General
Target: 95b17fdd3066fc39a97ec6a988004b73.bin
Size: 147KB
Sample: 230605-n8hwzaha2z
MD5: b513920919878a2e46297867de141a93
SHA1: e667e508ace2f5c8e6bedb38e655c2468cb8934c
SHA256: 52fd6f75036ed6149e36a7ab1e444b4e2c1b1d86de9ad650a2f1078eec24583e
SHA512: 779de9d5bec2f70f02d7bd7761c0734526f5f60b01ea0018f4bed4796d4a6e8eadab728e5ddb32788161491d6dba0bc6b8b7d71ec4d80e46b2cc94a0ea4595f1
SSDEEP: 3072:D0fV3omL56P3vDGrsrxrLgByhNNAT0yL6+hrLQ7cwSB3:DKYm56P3yah6YeTVhHQ7cwY
Static task: static1
Behavioral task: behavioral1
  Sample: 209b858f3b9abafb8430c8f3110bd3ec104a314c53f94d95d68c8e9733b40dc6.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 209b858f3b9abafb8430c8f3110bd3ec104a314c53f94d95d68c8e9733b40dc6.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: smokeloader (version 2022)
Extracted: djvu
  http://zexeq.com/raud/get.php
  http://zexeq.com/lancer/get.php
  extension: .neon
  offline_id: 0vTA6MA1m5nzrdffOCJC7YmAa4Lp6YNN8lOJ4mt1
  payload_url: http://colisumy.com/dl/build2.exe
  payload_url: http://zexeq.com/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-vc50LyB2yb Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0725JOsie
Extracted: smokeloader (pub1)
Extracted: vidar (version 4.1)
  77a63e71a10ee1d81a28b5c866b75922
  https://steamcommunity.com/profiles/76561199510444991
  https://t.me/task4manager
  profile_id_v2: 77a63e71a10ee1d81a28b5c866b75922
  user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.34
Extracted: amadey (version 3.67)
  45.9.74.80/0bjdn2Z/index.php
Targets
Target: 209b858f3b9abafb8430c8f3110bd3ec104a314c53f94d95d68c8e9733b40dc6.exe
Size: 237KB
MD5: 95b17fdd3066fc39a97ec6a988004b73
SHA1: e388d35a4707ea6c13e8837e18facf7fd6d73d50
SHA256: 209b858f3b9abafb8430c8f3110bd3ec104a314c53f94d95d68c8e9733b40dc6
SHA512: 1a206e68db40ebe2ba18a69cbb599be09f89de2829f35387056ca53f3cbd352dc75e508e1e5b983c382e9b6fa964557b8b496df4066ddf5d0b9f86732710ec53
SSDEEP: 3072:n43MmqbNUVnHzUQYYXirzwqgJ3Rk/+eFfMNr1egDhFJNnhYH:43IhU9YiY1Gk/+4fMNr1xFF
- Detected Djvu ransomware
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies file permissions
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext