djvu | 07fc70e17fc81a62cce3afd89755eb174e090bb3c0f170ea23a55ac7cdda1820

Sharing

Copy URL

Twitter E-mail

General

Target

SecuriteInfo.com.Win64.Evo-gen.16085.20859.exe
Size

3.7MB
Sample

240123-tx31naccar
MD5

496a327e9fd93b6db80bd14c4a719be3
SHA1

b190039a7587a94d6ebf96415bd7bcf5d632b28e
SHA256

07fc70e17fc81a62cce3afd89755eb174e090bb3c0f170ea23a55ac7cdda1820
SHA512

7573798146cd11bac90851aa3189c222af430e24c640181dee5b947b21d31b9f66daccd47bd05be78f33de726e1d8220329a32f0c59a7a3dccf92a357649294b
SSDEEP

98304:V4MqoEwrHPzQ3eASj+yn49pqF+JE/vhU4pVQ:pqOrHPzQ3kto4qKpK

Malware Config

Extracted

Family

djvu

http://habrafa.com/test2/get.php

Attributes

extension
.cdtt
offline_id
Bn3q97hwLouKbhkQRNO4SeV07gjdEQVm8NKhg0t1
payload_url
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-FCWSCsjEWS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0845OSkw

rsa_pubkey.plain

Extracted

Family

redline

Botnet

24k

91.92.245.15:80

Extracted

Family

stealc

http://185.172.128.24

Attributes

url_path
/40d570f44e84a4�4.php

rc4.plain

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

smokeloader

Version

2022

http://gxutc2c.com/tmp/index.php

http://proekt8.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

45.15.156.60:12050

Extracted

Family

fabookie

http://app.alie3ksgaa.com/check/safe

Targets

- Target
  
  SecuriteInfo.com.Win64.Evo-gen.16085.20859.exe
- Size
  
  3.7MB
- MD5
  
  496a327e9fd93b6db80bd14c4a719be3
- SHA1
  
  b190039a7587a94d6ebf96415bd7bcf5d632b28e
- SHA256
  
  07fc70e17fc81a62cce3afd89755eb174e090bb3c0f170ea23a55ac7cdda1820
- SHA512
  
  7573798146cd11bac90851aa3189c222af430e24c640181dee5b947b21d31b9f66daccd47bd05be78f33de726e1d8220329a32f0c59a7a3dccf92a357649294b
- SSDEEP
  
  98304:V4MqoEwrHPzQ3eASj+yn49pqF+JE/vhU4pVQ:pqOrHPzQ3kto4qKpK
Score

10^/10

djvu redline risepro smokeloader stealc zgrat 24k pub3 backdoor discovery evasion infostealer ransomware rat spyware stealer themida trojan fabookie rhadamanthys logsdiller cloud (telegram: @logsdillabot)persistence
- Detect Fabookie payload
- Detect ZGRat V1
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2