djvu | 823b93d7c68dd22fabed1dc210435942db33b170860edc640630202833bbd398

General

Target

64075e8da3af0b198b9786b1d35c0b92.bin
Size

638KB
Sample

230312-bsvjlscb88
MD5

dcf5319a5ed5308bb98aaad63eeed32b
SHA1

0aa597d7f3d14f4a7b2bc77bf6cadbc87a422c9c
SHA256

823b93d7c68dd22fabed1dc210435942db33b170860edc640630202833bbd398
SHA512

541f5861358b0adfadd9b066b98bf1d8efb28f022f0ab3638a051d19fcca2535acf032b9c08138b57a4e716be81fb0b77764907e32aef2949c83d5e2444acfd2
SSDEEP

12288:210yr1te8IT71q8H5na+bzJGf8j/PW4qEJBUPcLEkLYe88lPabb+0ipz0jBQT2xk:dC1tenZq8ZzU0jW4vBHLY+Mb+lyjB0L7

Score

10^/10

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/test2/get.php

Attributes

extension
.coaq
offline_id
fTU4hYOJ0niv7WAg9utRTzxXv2TcoEvGPJhzIot1
payload_url
http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-hhA4nKfJBj Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0659JOsie

rsa_pubkey.plain

Extracted

Family

vidar

Version

2.9

Botnet

694f12963bedb0c6040fb3c74aac71e5

C2

https://t.me/nemesisgrow

https://steamcommunity.com/profiles/76561199471222742

http://65.109.12.165:80

Attributes

profile_id_v2
694f12963bedb0c6040fb3c74aac71e5

Targets

- Target
  
  525e0d1a709248c6b34c0e4e42860bf90365e51ed426a9337d2ef7cd4c2674a5.exe
- Size
  
  707KB
- MD5
  
  64075e8da3af0b198b9786b1d35c0b92
- SHA1
  
  82a2bfefa3dd772499d15bfed75ef242da754022
- SHA256
  
  525e0d1a709248c6b34c0e4e42860bf90365e51ed426a9337d2ef7cd4c2674a5
- SHA512
  
  218358d32006a45cdb442b2f231ca38e12f5a7190b74e41cfd9ff9f0ebbed0295b6d0b18e75bac01acdb4bab255e33c2cbeec509af41def510dc82764ed6e85e
- SSDEEP
  
  12288:EEEcaGsIT3kKZykULh/6XogEOvliUGk9wrDR60GFip1MrJdPofjCRdvg4Klj9+:EyMIT3DQ6Y1hDR607p1vf+f5Aj9
Score

10^/10

djvu vidar 694f12963bedb0c6040fb3c74aac71e5 discovery persistence ransomware spyware stealer
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2