djvu | ff43ee5ecaf9dc20c646d933753880e5fb8f06531f4f38db71b1f62f7e725083

General

Target

ff43ee5ecaf9dc20c646d933753880e5fb8f06531f4f38db71b1f62f7e725083
Size

794KB
Sample

220523-ygckzsgfck
MD5

063fc270274be8d3d872311c46985add
SHA1

c413add626f4ce5c9105a11e7a4e7c0336274eab
SHA256

ff43ee5ecaf9dc20c646d933753880e5fb8f06531f4f38db71b1f62f7e725083
SHA512

a10ace69494d7c255a01e2d9df65d95854e6ad7ea5d77ed6712434fc40b9d5184ccf25e8c9c2dbbb748de6b07a8f7cacc3df8430b054c6a20f5733c2aed8d053

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

52.1

Botnet

517

C2

https://t.me/verstappenf1r

https://climatejustice.social/@ronxik312

Attributes

profile_id
517

Targets

- Target
  
  ff43ee5ecaf9dc20c646d933753880e5fb8f06531f4f38db71b1f62f7e725083
- Size
  
  794KB
- MD5
  
  063fc270274be8d3d872311c46985add
- SHA1
  
  c413add626f4ce5c9105a11e7a4e7c0336274eab
- SHA256
  
  ff43ee5ecaf9dc20c646d933753880e5fb8f06531f4f38db71b1f62f7e725083
- SHA512
  
  a10ace69494d7c255a01e2d9df65d95854e6ad7ea5d77ed6712434fc40b9d5184ccf25e8c9c2dbbb748de6b07a8f7cacc3df8430b054c6a20f5733c2aed8d053
Score

10^/10

djvu vidar 517 discovery persistence ransomware spyware stealer suricata
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
  suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
  suricata
- suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
  suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
  suricata
- suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
  suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
  suricata
- suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
  suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
  suricata
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1