djvu | 3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205

Analysis

max time kernel
164s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
10-05-2022 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe
Size

262KB
MD5

991c52184801e3de9d2cf74a00febbcf
SHA1

f3eeeff5ebb09dbdc21ced35624c8dd9a466840b
SHA256

3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205
SHA512

ba93fca49ff98f2568e3938273cdaa5b8d725494de87725ca944aeeb171fad93bc5a32746196da701c065daa693177c42d824096f233ce6b99c217239777a44c

Score

10^/10

djvu smokeloader vidar 1333 backdoor ransomware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://monsutiur4.com/

http://nusurionuy5ff.at/

http://moroitomo4.net/

http://susuerulianita1.net/

http://cucumbetuturel4.com/

http://nunuslushau.com/

http://linislominyt11.at/

http://luxulixionus.net/

http://lilisjjoer44.com/

http://nikogminut88.at/

http://limo00ruling.org/

http://mini55tunul.com/

http://samnutu11nuli.com/

http://nikogkojam.org/

rc4.i32

Extracted

Family

djvu

http://ugll.org/lancer/get.php

Attributes

extension
.egfg
offline_id
QcVY9rkapJoL3nQkZAsvfTFVYLmscrM1v1QxGWt1
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-6Ti2DxXR3I Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@time2mail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0474JIjdm

rsa_pubkey.plain

Extracted

Family

vidar

Version

Botnet

1333

https://t.me/hollandracing

https://busshi.moe/@ronxik321

Attributes

profile_id
1333

Signatures

Detected Djvu ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4532-143-0x0000000002330000-0x000000000244B000-memory.dmp	family_djvu
behavioral1/memory/4984-151-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4984-153-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4984-155-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4984-158-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2568-141-0x0000000000640000-0x000000000068D000-memory.dmp	family_vidar
behavioral1/memory/2568-154-0x0000000000400000-0x00000000004FB000-memory.dmp	family_vidar

Executes dropped EXE 5 IoCs

Processes:

3023.exe3DEF.exe4F84.exe3023.exedwuewdh

pid process

4532 3023.exe
2568 3DEF.exe
1448 4F84.exe
4984 3023.exe
2592 dwuewdh
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

100 api.2ip.ua
Suspicious use of SetThreadContext 1 IoCs

Processes:

3023.exe

description pid process target process

PID 4532 set thread context of 4984 4532 3023.exe 3023.exe

pid	process
4532	3023.exe
2568	3DEF.exe
1448	4F84.exe
4984	3023.exe
2592	dwuewdh

flow	ioc
100	api.2ip.ua

description	pid	process	target process
PID 4532 set thread context of 4984	4532	3023.exe	3023.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exedwuewdh

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dwuewdh
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dwuewdh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dwuewdh

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe

pid	process
2476	3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe
2476	3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2896
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exedwuewdh

pid process

2476 3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe
2896
2896
2896
2896
2592 dwuewdh
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 2896
Token: SeCreatePagefilePrivilege 2896

pid	process
2896

description	pid	process
Token: SeShutdownPrivilege	2896
Token: SeCreatePagefilePrivilege	2896

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

3023.exe

description	pid	process	target process
PID 2896 wrote to memory of 4532	2896		3023.exe
PID 2896 wrote to memory of 4532	2896		3023.exe
PID 2896 wrote to memory of 4532	2896		3023.exe
PID 2896 wrote to memory of 2568	2896		3DEF.exe
PID 2896 wrote to memory of 2568	2896		3DEF.exe
PID 2896 wrote to memory of 2568	2896		3DEF.exe
PID 2896 wrote to memory of 1448	2896		4F84.exe
PID 2896 wrote to memory of 1448	2896		4F84.exe
PID 2896 wrote to memory of 1448	2896		4F84.exe
PID 4532 wrote to memory of 4984	4532	3023.exe	3023.exe
PID 4532 wrote to memory of 4984	4532	3023.exe	3023.exe
PID 4532 wrote to memory of 4984	4532	3023.exe	3023.exe
PID 4532 wrote to memory of 4984	4532	3023.exe	3023.exe
PID 4532 wrote to memory of 4984	4532	3023.exe	3023.exe
PID 4532 wrote to memory of 4984	4532	3023.exe	3023.exe
PID 4532 wrote to memory of 4984	4532	3023.exe	3023.exe
PID 4532 wrote to memory of 4984	4532	3023.exe	3023.exe
PID 4532 wrote to memory of 4984	4532	3023.exe	3023.exe
PID 4532 wrote to memory of 4984	4532	3023.exe	3023.exe
PID 2896 wrote to memory of 4280	2896		explorer.exe
PID 2896 wrote to memory of 4280	2896		explorer.exe
PID 2896 wrote to memory of 4280	2896		explorer.exe
PID 2896 wrote to memory of 4280	2896		explorer.exe
PID 2896 wrote to memory of 2388	2896		explorer.exe
PID 2896 wrote to memory of 2388	2896		explorer.exe
PID 2896 wrote to memory of 2388	2896		explorer.exe

C:\Users\Admin\AppData\Local\Temp\3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe
"C:\Users\Admin\AppData\Local\Temp\3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2476

C:\Users\Admin\AppData\Local\Temp\3023.exe
C:\Users\Admin\AppData\Local\Temp\3023.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Local\Temp\3023.exe
C:\Users\Admin\AppData\Local\Temp\3023.exe
2⤵
- Executes dropped EXE
PID:4984

C:\Users\Admin\AppData\Local\Temp\3DEF.exe
C:\Users\Admin\AppData\Local\Temp\3DEF.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Users\Admin\AppData\Local\Temp\4F84.exe
C:\Users\Admin\AppData\Local\Temp\4F84.exe
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4280

