MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 ffbf3c9e0ec433e6ea684b848440bc8d039164fca4174763ba12335ab57d7606. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Stop
Vendor detections: 15
| SHA256 hash: | ffbf3c9e0ec433e6ea684b848440bc8d039164fca4174763ba12335ab57d7606 |
|---|---|
| SHA3-384 hash: | dfb5d50bc2726f8a199f0fe7d5e3ebc7ea260697a666e9247fcbcc9206a1802e4660c48c47fa65cd4ebc026a9936a360 |
| SHA1 hash: | 1fc6c1437c6c029ee1e8a7a6829c3ebed30310d9 |
| MD5 hash: | 30991b64d4cff0569511abce709a5118 |
| humanhash: | yellow-red-nitrogen-lima |
| File name: | ffbf3c9e0ec433e6ea684b848440bc8d039164fca4174763ba12335ab57d7606 |
| Download: | download sample |
| Signature | Stop |
| File size: | 789'504 bytes |
| First seen: | 2022-04-04 06:23:34 UTC |
| Last seen: | 2022-04-04 06:55:07 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 4015140a4b9194b9643a2e5ad5a6ffac (4 x Stop, 1 x RedLineStealer) |
| ssdeep | 12288:plWyCVH/Av5DyxwJbWhgaU3b08Py9gpkloAvaDMdxTZWRyIGvyx7sQZgq:peIBD/JbWhgaCYGLAvaDMdQ1JZZ |
| Threatray | 1'062 similar samples on MalwareBazaar |
| TLSH | T119F402207BA0C035F5B716F45D7A82697A3F7EA09B3494CB96D916EA1B34AE4DC30307 |
| File icon (PE): |  |
| dhash icon | badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader) |
| Reporter |  JAMESWT_WT |
| Tags: | exe Stop |
Intelligence
File Origin
# of uploads :
2
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Detection:
STOP
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Сreating synchronization primitives
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
8/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
greyware packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Verdict:
Malicious
Result
Threat name:
Djvu Vidar
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Possible FUD Crypter (malicious underground PE packer) detected
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Azorult
Status:
Malicious
First seen:
2022-04-02 01:42:39 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
32 of 42 (76.19%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 1'052 additional samples on MalwareBazaar
Result
Malware family:
djvu
Score:
10/10
Tags:
family:djvu ransomware
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://fuyt.org/test1/get.php
Unpacked files
SH256 hash:
fc90a956316d6efabf262e575d5801e6ec502502dcef75269b2db592d0e5a70a
MD5 hash:
98fd0039533495e6a5756eae5a9ea38b
SHA1 hash:
5c8fdddd87ccc8b5ac13d0adc0178d2d356f0e6d
Detections:
win_stop_auto
Parent samples :
9cfe27f65401391f31681939a2044e00e873f2391398656a6066c9e09030f5e1
a7dd575a5d02cf4531309ba335481564cf35383285d84effa519d302962556e7
56fdae721975ff81c3ba41c65aa74395ffac22f832d494c1edd3ecc2593e45c0
adb3dfa05eb1eac98d1c860e0e88c6050952b00e854f962e02126b14ab0e8423
