MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4f1a59fb2ff044fa64232b1714b5c59b8390faa65a05a031949b2549c888f12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stop

Vendor detections: 16

Intelligence 16 IOCs YARA 22 File information Comments

SHA256 hash:	f4f1a59fb2ff044fa64232b1714b5c59b8390faa65a05a031949b2549c888f12
SHA3-384 hash:	dc95b24b98ce8531e2d1c6b4fc6d66ed4293111ff02e1a9564a58b9763a48c8c2ad660217fe8746cfa6cbdfad592b9ed
SHA1 hash:	b09326b08b34a37e019ae1ed2443a1d68b73d60d
MD5 hash:	4e5e22711345cdff9d935523e2340023
humanhash:	echo-hamper-red-enemy
File name:	file
Download:	download sample
Signature	Stop Create hunting rule
File size:	860'160 bytes
First seen:	2023-08-29 23:30:52 UTC
Last seen:	2023-08-30 00:38:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	23ea2e8bb62a07ac4b8dc6d0f34a02ee (2 x Stop)
ssdeep	12288:qtdlPKCw75H6npi8Yqi6O15eKHzn8Ps/aAB1KMOcd44Fa3foDqbRPKJ:qVijF6nYCiQuz8PEaAnd44FaP/kJ
Threatray	2'285 similar samples on MalwareBazaar
TLSH	T1B605E0039291BC61E9264B729F1FC2F8761DF170BE897B6633189B6F05701B2DA63711
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0010008020100800 (1 x Stop)
Reporter	andretavare5
Tags:	exe Stop

andretavare5

Sample downloaded from https://vk.com/doc44017378_668590266?hash=sBf1QNaUDRlSfOaVaFnjS5TzOZE1TAAfAiyVTAZgF5g&dl=pQmK4HaFuQ7wWqfN9kbWaC7nynaWDecSivn82JaZrY0&api=1&no_preview=1#test3

Intelligence

File Origin

# of uploads :

# of downloads :

324

Origin country :

Vendor Threat Intelligence

Malware family:

stop

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-08-29 23:33:24 UTC

Tags:

ransomware stop stealer vidar trojan arkei loader raccoonclipper

Link:

https://app.any.run/tasks/019444c0-a648-4813-9a1a-ed24b115eea2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

STOP

Link:

https://www.capesandbox.com/analysis/445162/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64ee7fb87444d2eb09f31d8c/reports/3a1b83a0-10c1-4f10-9e29-93a0c962a705/overview

Verdict:

Malicious

Labled as:

Mint.Titirez.Generic

Link:

https://www.hybrid-analysis.com/sample/f4f1a59fb2ff044fa64232b1714b5c59b8390faa65a05a031949b2549c888f12

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

STOP Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a430d03e-fa35-417d-94cc-57b79210263d

Result

Threat name:

Babuk, Djvu

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1299995

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found ransom note / readme

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes a notice file (html or txt) to demand a ransom

Yara detected Babuk Ransomware

Yara detected Djvu Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f4f1a59fb2ff044fa64232b1714b5c59b8390faa65a05a031949b2549c888f12/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-08-29 17:45:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6ty2lh5s74ce7jscgkyxcs24lg4dsd5kmwqfuayzjgzfjheir4ja._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:djvu family:vidar botnet:25f5344bfcb62e75b7946c3a681aec54 discovery persistence ransomware spyware stealer

Link:

https://tria.ge/reports/230829-3hpn6agf99/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Downloads MZ/PE file

Detected Djvu ransomware

Djvu Ransomware

Vidar

Malware Config

C2 Extraction:

http://zexeq.com/test3/get.php
https://t.me/vogogor
https://steamcommunity.com/profiles/76561199545993403

Unpacked files

SH256 hash:

56e29ba9c0d6c9440a2ed16117e3e7b92c6c48bfe8a820ca55e1e5321e5f5413

MD5 hash:

0c54c0fdbb975f25e037955009f3347f

SHA1 hash:

bd76a30e1e8a9cbd701e45089918cfcc924669df

Detections:

djvu_ransomware

win_stop_auto

Link:

https://www.unpac.me/results/bbec84fc-6713-405b-8a8c-9f9d0ef52fe1/

SH256 hash:

f4f1a59fb2ff044fa64232b1714b5c59b8390faa65a05a031949b2549c888f12

MD5 hash:

4e5e22711345cdff9d935523e2340023

SHA1 hash:

b09326b08b34a37e019ae1ed2443a1d68b73d60d

Link:

https://www.unpac.me/results/bbec84fc-6713-405b-8a8c-9f9d0ef52fe1/

Malware family:

Djvu

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f4f1a59fb2ff/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f4f1a59fb2ff044fa64232b1714b5c59b8390faa65a05a031949b2549c888f12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_STOP Create hunting rule
Author:	ditekSHen
Description:	Detects STOP ransomware

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Telegram_Links Create hunting rule

Rule name:	Vidar Create hunting rule
Author:	kevoreilly,rony
Description:	Vidar Payload

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Ransomware_Stop_1e8d48ff Create hunting rule
Author:	Elastic Security

Rule name:	win_stop_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.stop.

Rule name:	win_vidar_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/445162/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample