djvu | e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e

Sharing

General

Target

E3387D3F62414FB262DA20E54D5775A647443B88CD8A0.exe
Size

3.7MB
Sample

220516-mvh45sggb2
MD5

1d31d98bb67d56dfc57dee908cb90187
SHA1

0856cef58fdd7a2c02952f36df97310efb5e560b
SHA256

e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
SHA512

e23cdb285da9242eb53a5a3eaf2b5cf40d4c65ae43c62b152c475b2f393e795a3aa55e627788191c83abe8373f7d4edafd5a2c8511e8d38466c9b21f87d919a5

Score

10^/10

Malware Config

Extracted

Family

redline

193.106.191.253:4752

178.20.47.241:23253

Attributes

auth_value
6dc858733096320e3d11256c87cea006

Extracted

Family

redline

Botnet

Cana

176.111.174.254:56328

Extracted

Family

vidar

Version

39.4

Botnet

706

https://sergeevih43.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

Ani

detuyaluro.xyz:80

Extracted

Family

redline

Botnet

Ruzki

193.233.48.58:38989

Attributes

auth_value
80c38cc7772c328c028b0e4f42a3fac6

Extracted

Family

redline

Botnet

193.106.191.182:23196

Attributes

auth_value
21351f5b8358ade7446b0c10ec81735e

Extracted

Family

redline

Botnet

test1

185.215.113.75:80

Attributes

auth_value
7ab4a4e2eae9eb7ae10f64f68df53bb3

Extracted

Family

redline

Botnet

SUSHI

65.108.101.231:14648

Attributes

auth_value
26bcdf6ae8358a98f24ebd4bd8ec3714

Extracted

Family

redline

Botnet

@humus228p

185.215.113.24:15994

Attributes

auth_value
bb99a32fdff98741feb69d524760afae

Targets

- Target
  
  E3387D3F62414FB262DA20E54D5775A647443B88CD8A0.exe
- Size
  
  3.7MB
- MD5
  
  1d31d98bb67d56dfc57dee908cb90187
- SHA1
  
  0856cef58fdd7a2c02952f36df97310efb5e560b
- SHA256
  
  e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
- SHA512
  
  e23cdb285da9242eb53a5a3eaf2b5cf40d4c65ae43c62b152c475b2f393e795a3aa55e627788191c83abe8373f7d4edafd5a2c8511e8d38466c9b21f87d919a5
Score

10^/10

djvu redline smokeloader vidar 51 706 @humus228p ani cana ruzki sushi test1 aspackv2 backdoor evasion infostealer ransomware spyware stealer suricata trojan upx
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detected Djvu ransomware

Djvu Ransomware

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine Payload

SmokeLoader

Vidar

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

Vidar Stealer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2