djvu | cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20

Analysis

max time kernel
4s
max time network
162s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0407f464f5383cc888945bda2afa42c6.exe
Size

723KB
MD5

0407f464f5383cc888945bda2afa42c6
SHA1

92de3404b2b42c0460565201ceaf2669bd6fc149
SHA256

cc44b762d57a9c109e4255cb94fd3f550a18bc005a45aaed1ac9c99d806e6c20
SHA512

39aabd70c7065714718c0cb91795b1e690972780e1c118cb0f71f7f481f889f1df36b2e4b17b2e791ac8ef477c69f412a00f51bde9eec9e3c7531498c5586e50
SSDEEP

12288:qKWz9fNdRDFUssQkmmhlew/2NSFaanti7JDaDN79dOCOMW+/jeV/sJ/oftN2y2Eh:nQ9pDFUs1kzhlew/uSFBtilDaDNpd3xE

Score

10^/10

djvu vidar discovery ransomware stealer

Malware Config

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdpo
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0844OSkw

rsa_pubkey.plain

Signatures

Detect Vidar Stealer 7 IoCs

stealer

resource	yara_rule
behavioral1/memory/2708-78-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6
behavioral1/memory/2708-85-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6
behavioral1/memory/2380-84-0x0000000000460000-0x00000000004AB000-memory.dmp	family_vidar_v6
behavioral1/memory/2708-83-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6
behavioral1/memory/2708-90-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6
behavioral1/memory/2708-92-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6
behavioral1/memory/2708-214-0x0000000000400000-0x000000000065E000-memory.dmp	family_vidar_v6

Detected Djvu ransomware 12 IoCs

resource	yara_rule
behavioral1/memory/2524-3-0x0000000001CE0000-0x0000000001DFB000-memory.dmp	family_djvu
behavioral1/memory/2104-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2104-8-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2104-9-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2104-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2664-35-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2664-36-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2664-49-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2664-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2664-54-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2664-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2664-58-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2876	icacls.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
9	api.2ip.ua

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 2104	2524	0407f464f5383cc888945bda2afa42c6.exe	21

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2864	2708	WerFault.exe	37

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2104	2524	0407f464f5383cc888945bda2afa42c6.exe	21
PID 2524 wrote to memory of 2104	2524	0407f464f5383cc888945bda2afa42c6.exe	21
PID 2524 wrote to memory of 2104	2524	0407f464f5383cc888945bda2afa42c6.exe	21
PID 2524 wrote to memory of 2104	2524	0407f464f5383cc888945bda2afa42c6.exe	21
PID 2524 wrote to memory of 2104	2524	0407f464f5383cc888945bda2afa42c6.exe	21
PID 2524 wrote to memory of 2104	2524	0407f464f5383cc888945bda2afa42c6.exe	21
PID 2524 wrote to memory of 2104	2524	0407f464f5383cc888945bda2afa42c6.exe	21
PID 2524 wrote to memory of 2104	2524	0407f464f5383cc888945bda2afa42c6.exe	21
PID 2524 wrote to memory of 2104	2524	0407f464f5383cc888945bda2afa42c6.exe	21
PID 2524 wrote to memory of 2104	2524	0407f464f5383cc888945bda2afa42c6.exe	21
PID 2524 wrote to memory of 2104	2524	0407f464f5383cc888945bda2afa42c6.exe	21

C:\Users\Admin\AppData\Local\Temp\0407f464f5383cc888945bda2afa42c6.exe
"C:\Users\Admin\AppData\Local\Temp\0407f464f5383cc888945bda2afa42c6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\0407f464f5383cc888945bda2afa42c6.exe
  "C:\Users\Admin\AppData\Local\Temp\0407f464f5383cc888945bda2afa42c6.exe"
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\0454c923-095f-4a02-bd5e-c2af8316dba3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2876
- - C:\Users\Admin\AppData\Local\Temp\0407f464f5383cc888945bda2afa42c6.exe
    "C:\Users\Admin\AppData\Local\Temp\0407f464f5383cc888945bda2afa42c6.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\0407f464f5383cc888945bda2afa42c6.exe
      "C:\Users\Admin\AppData\Local\Temp\0407f464f5383cc888945bda2afa42c6.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:2664
    - - C:\Users\Admin\AppData\Local\454db8b8-648b-4400-a24e-dbd1be852f85\build2.exe
        
        "C:\Users\Admin\AppData\Local\454db8b8-648b-4400-a24e-dbd1be852f85\build2.exe"
        5⤵
        
        PID:2380
      - C:\Users\Admin\AppData\Local\454db8b8-648b-4400-a24e-dbd1be852f85\build2.exe
        
        "C:\Users\Admin\AppData\Local\454db8b8-648b-4400-a24e-dbd1be852f85\build2.exe"
        6⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 1432
        7⤵
        Program crash
        
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
9abccb669092048794e059f0cb3c297f

