Submit Reports Overview overview 10 Static static 3 dridex windows10-2004-x64 10 Sharing Copy URL Twitter E-mail General Target 0c6fce422319b4570a61b29e15bfcd8b862ce2263605a06b8498c3e949722138 Size 743KB Sample 230605-qcbh5agg47 MD5 8b6d8cac9412f1375d21d92749c7faa4 SHA1 bc08b806ba62c6cdce75c7d668b9bb89c6029f2c SHA256 0c6fce422319b4570a61b29e15bfcd8b862ce2263605a06b8498c3e949722138 SHA512 7fb328b653dd4d31e8477c283b043da6a853c82736783f17c031bfb048a6a049eac0593494d90105e2cd5ab84fa27f5f21488183ce0ef702cfeda2e93bf9e8a1 SSDEEP 12288:s6wwAz1xo9qL3zLyPQaFR4wzHenQKNZNT2lxIqODKKWYBqDirKPSU0:s6wwAM9qL3H1aFR4ye3N4ODKhYP Score 10 /10 djvuvidar77a63e71a10ee1d81a28b5c866b75922discoverypersistenceransomwarespywarestealer Static task static1 1 signatures Behavioral task behavioral1 Sample 0c6fce422319b4570a61b29e15bfcd8b862ce2263605a06b8498c3e949722138.exe Resource win10v2004-20230220-en djvuvidar77a63e71a10ee1d81a28b5c866b75922discoverypersistenceransomwarespywarestealer windows10-2004-x64 20 signatures 150 seconds Malware Config Family djvu C2 http://zexeq.com/test1/get.php Attributes extension .nerz offline_id 0vTA6MA1m5nzrdffOCJC7YmAa4Lp6YNN8lOJ4mt1 payload_url http://colisumy.com/dl/build2.exe http://zexeq.com/files/1/build3.exe ransomnote ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-vc50LyB2yb Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0722JOsie rsa_pubkey.plain Family vidar Version 4.1 Botnet 77a63e71a10ee1d81a28b5c866b75922 C2 https://steamcommunity.com/profiles/76561199510444991 https://t.me/task4manager Attributes profile_id_v2 77a63e71a10ee1d81a28b5c866b75922 user_agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.34 Targets Target 0c6fce422319b4570a61b29e15bfcd8b862ce2263605a06b8498c3e949722138 Size 743KB MD5 8b6d8cac9412f1375d21d92749c7faa4 SHA1 bc08b806ba62c6cdce75c7d668b9bb89c6029f2c SHA256 0c6fce422319b4570a61b29e15bfcd8b862ce2263605a06b8498c3e949722138 SHA512 7fb328b653dd4d31e8477c283b043da6a853c82736783f17c031bfb048a6a049eac0593494d90105e2cd5ab84fa27f5f21488183ce0ef702cfeda2e93bf9e8a1 SSDEEP 12288:s6wwAz1xo9qL3zLyPQaFR4wzHenQKNZNT2lxIqODKKWYBqDirKPSU0:s6wwAM9qL3H1aFR4ye3N4ODKhYP Score 10 /10 djvuvidar77a63e71a10ee1d81a28b5c866b75922discoverypersistenceransomwarespywarestealer Detected Djvu ransomware Djvu Ransomware Ransomware which is a variant of the STOP family. ransomwaredjvu Vidar Vidar is an infostealer based on Arkei stealer. stealervidar Downloads MZ/PE file Checks computer location settings Looks up country code configured in the registry, likely geofence. Executes dropped EXE Loads dropped DLL Modifies file permissions discovery Reads user/profile data of web browsers Infostealers often target stored browser data, which can include saved credentials etc. spywarestealer Accesses 2FA software files, possible credential harvesting spywarestealer Accesses cryptocurrency files/wallets, possible credential harvesting spyware Adds Run key to start application persistence Checks installed software on the system Looks up Uninstall key entries in the registry to enumerate software on the system. discovery Looks up external IP address via web service Uses a legitimate IP lookup service to find the infected system's external IP. Suspicious use of SetThreadContext behavioral1 MITRE ATT&CK Matrix ATT&CK v6 Initial Access Execution Scheduled Task 1 T1053 Persistence Registry Run Keys / Startup Folder 1 T1060 Scheduled Task 1 T1053 Privilege Escalation Scheduled Task 1 T1053 Defense Evasion File Permissions Modification 1 T1222 Modify Registry 1 T1112 Credential Access Credentials in Files 3 T1081 Discovery Query Registry 3 T1012 System Information Discovery 3 T1082 Lateral Movement Collection Data from Local System 3 T1005 Exfiltration Command and Control Impact Tasks Score 3 /10 djvu vidar 77a63e71a10ee1d81a28b5c866b75922 discovery persistence ransomware spyware stealer Score 10 /10 © 2018-2024 Terms | Privacy window.ttp_lookup["T1053"] ={"id":"T1053","name":"Scheduled Task","tactics":["TA0002","TA0003","TA0004"],"reference":"https://attack.mitre.org/techniques/T1053","parent":"","Uses":1}; window.ttp_lookup["T1060"] ={"id":"T1060","name":"Registry Run Keys / Startup Folder","tactics":["TA0003"],"reference":"https://attack.mitre.org/techniques/T1060","parent":"","Uses":1}; window.ttp_lookup["T1053"] ={"id":"T1053","name":"Scheduled Task","tactics":["TA0002","TA0003","TA0004"],"reference":"https://attack.mitre.org/techniques/T1053","parent":"","Uses":1}; window.ttp_lookup["T1053"] ={"id":"T1053","name":"Scheduled Task","tactics":["TA0002","TA0003","TA0004"],"reference":"https://attack.mitre.org/techniques/T1053","parent":"","Uses":1}; window.ttp_lookup["T1222"] ={"id":"T1222","name":"File Permissions Modification","tactics":["TA0005"],"reference":"https://attack.mitre.org/techniques/T1222","parent":"","Uses":1}; window.ttp_lookup["T1112"] ={"id":"T1112","name":"Modify Registry","tactics":["TA0005"],"reference":"https://attack.mitre.org/techniques/T1112","parent":"","Uses":1}; window.ttp_lookup["T1081"] ={"id":"T1081","name":"Credentials in Files","tactics":["TA0006"],"reference":"https://attack.mitre.org/techniques/T1081","parent":"","Uses":3}; window.ttp_lookup["T1012"] ={"id":"T1012","name":"Query Registry","tactics":["TA0007"],"reference":"https://attack.mitre.org/techniques/T1012","parent":"","Uses":3}; window.ttp_lookup["T1082"] ={"id":"T1082","name":"System Information Discovery","tactics":["TA0007"],"reference":"https://attack.mitre.org/techniques/T1082","parent":"","Uses":3}; window.ttp_lookup["T1005"] ={"id":"T1005","name":"Data from Local System","tactics":["TA0009"],"reference":"https://attack.mitre.org/techniques/T1005","parent":"","Uses":3};