djvu | 72efbfa5972765d3525084a4c5724a14a8e0e996e209ffd26c10b98784896f17

General

Target

file.exe
Size

230KB
Sample

221019-g928nsehe2
MD5

0a360c78eb57f0ebc3970b448bc8c4e6
SHA1

b658b50853e13368508a55a7c98676c2bd7419a0
SHA256

72efbfa5972765d3525084a4c5724a14a8e0e996e209ffd26c10b98784896f17
SHA512

0e599e01f8dd67a0e0a0b4fcf74b631a16bb30fb6dc4680c3dd2c96046b874046a4f9e14862a24421da25c9c4f2b5b6dbb7dd35787cabe8e906dc164a07148fb
SSDEEP

3072:LVinP8hhO8Uez8ZgvSLo0SlyWZTjFy3+RBk48ts9f9WzrE366AAbfKHDNZK/:LAPqFQ+aLglyk8OBXVWE35KHxZ

Score

10^/10

Malware Config

Extracted

Family

djvu

C2

http://winnlinne.com/lancer/get.php

Attributes

extension
.tury
offline_id
Uz66zEbmA32arcxwT81zZhkb23026oHz5iSp8qt1
payload_url
http://rgyui.top/dl/build2.exe

http://winnlinne.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-o7UXxOstmw Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0585Jhyjd

rsa_pubkey.plain

Extracted

Family

vidar

Version

55

Botnet

517

C2

https://t.me/truewallets

https://mas.to/@zara99

http://116.203.10.3:80

Attributes

profile_id
517

Targets

- Target
  
  file.exe
- Size
  
  230KB
- MD5
  
  0a360c78eb57f0ebc3970b448bc8c4e6
- SHA1
  
  b658b50853e13368508a55a7c98676c2bd7419a0
- SHA256
  
  72efbfa5972765d3525084a4c5724a14a8e0e996e209ffd26c10b98784896f17
- SHA512
  
  0e599e01f8dd67a0e0a0b4fcf74b631a16bb30fb6dc4680c3dd2c96046b874046a4f9e14862a24421da25c9c4f2b5b6dbb7dd35787cabe8e906dc164a07148fb
- SSDEEP
  
  3072:LVinP8hhO8Uez8ZgvSLo0SlyWZTjFy3+RBk48ts9f9WzrE366AAbfKHDNZK/:LAPqFQ+aLglyk8OBXVWE35KHxZ
Score

10^/10

smokeloader backdoor trojan djvu vidar 517 collection discovery persistence ransomware spyware stealer
- Detected Djvu ransomware
- Detects Smokeloader packer
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2