SHA1
b27cc48a4a3e63e0a18640a381fbf63c445495a4

SHA256
ea77439e9d310540a73cc76391317e00862c4107e3ef5a0d67ca55efdbd270fb

SHA512
3897e61557d12d01c26e291131e9431922cecb2ec60b33581ed46e933fd9926123e4de9eb5b404ef8328bef3de4753b0cd0dd9f3bd47b7ba67c5136d5184f4e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
5f8ea8880ebefdb8945174c225485881

SHA1
2248d15c8f1ea8efca02f564f200583396a5b057

SHA256
d50940990e16b2632cdc9fdd071cc80799a39a912a1b7289141c153ffc43dfa9

SHA512
0c6b30dbf51346fe350138df080a53e5b059f16ca70995f2ee46f8dc5fd193d55e77ac1f1f9c6be001b774d3bef799c98e97f46dffe270232b926fcff110f7dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5512122fb443059ecd55f212cdbd6955

SHA1
58770ac6edf358ff941cac1f6ef590f53f643218

SHA256
d94dd10b6565b5eab59aaa97537e6641be43e66bf3c01798062a47f761c618c7

SHA512
e6c4d4412e4fc944b4b64356eb6d918c6aeb09034906c6c6f6af57d7296744bee25bee769550a5fcfcc46bea8818254d4845c62611699bcfaa194df5282e3dde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
e0a9b94ea4e62612aaa7f58236df28e2

SHA1
7abe44780d1d041ee81427b758ed85d269787659

SHA256
3b9940c36d0fa1e7ea93dee884425626841b6cddc03becc4ba1e50a392400f84

SHA512
bcdea02f2f798dec77cfdea44f230075b7e8b0f5fccba86d2181ef88d844bcf894065a2120e234e9a99a9ca4960fa166a50bb675606a23a0425ad73a5dcd2a44

Download Submit
C:\Users\Admin\AppData\Local\0454c923-095f-4a02-bd5e-c2af8316dba3\0407f464f5383cc888945bda2afa42c6.exe

Filesize
116KB

MD5
c1c5830b250a5369bcf96f04209261fe

SHA1
c58110c4eee1da1198bf996777069c88071aed83

SHA256
42de5c518b5604afcc172ae93368c3573afc679d47cc61cf8bd5ae629190b963

SHA512
3ff2ae2b52b6de6a2e2e1f36473a39dc59a4455c0e59da6fd7af597b632fe9352eaab4584965b540c206d917e3a8af8f494f3597cbefe279d615d9e90217f355

Download Submit
C:\Users\Admin\AppData\Local\454db8b8-648b-4400-a24e-dbd1be852f85\build2.exe

Filesize
21KB

MD5
18662b8850359e57ff8b5d69b0e88c4c

SHA1
09a366ca35ce96853c92175edf53153be0491c06

SHA256
358b689513344f38b9d70f390f40112916177da50d970547310142fc612edd8d

SHA512
fec5b0ec57f931d17c3e7dbcc9006e55ddae4d17aab94f737169c4e684e22e89fa4cd8b7ab17a8bed307486d476d7515136623810cf021c5738d951704eebbd0

Download Submit
C:\Users\Admin\AppData\Local\454db8b8-648b-4400-a24e-dbd1be852f85\build2.exe

Filesize
1KB

MD5
fe01c85761f73499aad7b52653767efc

SHA1
994ce5a6898ccefbfe7d3cdd21e7b044b98a47ae

SHA256
caf7e3d57333c9367bcbeee6fa78a6dbd5ea796f138c9b384a96940de47fdee2

SHA512
9af67eeffc27cd1e54740db15101caecfdc5067b78a17865a3bb9ef38e5ce4d8275ab15a3be81788477e05684a28366ffb7bac513af840893741c20813ccc90d

Download Submit
C:\Users\Admin\AppData\Local\454db8b8-648b-4400-a24e-dbd1be852f85\build2.exe

Filesize
11KB

MD5
7330f645388de7b320435cd0f2b6cbd8

SHA1
594e2618cbae8d6d906d1a989eba64311277b685

SHA256
1bae55c3d30c934580f302b2fcd7578b625c6a8851e431726574295188271b96

SHA512
802d944285d83b1ba9adbf98b8441745a7469d715fca1ba7004a6acce1ae54410d0855fbc92f3f09d2f63964367260e918cd4ad292f6041d8a85cdfca0bdfa55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab840E.tmp

Filesize
27KB

MD5
afa3772d855141f42da9513340ddd9b4

SHA1
9bfada8e9dac067767670cc16ea489e189cce3f3

SHA256
9bbab623c425621894632622e0dbf41006976af45400777efb96570e70973951

SHA512
aaab81112915fdc13d975dc38b4f59f1432e69bf7c5d1b6aea43a12ddfd418e951c9521181b9eed49e6537177e327aa4e96b54aa2108bd31af7b900f049629b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA1EB.tmp

Filesize
7KB

MD5
6840afaebfb619753a7adc87b57bea23

SHA1
ae4ba1c40c91b0b416f68e7ba42ec4425f02b7ae

SHA256
c74d9a369e521d9297211ba9eceb3d0151dad76bb4a2e82c2fb374e7a2bf8d84

SHA512
58db29feb4b8a2e3069556790e47a58161337d1fd61b5a7454f685ad4bca0d9fca7c2ccc65e6554f5205105a94a6220a47d370e1c0063790cc751325701f513d

