djvu | b5894034c64a59c927615881f133b65857c750d43f2cb5064f1a0c42d25f4e6b

Sharing

Copy URL

Twitter E-mail

General

Target

file_release_v3.rar
Size

16.9MB
Sample

240218-1sy98sfd25
MD5

94ec83b25bf1f1574aedb939601d9420
SHA1

0e0f31bb10186551b14d2e29c4fb72315f184446
SHA256

b5894034c64a59c927615881f133b65857c750d43f2cb5064f1a0c42d25f4e6b
SHA512

e8574f110ab92554709c44254a1d365fd99226388ee9ae74d52c5dbf32364372b3751a3771c7aea39063042663be710d46b944318d317f54f2a856597d09b7b8
SSDEEP

196608:z3+cXxXIkRZAY88Tz55JLsTe7dydv1UWk3A5ymQc8+lXw2f0IjTCnsneCls9Ppx8:L+oX+tkz3JLT78d0g3AMusneXNpxfZ6J

Malware Config

Extracted

Family

risepro

193.233.132.62

193.233.132.49:50500

193.233.132.67:50500

Extracted

Family

djvu

http://habrafa.com/test2/get.php

Attributes

extension
.lkfr
offline_id
OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
payload_url
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0852ASdw

rsa_pubkey.plain

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

stealc

http://185.172.128.24

Attributes

url_path
/f993692117a3fda2.php

Extracted

Family

lumma

https://isotrimorphicnongrasse.shop/api

Targets

- Target
  
  ICQLiteShell.dll
- Size
  
  56KB
- MD5
  
  05e61539b8917fca37c03756bbdd043d
- SHA1
  
  5a72e0e528260de0ea5b34badb9e5f9873cb4245
- SHA256
  
  515c8e0b93f0fef15da3e2573ad92b7e7840374140e65e5d73df63d8e22cb3e8
- SHA512
  
  565d57783e6044d6e7e2026c79dbd897e637c5e1d96e7930dc704ef2b6d801669b38f0c26382f00e67e26668439274941e937a0ade54666de50b5d84f6da7e97
- SSDEEP
  
  768:YEGJ9blT7XZBSbHwJU+tGR0KZUyGKZ0ZgwmF1+3UVambg:YEGJ9bln5o0KZjGKZ0Z1mF1+3UVayg
Score

1^/10
behavioral1 behavioral2
- Target
  
  ICQRT.dll
- Size
  
  32KB
- MD5
  
  1aedcb8994d6ad63ef9dcb87016e028f
- SHA1
  
  f5b891aa15c6353b681bdb7e2d96c6ac8a5f02d7
- SHA256
  
  53e1f40144bab532f9700ff25ec3d5c6a39784a98e17fada583b4ee6d9dd5dbc
- SHA512
  
  89c0f408797c4d78afc52335a9e162345c614e1e419f55487cb358c14f7a69ec82138a7e6250be3133233386ba3659d241e80ab63c9b972b6c8b26b0424cb0c8
- SSDEEP
  
  384:+qtTeds1tkMAp4TxCW9su5UcSu93ggoXUQQIPGEANHl:FTedukelF95RjQUUPpANHl
Score

3^/10
behavioral3 behavioral4
- Target
  
  Language/WinRar.exe
- Size
  
  3.2MB
- MD5
  
  b66dec691784f00061bc43e62030c343
- SHA1
  
  779d947d41efafc2995878e56e213411de8fb4cf
- SHA256
  
  26b40c79356453c60498772423f99384a3d24dd2d0662d215506768cb9c58370
- SHA512
  
  6a89bd581baf372f07e76a3378e6f6eb29cac2e4981a7f0affb4101153407cadfce9f1b6b28d5a003f7d4039577029b2ec6ebcfd58e55288e056614fb03f8ba3
- SSDEEP
  
  98304:lJXOBfK92HbAw0CNB3kJElzNsy8vGUvfCo3ABH43:lJ192HbAXCvDlzNsy8vGUyo3AB8
Score

1^/10
behavioral5 behavioral6
- Target
  
  LiteRes.dll
- Size
  
  735KB
- MD5
  
  88962410244bc5c03482b82a7e3cb5e1
- SHA1
  
  4622be2d3deda305bf0a16c0e01bc2ecf9d56fad
- SHA256
  
  afa884228afc5c05f4b47e90b6de42854d5a8886ec5ed15a253faeccd5309036
- SHA512
  
  c6e7667f91c1439e33ad4d9e2052b7c9fcc3ca2c7688d9e2bc0550b71a5762b76aa76427331df0217429d9bd984925997c7a8d009f25e44e2776c5ce7cc9d98c
- SSDEEP
  
  6144:x9Ej/jb82/HRoXO1q2pt+Mc1/PDPicsUzM+gYESoE/wOuET8F62bH5vnGfcJvl+b:fqptG/PDPo0no2Iq8F6CHBTWqU
Score

1^/10
behavioral7 behavioral8
- Target
  
  LiteSkinUtils.dll
- Size
  
  48KB
- MD5
  
  059d94e8944eca4056e92d60f7044f14
- SHA1
  
  46a491abbbb434b6a1a2a1b1a793d24acd1d6c4b
- SHA256
  
  9fa7cacb5730faacc2b17d735c45ee1370130d863c3366d08ec013afe648bfa6
- SHA512
  
  0f45fe8d5e80a8fabf9a1fd2a3f69b2c4ebb19f5ffdcfec6d17670f5577d5855378023a91988e0855c4bd85c9b2cc80375c3a0acb1d7a701aff32e9e78347902
- SSDEEP
  