58800e8556bb1ecb9d1554a14cd59136cbf41bac263c56d8e0adea85e6fbcc35
ae46809e1f04125ca54e9108794c6426d389617e0bd8133ce91aeee9ce9bb573
a08d308902b9494ee1a0d38e4c7cb5dc91e302efc8e869be3c2ec0394034fe06
2fbd58e933ac02775649129f2d72a4a40c011f1075d4714052141c6c0813b049
1fc49b9f134cd2ce6b203dfea77b85269bba7ed1e29060d11dad4fabcaa66f67
1cf6de69e4116e27fdc7fdd485432566bd2c65598bc9420bc1089fd5f7c3cf4f
2b52418f70ca659187a5d9959802adc348af02b4bb4bdfaa634de930295d8ae3
5efb1ae4bb8bb433c72d9a5ffa3e567e9ac235eb666ce25a56035e30fb623abc
6fcec37ad944a768f9e87a590de03e1df6c5b86cd7ffe3105589ce463cc67615
28de739e5a1ed53773ef2d8747f800a88c631b7fc27466cbc6371bccb9259da9
37ee32817b5a8fe72af37a71d051f1330a2486a88a2735e051f860bf92fdbfdc
82e869f41c09e99a544ce6d50fedf25e1f08b60286a8085299d3196b00083a1b
295ba48b48c596fcf5792578fe2c0678b841984588efbcf77067f51961d374f2
3289a7e157927ea433bcbef1e2f4a14830051bf75824c0769c31efaf1225955c
3d14f23b4729d498460c0831236950c4d854fea2de797c1fe65b1eb6548dc241
9301195c700b39f71484a9302e0ee0f714b8914113394b08f4f4788cd6f5a40e
a512b4b6c99877a9990299da663556a582fc6eb9713b9984d9c2927d73c9c6ff
c10580e06da040aa1e72bb74f872bb45d63f1733e432f15920eff91848d31377
893641698acd5b415c7a079b5512abadd0da0ebcd9e9e440bd0cf33fc5596257
d536de2200a9424de07b26726d16c18a88277745eb87d3e3f31f3ce83207a2b6
e2008f3eb3480e576bd34e3a1079b21a17a03fe3f02d74c98461a1eef4e28275
eacbde48d95aaaa21da6ff9acb0e5e29b4a19d89816351a6616c6e800e686261
c4b422fc75b9e6b9b7bc6d5dc6ceb221aba807ccf9973710b5c62a30fd636bf8
ffbf3c9e0ec433e6ea684b848440bc8d039164fca4174763ba12335ab57d7606
436d45423beaf3553cf83814334614f11d786650981bfd1deec29093761efea3
6672fed2e98c442d1d0f86f03fcdc939f502cb9952061c57af7d4f232ed6d16c
d89e36841e53232e807fe543972ca6a1b4dd425da6ea87d7455043a75c6df957
e094869a8bb09c533b826e173f853cf8d7d1ab31f56fa7cbdf3ea72dabd7ead4
edbe71fea0f03f364ec2b75c2786ddea29541034496d5005c132d8b402a3c778
9dc1ae55fc0b55f3a3268a59a50fb9052d917b53295d1415cbc4045ddc3dbad0
02f7349342a424adae32d57fa13d89be4b7b54e119b068d1046c14e36b7f5bc3
6dceff38ea7aa0c62437cdb32c52bbaff747db2bcd8cf38597dce31a26695c3c
0b6c3923a7d34f3062dab70853887a2a3c8bdb009e9a110d4a554bef892b26fd
3dd2f20a676053db4004a363fe3a838b4eeea2b24447336f80b19de465affa9a
5eba82a7e94705bf27fadd086866acebcd1afe20d9b5ad9ee9f224ab21f46ad9
8a2d0bf67b76ca5e61e73cb91957a5cc4281ebf9ff3a2cc83d5c0262c64d7abe
8c5a7318f7201df35cfd4c7902108e287a1932454a8120c47da88114cd845138
9d86a0b05fe7895b350e225e4585dc999008ce6df6bb54cfb1141613f1e97df1
22a282ef1bcc703568825a99c13a5f409718291d9817d11a2ab4ca0ef9272865
28ab91ea2d0e18a098cf8d26e786a7a477a98d6b0a6dcc1ec9e6e54395534b5d
44eed310cb747cc6e34b10937c0f7f8011d20b7559ab8846bf981def59275f5a
99eaee03c735e58c791b29c4d8b0911a0b42b70bd55ac3e5f33cf0729accfe0f
23a56459c8c96187dccb00c4f206678c901ac4b20f25a92babd1197213f16b01