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2388

C:\Users\Admin\AppData\Roaming\dwuewdh
C:\Users\Admin\AppData\Roaming\dwuewdh
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3023.exe
Filesize
793KB

MD5
63af65fe36babc095e343bf05cff70cc

SHA1
97c72008b97c8d043336b76c55dd62b5b16393a8

SHA256
a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3

SHA512
07f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3023.exe
Filesize
793KB

MD5
63af65fe36babc095e343bf05cff70cc

SHA1
97c72008b97c8d043336b76c55dd62b5b16393a8

SHA256
a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3

SHA512
07f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3023.exe
Filesize
793KB

MD5
63af65fe36babc095e343bf05cff70cc

SHA1
97c72008b97c8d043336b76c55dd62b5b16393a8

SHA256
a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3

SHA512
07f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DEF.exe
Filesize
411KB

MD5
4d4aacaaac0146811970c85ce456cc2a

SHA1
bb25d5c6d7a9cc289c5195e13b2a0575289e6134

SHA256
771e19ccac62a39284a2e7e6929b5b3d770c151f0e1e79b54a987e41a02595e9

SHA512
4a0483cb4622240c6d9ad321e3e653f8bb0bc983feb20237473a63865eb5b284710081a06e563af5be69416b0e019c5da22a3bd6fd0dc91f6c009f01032ddef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DEF.exe
Filesize
411KB

MD5
4d4aacaaac0146811970c85ce456cc2a

SHA1
bb25d5c6d7a9cc289c5195e13b2a0575289e6134

SHA256
771e19ccac62a39284a2e7e6929b5b3d770c151f0e1e79b54a987e41a02595e9

SHA512
4a0483cb4622240c6d9ad321e3e653f8bb0bc983feb20237473a63865eb5b284710081a06e563af5be69416b0e019c5da22a3bd6fd0dc91f6c009f01032ddef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F84.exe
Filesize
583KB

MD5
6dc93b1c4f33daa01c3820905e7a46d7

SHA1
164fa25aa71ae510efa8fa525c00a9a650920596

SHA256
064a2978517c3f85867bd6219e4017420be47181fd4d2b6b26e9f29312482bdc

SHA512
8074970f179fb6307ac1898e490763c5a2a53ff97d739a1d66f83253a1a48ddb5e811162ae80f3d22ff352dde0080a829493376f40e116c2b85018dcc52f0a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F84.exe
Filesize
583KB

MD5
6dc93b1c4f33daa01c3820905e7a46d7

SHA1
164fa25aa71ae510efa8fa525c00a9a650920596

SHA256
064a2978517c3f85867bd6219e4017420be47181fd4d2b6b26e9f29312482bdc

SHA512
8074970f179fb6307ac1898e490763c5a2a53ff97d739a1d66f83253a1a48ddb5e811162ae80f3d22ff352dde0080a829493376f40e116c2b85018dcc52f0a42

Download Submit
C:\Users\Admin\AppData\Roaming\dwuewdh
Filesize
262KB

MD5
991c52184801e3de9d2cf74a00febbcf

SHA1
f3eeeff5ebb09dbdc21ced35624c8dd9a466840b

SHA256
3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205

SHA512
ba93fca49ff98f2568e3938273cdaa5b8d725494de87725ca944aeeb171fad93bc5a32746196da701c065daa693177c42d824096f233ce6b99c217239777a44c

Download Submit
C:\Users\Admin\AppData\Roaming\dwuewdh
Filesize
262KB

MD5
991c52184801e3de9d2cf74a00febbcf

SHA1
f3eeeff5ebb09dbdc21ced35624c8dd9a466840b

SHA256
3d2847fe50324aeb276be3e268b935ce6994223ee694c6dd7fe3e9d4eae2c205

SHA512
ba93fca49ff98f2568e3938273cdaa5b8d725494de87725ca944aeeb171fad93bc5a32746196da701c065daa693177c42d824096f233ce6b99c217239777a44c

Download Submit
memory/1448-144-0x0000000000000000-mapping.dmp

Download
memory/1448-149-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1448-148-0x0000000000610000-0x000000000064A000-memory.dmp

Filesize
232KB

Download
memory/1448-147-0x00000000007E7000-0x0000000000813000-memory.dmp

Filesize
176KB

Download
memory/2388-157-0x0000000000000000-mapping.dmp

Download
memory/2476-130-0x00000000006F7000-0x0000000000707000-memory.dmp

Filesize
64KB

Download
memory/2476-132-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2476-131-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/2568-137-0x0000000000000000-mapping.dmp

Download
memory/2568-154-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2568-141-0x0000000000640000-0x000000000068D000-memory.dmp

Filesize
308KB

Download
memory/2568-140-0x000000000078C000-0x00000000007BA000-memory.dmp

Filesize
184KB

Download
memory/2592-163-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-161-0x0000000000827000-0x0000000000837000-memory.dmp

Filesize
64KB

Download
memory/2592-162-0x00000000006E0000-0x00000000006E9000-memory.dmp

Filesize
36KB

Download
memory/2896-164-0x0000000002940000-0x0000000002956000-memory.dmp

Filesize
88KB

Download
memory/2896-133-0x0000000000640000-0x0000000000656000-memory.dmp

Filesize
88KB

Download
memory/4280-156-0x0000000000000000-mapping.dmp

Download
memory/4532-142-0x00000000021E1000-0x0000000002272000-memory.dmp

Filesize
580KB

Download
memory/4532-143-0x0000000002330000-0x000000000244B000-memory.dmp

Filesize
1.1MB

Download
memory/4532-134-0x0000000000000000-mapping.dmp

Download
memory/4984-151-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4984-158-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4984-155-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4984-153-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4984-150-0x0000000000000000-mapping.dmp

Download