MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0f977ae27df7a111ae322b49b8227ff2fd951461a649ea8fab8c5bec6efb47b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry





Vendor detections: 12



SHA256 hash: f0f977ae27df7a111ae322b49b8227ff2fd951461a649ea8fab8c5bec6efb47b
SHA3-384 hash: 82f15b2aa5c2f16aa94ebe941a9d4299f8ca78ba48bfc7e2634d5d7d0edca515ce684e07bc8659c4cf778bff3dd648cc
SHA1 hash: 0e8ee000b4834b3493f12277e12a6f794d086cf3
MD5 hash: c75b892763984559d785740c7b0f68bd
humanhash: fifteen-pennsylvania-oven-three
File name: f0f977ae27df7a111ae322b49b8227ff2fd951461a649ea8fab8c5bec6efb47b
Download: download sample
Signature: Stop
File size: 807'424 bytes
First seen: 2021-09-24 06:08:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d0a8c3f24685503ba25bd76f34c13b9e (8 x RedLineStealer, 3 x RaccoonStealer, 2 x DanaBot)
ssdeep: 24576:acKRrcd3Qg2FT0c5OBXWSGQDWCVxsVgVcrRw:jVQg2FQmOsaW21VcR
Threatray: 706 similar samples on MalwareBazaar
TLSH: T194050220AAA0C034E5B702F5567A93A8A83D7E71EB6450CF53F626EA25343E4FD31357
File icon (PE): PE icon
dhash icon: 9824e7d0c4672158 (1 x Stop, 1 x DanaBot)
Reporter: JAMESWT_WT
Tags: exe Stop

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 122
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: f0f977ae27df7a111ae322b49b8227ff2fd951461a649ea8fab8c5bec6efb47b
Verdict: Suspicious activity
Analysis date: 2021-09-24 06:31:40 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Malware family: STOP Ransomware
Verdict: Malicious
Result
Threat name: Djvu Vidar
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 489706; sample HVHU71yzzA; start date 24/09/2021; architecture WINDOWS; score 100): the rendered graph is not reproduced here. Its nodes cover the process tree (several HVHU71yzzA.exe instances, icacls.exe, build2.exe), the contacted hosts (api.2ip.ua at 77.123.139.190:443, 192.168.2.1, securebiz.org at 123.215.94.239:80, tbpws.top, 159.69.203.58:80, mas.to at 88.99.75.82:443), the dropped files (a HVHU71yzzA.exe.koom copy, FileSync.LocalizedResources.dll.mui, softokn3[1].dll, mozglue[1].dll, freebl3[1].dll, 425 further files of which 415 are flagged malicious, and 9 further non-malicious files) and the triggered signatures listed above.
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-09-21 18:56:26 UTC
AV detection: 34 of 45 (75.56%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:djvu family:vidar discovery persistence ransomware spyware stealer suricata
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Unpacked files
SHA256 hash: e3a758405e0871107c905ba5cf211ec30bd7fb9345950a9a0b3def7f14c9e87c
MD5 hash: 2590861b15fd552297b400342732e746
SHA1 hash: 0663677bd8ef8ded4f9d97de3038ccab7fccadab
Detections: win_stop_auto
Parent samples:
SHA256 hash: f0f977ae27df7a111ae322b49b8227ff2fd951461a649ea8fab8c5bec6efb47b
MD5 hash: c75b892763984559d785740c7b0f68bd
SHA1 hash: 0e8ee000b4834b3493f12277e12a6f794d086cf3
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: MALWARE_Win_STOP
Author: ditekSHen
Description: Detects STOP ransomware
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload
Rule name: win_stop_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.stop.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments