djvu | e90a190d50682a2c0cd77d9a395c75243d404c88bd779b3812dadc0dad7b2b01

Sharing

Copy URL

Twitter E-mail

General

Target

d246b71e5df1eb4c2a7e617404aee3d4bin_JC.zip
Size

133KB
Sample

230917-lzcbqabg64
MD5

0638de0039870b9f1e12c737b57d75b6
SHA1

739d5f5581d9d6351a8bbb8a636a44ee28d7f41f
SHA256

e90a190d50682a2c0cd77d9a395c75243d404c88bd779b3812dadc0dad7b2b01
SHA512

035272c928f639e124204ecccf32dcaf858396999f0006d76146cbaad54aec80172fd7e59d71010cafbecef7391ca9ea18b172e7e66f1b954cda2709c672a6ba
SSDEEP

3072:p+KrFr094v1rG07kTMP4vnWXWGcyTQaaPk+dahywar3nZDlrd2y3:pt90WG8kvvYcFc+gh63Bloy3

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

http://gudintas.at/tmp/

http://pik96.ru/tmp/

http://rosatiauto.com/tmp/

http://kingpirate.ru/tmp/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/raud/get.php

http://zexeq.com/lancer/get.php

Attributes

extension
.ooza
offline_id
dhL6XvokZotUzL67Na5WfNIBufODsob7eYc3mzt1
payload_url
http://colisumy.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-XA1LckrLRP Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0785Okhu

rsa_pubkey.plain

Extracted

Family

redline

Botnet

lux3

176.123.9.142:14845

Attributes

auth_value
e94dff9a76da90d6b000642c4a52574b

Extracted

Family

redline

38.181.25.43:3325

Attributes

auth_value
082cde17c5630749ecb0376734fe99c9

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

51.38.95.107:42494

Attributes

auth_value
3a050df92d0cf082b2cdaf87863616be

Extracted

Family

vidar

Version

5.6

Botnet

7b01483643983171e949f923c5bc80e7

https://steamcommunity.com/profiles/76561199550790047

https://t.me/bonoboaz

Attributes

profile_id_v2
7b01483643983171e949f923c5bc80e7
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/103.0.0.0

Extracted

Family

smokeloader

Botnet

pub1

Targets

- Target
  
  110ca627ec28db642faf112f5ff6d36694b68b3616510dca552a04c05cfa1cc6.exe
- Size
  
  196KB
- MD5
  
  d246b71e5df1eb4c2a7e617404aee3d4
- SHA1
  
  57ae3ea47c9b3ac954a69ea0272d0b311e97c129
- SHA256
  
  110ca627ec28db642faf112f5ff6d36694b68b3616510dca552a04c05cfa1cc6
- SHA512
  
  c1cf471a2e3c80ccd51d1b91f931008a660ccf9566340d31426a800c31db79c6dc0978f2a19b9131380e3c8a7d5cc2162775e13db5cef992e5e9fb6a4dacd731
- SSDEEP
  
  3072:TOhzzLL/JYhibm2wUgur/U5f0vgbqu8FlpO56VpPT3R49:GzzLzOh6VwxuzU5fbbp8fbvPTh4
Score

10^/10

djvu lgoogloader redline smokeloader vidar 7b01483643983171e949f923c5bc80e7 logsdiller cloud (tg: @logsdillabot)lux3 backdoor discovery downloader infostealer persistence ransomware stealer trojan glupteba pub1 dropper evasion loader rootkit spyware
- Detected Djvu ransomware
- Detects LgoogLoader payload
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- LgoogLoader
  A downloader capable of dropping and executing other malware families.
  downloader lgoogloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2