Download Submit
\Users\Admin\AppData\Local\454db8b8-648b-4400-a24e-dbd1be852f85\build2.exe

Filesize
42KB

MD5
50bdc0fad35fc0f461b652b761572d00

SHA1
afcd4609bfd113de3dd71ceafd6b6541b6dd731b

SHA256
42337145a8352ae8a027c05455537c57d9d00aabae5dca71cc2c3a54cec47610

SHA512
22c09d2e27b85debd8213ae52da24f5f5c0d24f5fad68e0b608ff26d11a84c359fd3a095d7733106673348a090935e3db24c36620f5270aa8a8b8b176dba3703

Download Submit
\Users\Admin\AppData\Local\454db8b8-648b-4400-a24e-dbd1be852f85\build2.exe

Filesize
34KB

MD5
f7d8f34e90a5934424878900274211f9

SHA1
9e8a2c207fc0204bbbb266e61203b655fdb5afcd

SHA256
cf20314fc04484127f0563da78f0915c42371a8243f1a6dac0ffaa6e2883f693

SHA512
2c0fb7aef4472064e2b116aad18474ca1a6cf6f5d8f1e4474f4cbf65704ebc253ecb66971be26b65b3f72b74455d983a55f28d5afbbcc18bd5afb36a5e496a3c

Download Submit
\Users\Admin\AppData\Local\454db8b8-648b-4400-a24e-dbd1be852f85\build2.exe

Filesize
92KB

MD5
22e09e303bf210c5a1366eed0be0b294

SHA1
8579012d28b1c325facb09e50ee0f33400c98d0f

SHA256
ef828c82ba2541737e984e24f16ab37b68810ccd90c836cf18d74e4a90417c7d

SHA512
9d5aec3a9787b019191e700366aed9ed6d48a01868ec6588a6b64759b84fd96523a48f5a2eff723cdcee0096c40ea0f2f6d9bc2a67aa559f11cf2928317b3570

Download Submit
\Users\Admin\AppData\Local\454db8b8-648b-4400-a24e-dbd1be852f85\build2.exe

Filesize
68KB

MD5
164132e7e74110503b87ee1ab13c8164

SHA1
73a37f42e6bcb96f41c3e5421a2a828896600281

SHA256
974dc33fd42bc76ff1f05c2fc3aab8e9192aec511ba9ec039f57c927bed2a320

SHA512
9667128c7d594a0c620863b3e330359a13ecd51345128b3d735204a100dbf3561239f4152a994f78af38d757b8ab0fdd918e1adbc3f12279ef330cf9cfebf2da

Download Submit
\Users\Admin\AppData\Local\454db8b8-648b-4400-a24e-dbd1be852f85\build2.exe

Filesize
23KB

MD5
6dd62c1337f4748a1c25e02977fa6155

SHA1
b11794929192eca13aa47bcda4189e98b94baa4b

SHA256
29bb39a50c3a0918b0e84d0176a40851d959620b14d08ea8cb39083554bb5b1a

SHA512
f7cdd14115a5e50ee2bf47dd22a5cb4e63ddbcded86f2d9b741f24419146a2a813e488a23aee194109d96c633e6bed4b399543ed95e2fe59bac86dd8ed47efcd

Download Submit
\Users\Admin\AppData\Local\454db8b8-648b-4400-a24e-dbd1be852f85\build2.exe

Filesize
6KB

MD5
6837987a14ac8d69d18dac7e864e90ae

SHA1
51dd1f72fed1f9bc987f654f4cc116d589087be2

SHA256
3d25a61b685a7f139f22e15e114817bdc2a36e3044e9a6caaa34bc6d304db782

SHA512
40c05fa2da497d8fbbb4a22f2326506be10dcbddfb0b4f0c9d8b3c22c036cab230d313ec8d6effe4702fa54517d529ea7b78eb7a94d29d264adcd00fe611ff58

Download Submit
memory/2104-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2104-8-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2104-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2104-9-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2104-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2380-84-0x0000000000460000-0x00000000004AB000-memory.dmp

Filesize
300KB

Download
memory/2380-93-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/2380-82-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/2524-7-0x00000000004C0000-0x0000000000552000-memory.dmp

Filesize
584KB

Download
memory/2524-0-0x00000000004C0000-0x0000000000552000-memory.dmp

Filesize
584KB

Download
memory/2524-3-0x0000000001CE0000-0x0000000001DFB000-memory.dmp

Filesize
1.1MB

Download
memory/2524-1-0x00000000004C0000-0x0000000000552000-memory.dmp

Filesize
584KB

Download
memory/2612-33-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download
memory/2612-29-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download
memory/2664-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2664-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2664-227-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2664-35-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2664-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2664-58-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2664-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2664-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2664-57-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2708-83-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/2708-92-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/2708-90-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/2708-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-78-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/2708-214-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/2708-85-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download