djvu | 37cd3dab0cdadf45521cf37e3f092a603f89c5036ca90b8cc9332146caa98c3a

General

Target

37cd3dab0cdadf45521cf37e3f092a603f89c5036ca90b8cc9332146caa98c3a
Size

202KB
Sample

230220-xpdycadg8v
MD5

a58d0bb097a487385174ef5f984beb6e
SHA1

e8eb3dafaacec463a1b4314dd548daa01d41bcc1
SHA256

37cd3dab0cdadf45521cf37e3f092a603f89c5036ca90b8cc9332146caa98c3a
SHA512

168d1ca2ca2a60c5959a765bc3f2caa921257a26932165b3d533841fe933c5a16f3e27c528a368adc27a9fba37a66b20f30d5cbece317e843a5014d3d8960061
SSDEEP

3072:liInz3sRLoA2/vxqYAXBvrm/K/cUuTFM/jJjs4sbQ5/kD2jfBoDM:UIz3cLSx8vrmiWi/jJjWM5/42LBo

Score

10^/10

Malware Config

Extracted

Family

djvu

C2

http://jiqaz.com/lancer/get.php

Attributes

extension
.iotr
offline_id
O5Ml6uMfuo0gYusk48e0q49EQlFERyL5eSVQmVt1
payload_url
http://uaery.top/dl/build2.exe

http://jiqaz.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-vdhH9Qcpjj Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0651JOsie

rsa_pubkey.plain

Extracted

Family

vidar

Version

2.6

Botnet

19

Attributes

profile_id
19

Targets

- Target
  
  37cd3dab0cdadf45521cf37e3f092a603f89c5036ca90b8cc9332146caa98c3a
- Size
  
  202KB
- MD5
  
  a58d0bb097a487385174ef5f984beb6e
- SHA1
  
  e8eb3dafaacec463a1b4314dd548daa01d41bcc1
- SHA256
  
  37cd3dab0cdadf45521cf37e3f092a603f89c5036ca90b8cc9332146caa98c3a
- SHA512
  
  168d1ca2ca2a60c5959a765bc3f2caa921257a26932165b3d533841fe933c5a16f3e27c528a368adc27a9fba37a66b20f30d5cbece317e843a5014d3d8960061
- SSDEEP
  
  3072:liInz3sRLoA2/vxqYAXBvrm/K/cUuTFM/jJjs4sbQ5/kD2jfBoDM:UIz3cLSx8vrmiWi/jJjWM5/42LBo
Score

10^/10

djvu pseudomanuscrypt rhadamanthys smokeloader vidar 19 backdoor discovery evasion loader persistence ransomware stealer trojan vmprotect
- Detect rhadamanthys stealer shellcode
- Detected Djvu ransomware
- Detects PseudoManuscrypt payload
  loader
- Detects Smokeloader packer
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- PseudoManuscrypt
  PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
  loader pseudomanuscrypt
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1