General
-
Target
5441c3d3300cc1bd9cf3ad9277b148d7.bin
-
Size
147KB
-
Sample
230222-bn7ndahc69
-
MD5
56743ad85e2d881508a9949ccbd46fba
-
SHA1
8732aa131485243d26ef5cb0f2a6b6fb26e82e4f
-
SHA256
1baed7b6f7419f92bb36486895514e8856991455e29e67af39090bac0860b9d5
-
SHA512
bbae3d90ef8696ac8ad434f4073ccc1f6556011c5d06ac319a53478ae42782c142e1b7d1533f77800d9184464e158e4b9e2a52321a541d015c110966e0bdeafd
-
SSDEEP
3072:xue4xlhRYRpb5RIGiTzn3jg/rJ6rZvFqkaywPd+HFP:xue4XhRwpbJojg/9ucGlP
Malware Config
Extracted
djvu
http://jiqaz.com/lancer/get.php
-
extension
.iotr
-
offline_id
O5Ml6uMfuo0gYusk48e0q49EQlFERyL5eSVQmVt1
-
payload_url
http://uaery.top/dl/build2.exe
http://jiqaz.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-vdhH9Qcpjj Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0651JOsie
Extracted
vidar
2.6
19
-
profile_id
19
Targets
-
-
Target
76ada160c9de1605419ffc09b2c91716b975da0cf9be53a4ed12776cad0d174d.exe
-
Size
202KB
-
MD5
5441c3d3300cc1bd9cf3ad9277b148d7
-
SHA1
76bd564a9aa0515cb6ffdc4a2394076538879b47
-
SHA256
76ada160c9de1605419ffc09b2c91716b975da0cf9be53a4ed12776cad0d174d
-
SHA512
c3b695b921ac9c9eaa7d3ee4362fd12378ded805ec12409405d3ef8af213ff2c92e45f227be034e6a061acb973df949d288410e782a3b79270e82b08fdfbf3f3
-
SSDEEP
3072:Dlrj0jePLvA2velimYAXB5EgIxTrIsE5ohcqqqe8798yWAkM:FjMQLqiwuxxDE5ohcqj/
Score10/10-
Detected Djvu ransomware
-
Detects Smokeloader packer
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Modifies file permissions
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-