djvu | 29ad7d20e6b80713f0c74d711378f1b35ec3e77bc69af90c136c9e36c6f12b56

Sharing

Copy URL

Twitter E-mail

General

Target

v3_file_x86x64.rar
Size

6.8MB
Sample

240510-qrm6gagh7z
MD5

a9156a0bd435bb316530070ea542feff
SHA1

acf5fda43e4b1b699bceb6dd4dc4f241352032a4
SHA256

29ad7d20e6b80713f0c74d711378f1b35ec3e77bc69af90c136c9e36c6f12b56
SHA512

5cff55acc5dacc26e72b72038b298b1b2aec1b4b4dd74b63b5feb81ed94023fd43c288091fa7d33be9427c5b7f8068019386cb0941c19ba34c071f5e57785cc2
SSDEEP

196608:AFVmWOQbeGv/fBOqvT/bMLACYPIybJHIxsKVrY:Smf+Tv/fDfMkCYPPbJm3Y

Malware Config

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

stealc

http://185.172.128.151

Attributes

url_path
/7043a0c6a68d9c65.php

rc4.plain

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000

Extracted

Family

vidar

Version

9.6

Botnet

681a223bec180ebfdc48547d3d5bd784

https://steamcommunity.com/profiles/76561199681720597

https://t.me/talmatin

Attributes

profile_id_v2
681a223bec180ebfdc48547d3d5bd784
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0

Extracted

Family

djvu

http://cajgtus.com/lancer/get.php

Attributes

extension
.qeza
offline_id
jgILOjDrBgyzY4JmT3B2jDSyBmDPBruKk8bKs6t1
payload_url
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/665ddae3fc3cd10bbaaa4350408b196920240504141005/4cae7e Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0869PsawqS

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.77:6541

Extracted

Family

lumma

https://stiffraspyofkwsl.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

Targets

- Target
  
  concrt140.dll
- Size
  
  309KB
- MD5
  
  31f210ed5c6f2d8faa1d896cda18584b
- SHA1
  
  5444d919f5014fb6bf58cefc6f01088c32a24a00
- SHA256
  
  5393f592cded7bd8ae07b2afc3efdcc4a0b05f7e8e74380a267398266fc02d41
- SHA512
  
  d39aa7acfd982759825b537a9ca5b04e6cdd9c0a28089e0f666ae4b75e84e2e2e58180103da38bea79efe3252cb9f1932efa69b64461cb76173645e8b6ddf3f6
- SSDEEP
  
  6144:Ylm+bq4hSdOec4xWMXdtvo4KbrniIzb7wQjnWzgCE33g:pmP/eJXzvSCzW3g
Score

1^/10
behavioral1 behavioral2
- Target
  
  msvcp140.dll
- Size
  
  576KB
- MD5
  
  a11a1d761d757d367146f0f772632d8c
- SHA1
  
  9fd3eee4c4111dc386510a930192d56a2e938dfe
- SHA256
  
  2cc02c5e6654aa9175d5963f811cac222f4a2604dc28553139c675b1a78995a7
- SHA512
  
  6fbbb77766ee9846d6d3bde2ced5eeaafe721de5524a410a4821dfa6c08edbd00905bec2b9237b8f7986d6d06dbe444c5845130193da537cadaf29ea784c48e1
- SSDEEP
  
  12288:fFrCZUcfGI/O+bE9krdFFM5lle0dkM4X2n08ukSIAg6wQEKZm+jWodEEVrR+:9rCZUNYX2nSkGg6wQEKZm+jWodEE9R+
Score

1^/10
behavioral3 behavioral4
- Target
  
  res_mods/1.23.0.0/scripts/client/gui/mods/mod_a.pyc
- Size
  
  114KB
- MD5
  
  a2f3ded45da8870e93e5d2186dab27e8
- SHA1
  
  3f8e0cddecc3827b33ec02cd78d192c18f1ddf82
- SHA256
  
  fc19237a4e9ae65829dbde384ce0de2c78b22d9577384dded9d4cde569a12742
- SHA512
  
  438621491061c7f14f59c48d0d2fdd637a17c058df13417e21d660d81632dbb826a6144032f6f9192ab9bb0afb46b8f6cf3982879dc9942261c2538dbd17187c
- SSDEEP
  
  3072:k6BVH7SBjeSCbupKVfG2yQJ23J+Svsy9k/TukuPMh:zrbKeWmDyQ+13kOPMh
Score

3^/10
behavioral5 behavioral6
- Target
  
  setup.exe
- Size
  
  728.0MB
- MD5
  
  d42c009f5de776968186dc6611afc922
- SHA1
  
  dd33414810424002b6c352ba52e32cc6de107340
- SHA256
  
  95d4dc9ddb0a283dc001ef3e24112336c19e4411a5749e9612b3b87bd4a3c278
- SHA512
  
  dfd643f0f62d979fc39b582670e62e51407b45461258cda0d170d4448646064efb7bc8452c92055f2284e704e07412709537958695a5a8c9e0cc12c7ecf7850d
- SSDEEP
  
  98304:3Spz0Du6W9TrgWd/JdKX1Hxsyp7loTGEE2W/gMnzJ:3Spr9TVdxQXkY5o7U
Score

10^/10

glupteba privateloader risepro stealc bootkit discovery dropper evasion execution loader persistence rootkit spyware stealer themida trojan upx djvu lumma redline vidar zgrat 681a223bec180ebfdc48547d3d5bd784 logsdiller cloud (tg: @logsdillabot)infostealer ransomware rat
- Detect Vidar Stealer
  stealer
- Detect ZGRat V1
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Modifies firewall policy service
  evasion
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Windows security bypass
  evasion trojan
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies boot configuration data using bcdedit
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Stops running service(s)
  evasion execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Manipulates WinMon driver.
  Roottkits write to WinMon to hide PIDs from being detected.
  rootkit evasion
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral7 behavioral8