  768:FPGeoWyuTx6vrP/zAdWQS6Z9CSKh64crVKTl9inMUAK:tGeJxIHepSKzjVK9iMUAK
Score

3^/10
behavioral10 behavioral9
- Target
  
  Resource/Locals/x64/AdonisUI.ClassicTheme.dll
- Size
  
  287KB
- MD5
  
  8a1b183bca062f48402c74f2daba7b92
- SHA1
  
  d9417bf78b3b37d668c08e67f3c0f21dbc6dc11e
- SHA256
  
  8103f2cce6a864ceefe6c5b0c05087ac85ab04a2abf150e93bc9db90c54d9d20
- SHA512
  
  0f5120fa9ed24d2a49b82cdc62113302002ccc5e1cf389cc28830f36b2915f876bdf77094fa6dfa312fc01b6f482465297fa734509511fa7e72285569ce57e87
- SSDEEP
  
  6144:aMNTja9KIKf5RCs1ussMKlzI5iJQn9gu5DPOvObo:5Za9KIjs1ussMKlzI5lo
Score

1^/10
behavioral11 behavioral12
- Target
  
  Resource/Locals/x64/AdonisUI.dll
- Size
  
  164KB
- MD5
  
  3d4c8b6aad28ec574e56ccda22b34ef3
- SHA1
  
  bc22ac7097e597fba3d7367b2fd5c61adff28941
- SHA256
  
  db46b6106dc1b30041ce3f287ded91166895ff3f1928250fc79dd46c444b1e45
- SHA512
  
  fc56241e65dc7bcc678a2af92f79bda017ceb3f7c4f203c7e9ce753d573da868608a6f56545c0d181a625737278b7b73223e5dcce85bf1f3c5b7b1b06e5c5739
- SSDEEP
  
  3072:fuZPAdWKbu3355s555GPQKljrKxX0yAbTxin1YzqHf0llbS1sjZ73h39Iwj:GydWDrKxG3h39Iw
Score

1^/10
behavioral13 behavioral14
- Target
  
  Resource/Locals/x64/SQLite.Interop.dll
- Size
  
  1.7MB
- MD5
  
  56a504a34d2cfbfc7eaa2b68e34af8ad
- SHA1
  
  426b48b0f3b691e3bb29f465aed9b936f29fc8cc
- SHA256
  
  9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
- SHA512
  
  170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7
- SSDEEP
  
  24576:YPUxmkgSxPgobZPRjZ22H6edtOZzWySRO3mlE0i/Yl5P+qF+8k+ao/si6:8UxXPgo8e6WYBSJZSS5P97I
Score

1^/10
behavioral15 behavioral16
- Target
  
  Resource/Locals/x86/BouncyCastle.Crypto.dll
- Size
  
  3.2MB
- MD5
  
  0cf454b6ed4d9e46bc40306421e4b800
- SHA1
  
  9611aa929d35cbd86b87e40b628f60d5177d2411
- SHA256
  
  e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42
- SHA512
  
  85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048
- SSDEEP
  
  49152:JIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9Y:6BbBWIgWljGxRB/LLY
Score

1^/10
behavioral17 behavioral18
- Target
  
  Resource/Locals/x86/SQLite.Interop.dll
- Size
  
  1.3MB
- MD5
  
  8be215abf1f36aa3d23555a671e7e3be
- SHA1
  
  547d59580b7843f90aaca238012a8a0c886330e6
- SHA256
  
  83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
- SHA512
  
  38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b
- SSDEEP
  
  24576:eiDAYMz2epP8AEXn8z7qsyb8c+gntHKuvKtBLtTvD0nsrFSK96fYlYyv:1AYMza36enEuyjpTV96A2yv
Score

1^/10
behavioral19 behavioral20
- Target
  
  Resource/opengl64.dll
- Size
  
  145.8MB
- MD5
  
  71466589eb444bbf272c0f5c920c57f0
- SHA1
  
  4fcace49ee032779d3bf7b8e03c6a9f29ed871ba
- SHA256
  
  e7d625cf255360b0ea96a52ca990be6f1cef522ff7440393e45b12793ac88031
- SHA512
  
  eff62450cf03d72af2594d750a70b008226fa2e46216661716287639bf5e1ff1303076fdaf4f062ca4098ef10a8e29502de55ecb3a6e04753aad7fcad01e3352
- SSDEEP
  
  48:0ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZY:n
Score

1^/10
behavioral21 behavioral22
- Target
  
  setup.exe
- Size
  
  796.0MB
- MD5
  
  20ec80218851ba0adc9e715e55951d35
- SHA1
  
  b6a2fc65ec253fdadaf84b6f22d268151aa02167
- SHA256
  
  20e3396489f07c8582f797f78a3ad3d6fa76bb229adb214bf1fc2b0386e3e1c0
- SHA512
  
  0ab5aa354fe64a55913dff67c469b9f79f92e2aaed8e62af7a61966ad245531c6ecd30eab3067249e457ec1de2ecfc1462939e210f2f79ca941d126e4153e2b3
- SSDEEP
  
  98304:Y48A1GVS1CftH2UTY4r2TLHYbr3Bv8tR8ed:Y9A1G6CfbT12Tr2Byd
Score

10^/10

djvu glupteba risepro smokeloader stealc zgrat pub3 backdoor discovery dropper evasion loader ransomware rat spyware stealer trojan lumma persistence rootkit themida
- Detect ZGRat V1
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral23 behavioral24