djvu | e7cf7131e4c2578bb51fe33d2b6670622233c651a86827a461aa7b081e19b99e

General

Target

file
Size

227KB
Sample

230917-v4e3vaec63
MD5

7c5940c3eb79c3a97f4e98f1a8dac782
SHA1

906603a5e1b79584844fffe441af49bde89f73ce
SHA256

e7cf7131e4c2578bb51fe33d2b6670622233c651a86827a461aa7b081e19b99e
SHA512

5debcb8dd3b8fd783a177625c0744f36fbaa86058b67b84a9ffb8e8c57a41e0f980a86ffcdca991b9d7d49b7b34a87e99b840c8fb5d2ffecb53b8d2ba718d9fb
SSDEEP

3072:gEs7fZA+gkMbHfHWhv5zbSftq4SovLD8h1w:0fm+gz7fuVuY42h

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32

Extracted

Family

djvu

C2

http://zexeq.com/raud/get.php

http://zexeq.com/lancer/get.php

Attributes

extension
.wwza
offline_id
LtYnlJvK0hICyOCeum6Tv4pbia9jcIGHVgA3Xht1
payload_url
http://colisumy.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-xoUXGr6cqT Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0789JOsie

rsa_pubkey.plain

Extracted

Family

redline

Botnet

lux3

C2

176.123.9.142:14845

Attributes

auth_value
e94dff9a76da90d6b000642c4a52574b

Extracted

Family

redline

C2

38.181.25.43:3325

Attributes

auth_value
082cde17c5630749ecb0376734fe99c9

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.38.95.107:42494

Attributes

auth_value
3a050df92d0cf082b2cdaf87863616be

Targets

- Target
  
  file
- Size
  
  227KB
- MD5
  
  7c5940c3eb79c3a97f4e98f1a8dac782
- SHA1
  
  906603a5e1b79584844fffe441af49bde89f73ce
- SHA256
  
  e7cf7131e4c2578bb51fe33d2b6670622233c651a86827a461aa7b081e19b99e
- SHA512
  
  5debcb8dd3b8fd783a177625c0744f36fbaa86058b67b84a9ffb8e8c57a41e0f980a86ffcdca991b9d7d49b7b34a87e99b840c8fb5d2ffecb53b8d2ba718d9fb
- SSDEEP
  
  3072:gEs7fZA+gkMbHfHWhv5zbSftq4SovLD8h1w:0fm+gz7fuVuY42h
Score

10^/10

djvu lgoogloader redline smokeloader logsdiller cloud (tg: @logsdillabot)lux3 backdoor discovery downloader infostealer ransomware trojan
- Detected Djvu ransomware
- Detects LgoogLoader payload
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- LgoogLoader
  A downloader capable of dropping and executing other malware families.
  downloader lgoogloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2