djvu | 596be482747a9c9fe559196b0a389de92eeeea2b305777c2d1800f9c014c22ce

General

Target

3edbc9c7553dad54925210b7f9ece36c.exe
Size

301KB
Sample

231219-z4frladdcr
MD5

3edbc9c7553dad54925210b7f9ece36c
SHA1

57014d3163d27b21075c37d993c14a56cf7208da
SHA256

596be482747a9c9fe559196b0a389de92eeeea2b305777c2d1800f9c014c22ce
SHA512

2944c936c953478fdc496b90428296080f49f91de136b36c88ef95b330ad8300d560291d7d14b98e168b8f589482e6f4cb0ad08102c2f16721d0d54f7c1773b1
SSDEEP

6144:jTisyjd2Gdq45dCnn0jiXXg/RHnpVeVs4:/VGYGs45dCnnFXkVeu

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

djvu

C2

http://zexeq.com/test1/get.php

Attributes

extension
.loqw
offline_id
NrqpaQRhQqq5l2tBPp1QS34I3ME2IKsAlZ0A9pt1
payload_url
http://brusuax.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-MhbiRFXgXD Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0838ASdw

rsa_pubkey.plain

Targets

- Target
  
  3edbc9c7553dad54925210b7f9ece36c.exe
- Size
  
  301KB
- MD5
  
  3edbc9c7553dad54925210b7f9ece36c
- SHA1
  
  57014d3163d27b21075c37d993c14a56cf7208da
- SHA256
  
  596be482747a9c9fe559196b0a389de92eeeea2b305777c2d1800f9c014c22ce
- SHA512
  
  2944c936c953478fdc496b90428296080f49f91de136b36c88ef95b330ad8300d560291d7d14b98e168b8f589482e6f4cb0ad08102c2f16721d0d54f7c1773b1
- SSDEEP
  
  6144:jTisyjd2Gdq45dCnn0jiXXg/RHnpVeVs4:/VGYGs45dCnnFXkVeu
Score

10^/10

djvu rhadamanthys smokeloader zgrat pub1 backdoor discovery evasion persistence ransomware rat stealer themida trojan
- Detect ZGRat V1
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2