djvu | ed4c8f72e049a22a51ff3d1b871fb42c1e333d4831710b7180e040d5a27a8b24

General

Target

SecuriteInfo.com.Mal.GandCrypt-A.26403.26463
Size

176KB
Sample

210331-lhhpkr3an6
MD5

de276c3b5b196028e89b37f04230a39d
SHA1

77df36a5cccf073b4fb998efe4e42df8b78e3277
SHA256

ed4c8f72e049a22a51ff3d1b871fb42c1e333d4831710b7180e040d5a27a8b24
SHA512

0268a4deb27a2874a7796086e1635b325ac98d2a83d93521a8b3fb7fc3142d3165a55724b411bf5934a1c80c7096374690afebf4edbf0d57a954343de4a5a4ea

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/

rc4.i32

Targets

- Target
  
  SecuriteInfo.com.Mal.GandCrypt-A.26403.26463
- Size
  
  176KB
- MD5
  
  de276c3b5b196028e89b37f04230a39d
- SHA1
  
  77df36a5cccf073b4fb998efe4e42df8b78e3277
- SHA256
  
  ed4c8f72e049a22a51ff3d1b871fb42c1e333d4831710b7180e040d5a27a8b24
- SHA512
  
  0268a4deb27a2874a7796086e1635b325ac98d2a83d93521a8b3fb7fc3142d3165a55724b411bf5934a1c80c7096374690afebf4edbf0d57a954343de4a5a4ea
Score

10^/10

smokeloader backdoor discovery persistence trojan djvu tofsee vidar bootkit evasion ransomware spyware stealer
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  evasion
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Creates new service(s)
  persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2