djvu | 38957dd23de6288c1a0d84556d4c55843a33e0b10a96be0d209a821f2978a889

General

Target

1.bin.bin.zip
Size

642KB
Sample

230425-vzld3adf8x
MD5

fb01fde5df1cb1a7cf4328fed8c56c25
SHA1

35e0e57e39e6048d3c3568c000a02f0c66826a38
SHA256

38957dd23de6288c1a0d84556d4c55843a33e0b10a96be0d209a821f2978a889
SHA512

c430007a8bb2a4fbd240caf8248faa0782c0e134f14ee079113774309d2e70bfd9ed817a56ff69ea872439a0487976f7317d604db3ac930f8e62fe80bbe4ae01
SSDEEP

12288:+ZuV9lsFMOhYj2/NsJ/M438YTsMN9WNNgstvVPSn6j6q26DErohi7oWqqgd1rxCr:MuV9OGI60DPhvk6b26Zh2oqgd1rx1ITD

Score

10^/10

Malware Config

Extracted

Family

djvu

C2

http://zexeq.com/lancer/get.php

Attributes

extension
.coty
offline_id
O8Ao46dcCReRPC4I1PGMYsRFFc9WI5eOp0O3MFt1
payload_url
http://colisumy.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-EPBZCVAS8s Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0692JOsie

rsa_pubkey.plain

Extracted

Family

vidar

Version

3.6

Botnet

5cb879265de0011bfc7588d5d251aee6

C2

https://steamcommunity.com/profiles/76561199499188534

https://t.me/nutalse

Attributes

profile_id_v2
5cb879265de0011bfc7588d5d251aee6
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36

Targets

- Target
  
  1.bin.bin
- Size
  
  742KB
- MD5
  
  d24c537fb5eb6d0971b50bd0a7ae069e
- SHA1
  
  1e48205e2e4e8e013e4010b7bb99d642567a5860
- SHA256
  
  505b1ba56111898bec9423264ff12643c5e793fbcdbc2559bc9694cee990bec1
- SHA512
  
  e7c8cb2e4a1f0b0faeba22e62588310990a56a89e32ba61b056283b85ad4f091843b645414527d48410601569d4be1e68cbe07d7cb74ebaccc552acf669a826b
- SSDEEP
  
  12288:oKVoCbfsRzMz20j5Ex89MIgjgzwgWv9zXcgaHCuIAxOZK6VM9D7XB1:oKVoCbEgjexp9UUryHCuI2OZBqR
Score

10^/10

djvu vidar 5cb879265de0011bfc7588d5d251aee6 discovery persistence ransomware stealer spyware
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2