83f32b4c80b69df7ac87e097e57990f759d71433010558083e0260238fe3a795
726e184388fa817075ff40803a1c921e9907d426888cf8e265f14d88d606b2bb
bbc0573a3c27403f6191fd3820ee001dc8d248f4af20200ebbac79cb63ef1023
556a1f630405c06e4ebceadee1c8dc291f1fcaba0955adcdb8946cae5765a939
05369a22c30ed4a64f2559bb9e8acbaf0838eac9f4ad2c06e9c5f06bd3d8b01f
b76029c0f387e9c39ca61093bab92354550a28281b8de0ed56e6be3cc59873c4
db31b33ef9ba03ebc8ad2ff4fe5ab3fb5934d92a26c2b512e784bfc34c3effc2
910fe03c505bbae3cb251f6fa48c837347a4505f7e74ba658a06c41667bf03b3
db796fc968041267daff136126768ff072bd3e4e271d1c81120b0eaf6056bf60
fc6ccdf10a489163e43fbd96ed5c48d0b2948e2a21a29a793083cd15b64b5739
6120caded2eeed1982670216779cbfd5a1b6917b339c96106bc23051ea6a2670
8166fa2f97612f886d127e68c511bc2d8edae19cf9eba76ead300beb41b5aa69
e93dfe97cdd0a9bcd8cc42063fb14cef4e4e0d588871614c3cea18e4c4ba77d7
a7dd575a5d02cf4531309ba335481564cf35383285d84effa519d302962556e7
56fdae721975ff81c3ba41c65aa74395ffac22f832d494c1edd3ecc2593e45c0
adb3dfa05eb1eac98d1c860e0e88c6050952b00e854f962e02126b14ab0e8423
58800e8556bb1ecb9d1554a14cd59136cbf41bac263c56d8e0adea85e6fbcc35
ae46809e1f04125ca54e9108794c6426d389617e0bd8133ce91aeee9ce9bb573
a08d308902b9494ee1a0d38e4c7cb5dc91e302efc8e869be3c2ec0394034fe06
2fbd58e933ac02775649129f2d72a4a40c011f1075d4714052141c6c0813b049
1fc49b9f134cd2ce6b203dfea77b85269bba7ed1e29060d11dad4fabcaa66f67
1cf6de69e4116e27fdc7fdd485432566bd2c65598bc9420bc1089fd5f7c3cf4f
2b52418f70ca659187a5d9959802adc348af02b4bb4bdfaa634de930295d8ae3
5efb1ae4bb8bb433c72d9a5ffa3e567e9ac235eb666ce25a56035e30fb623abc
6fcec37ad944a768f9e87a590de03e1df6c5b86cd7ffe3105589ce463cc67615
28de739e5a1ed53773ef2d8747f800a88c631b7fc27466cbc6371bccb9259da9
37ee32817b5a8fe72af37a71d051f1330a2486a88a2735e051f860bf92fdbfdc
82e869f41c09e99a544ce6d50fedf25e1f08b60286a8085299d3196b00083a1b
295ba48b48c596fcf5792578fe2c0678b841984588efbcf77067f51961d374f2
3289a7e157927ea433bcbef1e2f4a14830051bf75824c0769c31efaf1225955c
3d14f23b4729d498460c0831236950c4d854fea2de797c1fe65b1eb6548dc241
9301195c700b39f71484a9302e0ee0f714b8914113394b08f4f4788cd6f5a40e
a512b4b6c99877a9990299da663556a582fc6eb9713b9984d9c2927d73c9c6ff
c10580e06da040aa1e72bb74f872bb45d63f1733e432f15920eff91848d31377
893641698acd5b415c7a079b5512abadd0da0ebcd9e9e440bd0cf33fc5596257
d536de2200a9424de07b26726d16c18a88277745eb87d3e3f31f3ce83207a2b6
e2008f3eb3480e576bd34e3a1079b21a17a03fe3f02d74c98461a1eef4e28275
eacbde48d95aaaa21da6ff9acb0e5e29b4a19d89816351a6616c6e800e686261
c4b422fc75b9e6b9b7bc6d5dc6ceb221aba807ccf9973710b5c62a30fd636bf8
ffbf3c9e0ec433e6ea684b848440bc8d039164fca4174763ba12335ab57d7606
436d45423beaf3553cf83814334614f11d786650981bfd1deec29093761efea3
6672fed2e98c442d1d0f86f03fcdc939f502cb9952061c57af7d4f232ed6d16c
d89e36841e53232e807fe543972ca6a1b4dd425da6ea87d7455043a75c6df957
