
Threat name:
Win32.Trojan.RealProtectPENG
Create hunting rule
Status:
Malicious
First seen:
2022-09-06 08:54:08 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6defzkxzvg6hundigzdbubbaxwwdmt7ankpkocxx4a7sv24pwbqq._file
Verdict:
malicious
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu discovery persistence ransomware spyware stealer
Link:
https://tria.ge/reports/220906-ktwmqsabd7/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://acacaca.org/test1/get.php
Unpacked files
SH256 hash:
85695273b917fdac31f790ee22b084f2d7d24430a7c514e363b7a901cadcfef1
MD5 hash:
6ba4c0e6e6fa4822300c028a09219049
SHA1 hash:
e3fe100fdb3778d7fd7c3cefbdbcaf4aff2bb0a7
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/4d7c9eba-0a81-4122-8bc9-fe2c67e2cd89/
Parent samples :
f0c85caaf9a9bc7a346836461a0420bdac364fe06a9ea70af7e03f2aeb8fb061
459f87dce80d42334ec603305dd3625d019a7bf76670096cae08a57eb51bbb68
66c0de6a8d1dcbf550055bafa1ba909a3a0fc48c832b77b27469aa9fa900ce0a
SH256 hash:
f0c85caaf9a9bc7a346836461a0420bdac364fe06a9ea70af7e03f2aeb8fb061
MD5 hash:
41d9569c9402d5af5881981c2bc0d820
SHA1 hash:
07d06429899d501b5b0cd668d001f8c39168c821
Link:
https://www.unpac.me/results/4d7c9eba-0a81-4122-8bc9-fe2c67e2cd89/
Malware family:
Djvu
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f0c85caaf9a9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0c85caaf9a9bc7a346836461a0420bdac364fe06a9ea70af7e03f2aeb8fb061

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stop

Executable exe f0c85caaf9a9bc7a346836461a0420bdac364fe06a9ea70af7e03f2aeb8fb061

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2261244/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/308111/

Comments