djvu | 66e523d5776ab9a33199942bce36b9ce642e07e5266eeb0f6f80e9a5c1a0e0d8

Sharing

Copy URL

Twitter E-mail

General

Target

66e523d5776ab9a33199942bce36b9ce642e07e5266eeb0f6f80e9a5c1a0e0d8.bin
Size

198KB
Sample

220617-w92pgachhm
MD5

4162ac037f86abc4fcbe342bc957e971
SHA1

7f9cae6bb0f484e76efa718b0f6d5a63c626905c
SHA256

66e523d5776ab9a33199942bce36b9ce642e07e5266eeb0f6f80e9a5c1a0e0d8
SHA512

2c37f26e2e41bfbf9af0ef18a77bef741efb73fafec292b29cd46320b3d8680746249fb66dc7b11e5f9c5e3467ec7b8887c6d3c85a7f5ed0559a03bd3850749c

Malware Config

Extracted

Family

privateloader

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

http://212.193.30.45/proxies.txt

http://212.193.30.29/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

212.193.30.21

http://45.144.225.57/server.txt

85.202.169.116

Attributes

payload_url
http://193.233.185.125/download/NiceProcessX64.bmp

http://193.233.185.125/download/NiceProcessX32.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://193.56.146.76/Proxytest.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://privacy-tools-for-you-780.com/downloads/toolspab3.exe

http://luminati-china.xyz/aman/casper2.exe

https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe

http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe

https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp

http://185.215.113.208/ferrari.exe

https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp

https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp

https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://mnbuiy.pw/adsli/note8876.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://luminati-china.xyz/aman/casper2.exe

https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe

http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe

https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

vidar

Version

52.5

Botnet

1448

https://t.me/tg_randomacc

https://indieweb.social/@ronxik333

Attributes

profile_id
1448

Extracted

Family

vidar

Version

52.6

Botnet

937

https://t.me/tg_dailylessons

https://busshi.moe/@olegf9844xx

Attributes

profile_id
937

Extracted

Family

nymaim

37.0.8.39

31.210.20.149

212.192.241.16

Extracted

Family

djvu

http://abababa.org/test3/get.php

Attributes

extension
.bbii
offline_id
fE1iyGbFRSHwEwVlLZsE3FvHU8UKd1wubsS4CFt1
payload_url
http://rgyui.top/dl/build2.exe

http://abababa.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-KXqYlvxcUy Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0498JIjdm

rsa_pubkey.plain

Extracted

Family

redline

Botnet

8888

103.89.90.61:12036

Attributes

auth_value
0234674e8f564170371b0b0ab9952ce1

Extracted

Family

redline

Botnet

Cryptexxx

185.106.92.174:13804

Attributes

auth_value
d42a185dfec14082755998da317b5397

Targets

- Target
  
  66e523d5776ab9a33199942bce36b9ce642e07e5266eeb0f6f80e9a5c1a0e0d8.bin
- Size
  
  198KB
- MD5
  
  4162ac037f86abc4fcbe342bc957e971
- SHA1
  
  7f9cae6bb0f484e76efa718b0f6d5a63c626905c
- SHA256
  
  66e523d5776ab9a33199942bce36b9ce642e07e5266eeb0f6f80e9a5c1a0e0d8
- SHA512
  
  2c37f26e2e41bfbf9af0ef18a77bef741efb73fafec292b29cd46320b3d8680746249fb66dc7b11e5f9c5e3467ec7b8887c6d3c85a7f5ed0559a03bd3850749c
Score

10^/10

privateloader evasion loader main spyware stealer suricata trojan djvu nymaim redline vidar 1448 8888 937 cryptexxx discovery infostealer persistence ransomware themida vmprotect
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NyMaim
  NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
  trojan nymaim
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
  suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
  suricata
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2