e094869a8bb09c533b826e173f853cf8d7d1ab31f56fa7cbdf3ea72dabd7ead4
edbe71fea0f03f364ec2b75c2786ddea29541034496d5005c132d8b402a3c778
9dc1ae55fc0b55f3a3268a59a50fb9052d917b53295d1415cbc4045ddc3dbad0
02f7349342a424adae32d57fa13d89be4b7b54e119b068d1046c14e36b7f5bc3
6dceff38ea7aa0c62437cdb32c52bbaff747db2bcd8cf38597dce31a26695c3c
0b6c3923a7d34f3062dab70853887a2a3c8bdb009e9a110d4a554bef892b26fd
3dd2f20a676053db4004a363fe3a838b4eeea2b24447336f80b19de465affa9a
5eba82a7e94705bf27fadd086866acebcd1afe20d9b5ad9ee9f224ab21f46ad9
8a2d0bf67b76ca5e61e73cb91957a5cc4281ebf9ff3a2cc83d5c0262c64d7abe
8c5a7318f7201df35cfd4c7902108e287a1932454a8120c47da88114cd845138
9d86a0b05fe7895b350e225e4585dc999008ce6df6bb54cfb1141613f1e97df1
22a282ef1bcc703568825a99c13a5f409718291d9817d11a2ab4ca0ef9272865
28ab91ea2d0e18a098cf8d26e786a7a477a98d6b0a6dcc1ec9e6e54395534b5d
44eed310cb747cc6e34b10937c0f7f8011d20b7559ab8846bf981def59275f5a
99eaee03c735e58c791b29c4d8b0911a0b42b70bd55ac3e5f33cf0729accfe0f
23a56459c8c96187dccb00c4f206678c901ac4b20f25a92babd1197213f16b01
83f32b4c80b69df7ac87e097e57990f759d71433010558083e0260238fe3a795
726e184388fa817075ff40803a1c921e9907d426888cf8e265f14d88d606b2bb
bbc0573a3c27403f6191fd3820ee001dc8d248f4af20200ebbac79cb63ef1023
556a1f630405c06e4ebceadee1c8dc291f1fcaba0955adcdb8946cae5765a939
05369a22c30ed4a64f2559bb9e8acbaf0838eac9f4ad2c06e9c5f06bd3d8b01f
b76029c0f387e9c39ca61093bab92354550a28281b8de0ed56e6be3cc59873c4
db31b33ef9ba03ebc8ad2ff4fe5ab3fb5934d92a26c2b512e784bfc34c3effc2
910fe03c505bbae3cb251f6fa48c837347a4505f7e74ba658a06c41667bf03b3
db796fc968041267daff136126768ff072bd3e4e271d1c81120b0eaf6056bf60
fc6ccdf10a489163e43fbd96ed5c48d0b2948e2a21a29a793083cd15b64b5739
6120caded2eeed1982670216779cbfd5a1b6917b339c96106bc23051ea6a2670
8166fa2f97612f886d127e68c511bc2d8edae19cf9eba76ead300beb41b5aa69
e93dfe97cdd0a9bcd8cc42063fb14cef4e4e0d588871614c3cea18e4c4ba77d7
SH256 hash:
ffbf3c9e0ec433e6ea684b848440bc8d039164fca4174763ba12335ab57d7606
MD5 hash:
30991b64d4cff0569511abce709a5118
SHA1 hash:
1fc6c1437c6c029ee1e8a7a6829c3ebed30310d9
Malware family:
Djvu
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | MALWARE_Win_STOP |
|---|---|
| Author: | ditekSHen |
| Description: | Detects STOP ransomware |
| Rule name: | SUSP_XORed_URL_in_EXE |
|---|---|
| Author: | Florian Roth |
| Description: | Detects an XORed URL in an executable |
| Reference: | https://twitter.com/stvemillertime/status/1237035794973560834 |
| Rule name: | SUSP_XORed_URL_in_EXE_RID2E46 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects an XORed URL in an executable |
| Reference: | https://twitter.com/stvemillertime/status/1237035794973560834 |
| Rule name: | win_stop_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.stop. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.