MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4105f470480c034963d8b4ffcd671a7b1db1edc478c9e216477dff24099e0b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4105f470480c034963d8b4ffcd671a7b1db1edc478c9e216477dff24099e0b3
SHA3-384 hash: 62f334f9aecd8be2af06c4c898debeed87f33d90c80b9980213360ce24cb60c6c0a5a28dccdf56a46247bcf5aea5e216
SHA1 hash: d4b1bf6edf3ca5aae399da755b8f799441a0b8d4
MD5 hash: 6ac8320b05bd495020885e837e6c6285
humanhash: mirror-moon-tennis-purple
File name:f4105f470480c034963d8b4ffcd671a7b1db1edc478c9e216477dff24099e0b3
Download: download sample
Signature Stop
Create hunting rule
File size:797'184 bytes
First seen:2022-04-04 06:23:30 UTC
Last seen:2022-04-04 06:55:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f13d3005e6e565a1364782e0e3c75a05 (6 x Stop)
ssdeep 24576:4+ZgEKsnIyndN7uUgUmwiLiCn3FD8g7A:44IWdHgDfVgg0
Threatray 1'103 similar samples on MalwareBazaar
TLSH T1BE050210B7A0D035F6B763F059BA93E8B93A7DA04B3551CB22D55AEE4A346E4EC30317
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter JAMESWT_WT
Tags:exe Stop

Intelligence

File Origin
# of uploads :
2
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/260367/
Detection(s):
Win.Packed.Ransomx-9942692-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Сreating synchronization primitives
Deleting a recently created file
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12503/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/624a8f0d40ce5db9f4ffc4ff/reports/9a9c2e99-ca18-4c6c-9a54-d63a98c2e66e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d085810-b2c9-44c1-a7b7-eb75c3da0a89
Result
Threat name:
Djvu
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/969714
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Possible FUD Crypter (malicious underground PE packer) detected
Yara detected Djvu Ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4105f470480c034963d8b4ffcd671a7b1db1edc478c9e216477dff24099e0b3/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-03-31 04:23:06 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6qif6ryeqdadjfr5rnh7zvtru6y5whw4i6gj4ileo7p7eqez4czq._file
Verdict:
malicious
Similar samples:
104fae3c4dcf6339429a9242d76cec45644e5b2e072fdfa0d5f477c7ec7ebcfb
Stop
17a21c03cda1d7443ca4bef3a410bc88b544b55e28088a3ae550aebc517bea35
Stop
5a1fb27924ab99541f08d3a46321b88fa4ce52a2346ebd92dc8da423c907cde3
Stop
63d7b37217bad05463192bd2f5e39a4ac23ff21c52cd27bf541780d29cf77c7f
Stop
886a9594355a0fce24f001f602bc6cae7bf2df2deeef18698cfe773e3c926f61
Stop
8e59e609d766b97d507b0bc9947d0a4b45431a3e3a2f3ade98a14a51cfb96fd0
Stop
ad6a09d69bd7b57c329336a6ea486acd2c7c275e2a6a9703d95a93fd5fc0070b
Stop
bf4dcafe30c748d3ae356dacaee3c6d33d949e6a6c53dec1f5fd4ea12d77b505
Stop
d3ca0ef14e8dc45497faba304acf842bb2f2913ca2108600ee2771f9e9a24f9c
Stop
f8db10513db12a4bb861d7b1f52e56f5de5f5dba7614fdee3db67b191fee85c6
Stop
+ 1'093 additional samples on MalwareBazaar
Result
Malware family:
djvu
Create hunting rule
Score:
  10/10
Tags:
family:djvu ransomware
Link:
https://tria.ge/reports/220404-g53cwaccb9/
Behaviour
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://fuyt.org/lancer/get.php
Unpacked files
SH256 hash:
14412d70202c15f5da2041354d2def54417298a682dd89326ca03d8a0bd8552b
MD5 hash:
745712ead4a703cd05e3faa1cba9e4cc
SHA1 hash:
9e963558ab90de3c95ab743e15a1d1618fb43858
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/bf2441fc-c007-422f-b00c-046582d0e92c/
Parent samples :
8f9ed33c79f36b350c493bb1fef27bf458110de1870092d1babee3ac6053735b
3423c85e9bc7eddc8b4525fc565665a992231e8d01c8159b03f5dc5c303ad4db
98dc8c7a341d23a417b681dcef70c286b55b7548de153ce7e43041e3129513b1
72cd1426f13a698c7d63a288f4920147812303e8f10a4e66e414cc7c2206381d
f4105f470480c034963d8b4ffcd671a7b1db1edc478c9e216477dff24099e0b3
SH256 hash:
f4105f470480c034963d8b4ffcd671a7b1db1edc478c9e216477dff24099e0b3
MD5 hash:
6ac8320b05bd495020885e837e6c6285
SHA1 hash:
d4b1bf6edf3ca5aae399da755b8f799441a0b8d4
Link:
https://www.unpac.me/results/bf2441fc-c007-422f-b00c-046582d0e92c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4105f470480c034963d8b4ffcd671a7b1db1edc478c9e216477dff24099e0b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_STOP
Create hunting rule
Author:ditekSHen
Description:Detects STOP ransomware
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_stop_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stop.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/260367/

Comments