General

  • Target

    NEAS.e5e6b125092dd7f1873b136a00eeb3c0.vir

  • Size

    71KB

  • MD5

    e5e6b125092dd7f1873b136a00eeb3c0

  • SHA1

    e465a00c367c8f4a0994ba8ef445a182a3ec669a

  • SHA256

    4d16e234395eecfdface73c1e6edab3b1c19a427735b2cbcc885b978e064335d

  • SHA512

    9b590e51e7325d206c77c9c738d5eef23e02b1b40c2e30ffb8259cda42fd7f8dcb7cf4b1efba27a61e7488fb09c1694a5ab3445fbcc5a4186475911fbb56ab36

  • SSDEEP

    1536:fsK+1/x3UWdtDwCnNC+6g7/5fI/giXHFH5/sL5fjikx+We/D0nNC+/H1IH9HVkUP:fs5UWdtDwCnNC+6IxslZejikxRCD0nN2

Score
10/10

Malware Config

Extracted

Ransom Note
General

  • Target

    ca81a9d68d21a4ce49520bc614a1f005c1c55efa8ae2d233909764a6b0ea5353

  • Size

    717KB

  • Sample

    230331-1534ysfc3s

  • MD5

    fadb8e9e15078704aaed60981b97dbb4

  • SHA1

    a774a65f0cf00ae792e752fb29ff794c8572bf9a

  • SHA256

    ca81a9d68d21a4ce49520bc614a1f005c1c55efa8ae2d233909764a6b0ea5353

  • SHA512

    da3be2241c1c5ef743fdb0a60754e17fbdcff0064e7de130e19ba052e75ac68213b931f66326d7414ebf06e95d3fe31c8ea6055619b8cce22d8dc1e3291f3e74

  • SSDEEP

    12288:iLrxtEomlCuJmM15WAK1OVCv77sKaZW7jjUxTA4B9TD1+anO26tXdr:OTEplC+JWAVVCjoW7jOtB9TDM6Z0X5

Score
10/10

djvu vidar 5df88deb5dde677ba658b77ad5f60248 discovery persistence ransomware spyware stealer

Tasks

  • Static task

    static1

  • Behavioral task

    behavioral1
    Sample: ca81a9d68d21a4ce49520bc614a1f005c1c55efa8ae2d233909764a6b0ea5353.exe
    Resource: win10-20230220-en
    Platform: windows10-1703-x64
    20 signatures, 150 seconds

Malware Config

Extracted

  • Family

    djvu

  • C2

    http://zexeq.com/test2/get.php

  • Attributes

    extension: .nifr
    offline_id: FCP2fiITr4rryFhFBnA59GMgwES5CunmcbPc76t1
    payload_url: http://uaery.top/dl/build2.exe
    payload_url: http://zexeq.com/files/1/build3.exe
    ransomnote:
    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-v8HcfXTy5x Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490.
    Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0679SUjhw
    rsa_pubkey.plain

Extracted

  • Family

    vidar

  • Version

    3.2

  • Botnet

    5df88deb5dde677ba658b77ad5f60248

  • C2

    https://steamcommunity.com/profiles/76561199489580435
    https://t.me/tabootalks

  • Attributes

    profile_id_v2: 5df88deb5dde677ba658b77ad5f60248
    user_agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 OPR/91.0.4516.79

Targets

  • Target

    ca81a9d68d21a4ce49520bc614a1f005c1c55efa8ae2d233909764a6b0ea5353
    Size 717KB, Score 10/10 (hashes as listed under General above)
    djvu vidar 5df88deb5dde677ba658b77ad5f60248 discovery persistence ransomware spyware stealer

Signatures (behavioral1)

  • Detected Djvu ransomware

  • Djvu Ransomware
    Ransomware which is a variant of the STOP family. (ransomware, djvu)

  • Vidar
    Vidar is an infostealer based on Arkei stealer. (stealer, vidar)

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions (discovery)

  • Reads user/profile data of web browsers
    Infostealers often target stored browser data, which can include saved credentials etc. (spyware, stealer)

  • Accesses 2FA software files, possible credential harvesting (spyware, stealer)

  • Accesses cryptocurrency files/wallets, possible credential harvesting (spyware)

  • Adds Run key to start application (persistence)

  • Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software on the system. (discovery)

  • Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Initial Access

  • Execution

    Scheduled Task (T1053, 1 use)

  • Persistence

    Registry Run Keys / Startup Folder (T1060, 1 use)
    Scheduled Task (T1053, 1 use)

  • Privilege Escalation

    Scheduled Task (T1053, 1 use)

  • Defense Evasion

    File Permissions Modification (T1222, 1 use)
    Modify Registry (T1112, 1 use)

  • Credential Access

    Credentials in Files (T1081, 3 uses)

  • Discovery

    Query Registry (T1012, 2 uses)
    System Information Discovery (T1082, 2 uses)

  • Lateral Movement

  • Collection

    Data from Local System (T1005, 3 uses)

  • Exfiltration

  • Command and Control

  • Impact

Tasks

  • Score 1/10
    djvu vidar 5df88deb5dde677ba658b77ad5f60248 discovery persistence ransomware spyware stealer

  • Score 10/10

© 2018-2023
URLs

http://zexeq.com/test2/get.php

http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe

https://we.tl/t-v8HcfXTy5x

https://steamcommunity.com/profiles/76561199489580435

https://t.me/tabootalks

Signatures

Files

  • NEAS.e5e6b125092dd7f1873b136a00eeb3c0.vir
    .html