djvu | c5027e2f50b589839ea665ef65e8686f4eb3a8bcd8f4bd5282f89437e03fbebe

Sharing

Copy URL

Twitter E-mail

General

Target

c5027e2f50b589839ea665ef65e8686f4eb3a8bcd8f4bd5282f89437e03fbebe
Size

3.1MB
Sample

220314-q4nb1aaadn
MD5

5271083a9f29fff118ef0d1cc56e4cee
SHA1

25b6c25525b802ba3ce70d9ed4a2d8cc7610fd78
SHA256

c5027e2f50b589839ea665ef65e8686f4eb3a8bcd8f4bd5282f89437e03fbebe
SHA512

4ceea9d7db66ec6e2ae348fca6e2071e59ebd032c46a9724b6689b4d2ede37c4a907ee57855a5e9bfc1dbf87cd3f46857d21da5871e87b5d414edeb435ce164f

Malware Config

Extracted

Family

redline

5.206.224.220:81

185.11.73.22:45202

Attributes

auth_value
4330eefe7c0f986c945c8babe3202f28

Extracted

Family

redline

Botnet

redline

193.106.191.253:4752

Attributes

auth_value
c6b533a917f5c6a3e6d1afd9c29f81c6

Extracted

Family

redline

Botnet

da da

86.107.197.196:63065

Attributes

auth_value
9b1654b30797c210c85bd0890936a5b9

Extracted

Family

tofsee

patmushta.info

ovicrush.cn

Extracted

Family

redline

Botnet

@ywqmre

185.215.113.24:15994

Attributes

auth_value
5a482aa0be2b5e01649fe7a3ce943422

Extracted

Family

smokeloader

Version

2020

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

rc4.i32

Extracted

Family

vidar

Version

39.4

Botnet

706

https://sergeevih43.tumblr.com/

Attributes

profile_id
706

Extracted

Family

vidar

Version

50.7

Botnet

1177

https://ruhr.social/@sam9al

https://koyu.space/@samsa2l

Attributes

profile_id
1177

Extracted

Family

redline

Botnet

DomAni2

flestriche.xyz:80

Targets

- Target
  
  c5027e2f50b589839ea665ef65e8686f4eb3a8bcd8f4bd5282f89437e03fbebe
- Size
  
  3.1MB
- MD5
  
  5271083a9f29fff118ef0d1cc56e4cee
- SHA1
  
  25b6c25525b802ba3ce70d9ed4a2d8cc7610fd78
- SHA256
  
  c5027e2f50b589839ea665ef65e8686f4eb3a8bcd8f4bd5282f89437e03fbebe
- SHA512
  
  4ceea9d7db66ec6e2ae348fca6e2071e59ebd032c46a9724b6689b4d2ede37c4a907ee57855a5e9bfc1dbf87cd3f46857d21da5871e87b5d414edeb435ce164f
Score

10^/10

djvu onlylogger redline smokeloader tofsee vidar 1177 706 @ywqmre da da redline aspackv2 backdoor evasion infostealer loader persistence ransomware stealer suricata trojan domani2 upx
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata
- OnlyLogger Payload
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detected Djvu ransomware

Djvu Ransomware

Modifies Windows Defender Real-time Protection settings

OnlyLogger

RedLine

RedLine Payload

SmokeLoader

Tofsee

Vidar

suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

OnlyLogger Payload

Vidar Stealer

ASPack v2.12-2.42

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

UPX packed file

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2