Analysis

  • max time kernel: 142s
  • max time network: 115s
  • platform: windows10-2004_x64
  • resource: win10v2004-20250410-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13/04/2025, 11:23

General

  • Target: 2025-04-13_606afb9356c8795f0705cccf3b51c37a_amadey_elex_redline-stealer_rhadamanthys_smoke-loader.exe
  • Size: 778KB
  • MD5: 606afb9356c8795f0705cccf3b51c37a
  • SHA1: 52bac27cbbae58bc1bad63623ff77b95fea70732
  • SHA256: 00f1f15c5750b5ec016c7182487455583f3a286185ac5370ed4660fa4b033297
  • SHA512: 54b5637a7e580a1069a8f6a425f889a8dc532e8fda0d42e008a8d29de0680865c098440a5349d7e6406c9ab58c0bf986af390bb44ea1e60a2acfdc87e3f934da
  • SSDEEP: 24576:r6Oa1JYHc6wdzrwQQT+47C2YEOQYAk4bOMIm:OJJDhdz0QS+42B4bu

Malware Config

Extracted

  • Family: djvu
  • C2: http://habrafa.com/test1/get.php
  • Attributes
    • extension: .lkhy
    • offline_id: OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
    • payload_url: http://brusuax.com/dl/build2.exe, http://habrafa.com/files/1/build3.exe
    • ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw
    • rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware (18 IoCs)
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Djvu family
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Modifies file permissions (1 TTP, 1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of WriteProcessMemory (26 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-13_606afb9356c8795f0705cccf3b51c37a_amadey_elex_redline-stealer_rhadamanthys_smoke-loader.exe (PID 5140, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2025-04-13_606afb9356c8795f0705cccf3b51c37a_amadey_elex_redline-stealer_rhadamanthys_smoke-loader.exe"
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\2025-04-13_606afb9356c8795f0705cccf3b51c37a_amadey_elex_redline-stealer_rhadamanthys_smoke-loader.exe (PID 4752, depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\2025-04-13_606afb9356c8795f0705cccf3b51c37a_amadey_elex_redline-stealer_rhadamanthys_smoke-loader.exe"
      • Checks computer location settings
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\icacls.exe (PID 6112, depth 3)
        Command line: icacls "C:\Users\Admin\AppData\Local\bce963e7-7f6e-409e-a2c6-5fe4ef1faefd" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
      • C:\Users\Admin\AppData\Local\Temp\2025-04-13_606afb9356c8795f0705cccf3b51c37a_amadey_elex_redline-stealer_rhadamanthys_smoke-loader.exe (PID 6040, depth 3)
        Command line: "C:\Users\Admin\AppData\Local\Temp\2025-04-13_606afb9356c8795f0705cccf3b51c37a_amadey_elex_redline-stealer_rhadamanthys_smoke-loader.exe" --Admin IsNotAutoStart IsNotTask
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        • C:\Users\Admin\AppData\Local\Temp\2025-04-13_606afb9356c8795f0705cccf3b51c37a_amadey_elex_redline-stealer_rhadamanthys_smoke-loader.exe (PID 1068, depth 4)
          Command line: "C:\Users\Admin\AppData\Local\Temp\2025-04-13_606afb9356c8795f0705cccf3b51c37a_amadey_elex_redline-stealer_rhadamanthys_smoke-loader.exe" --Admin IsNotAutoStart IsNotTask
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize: 1KB
    MD5: 4a90329071ae30b759d279cca342b0a6
    SHA1: 0ac7c4f3357ce87f37a3a112d6878051c875eda5
    SHA256: fb6a7c3edcd7b97fabc18855102a39fc4d6d3f82c0fdd39b1667807b71b9c49b
    SHA512: f0e206053d4369437c2c0f1f90f0fd03d631e4b9859d807049b41efde823d64cf4d75c28316d932360f7c03bd409e923c8bc2d4f5959361feacecfcf101ae823

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
    Filesize: 530B
    MD5: 1fbb37f79b317a9a248e7c4ce4f5bac5
    SHA1: 0ff4d709ebf17be0c28e66dc8bf74672ca28362a
    SHA256: 6fb1b8e593cb0388f67ead35313a230f524657317ea86271b3a97362e5ec6ad9
    SHA512: 287e1d62c9ceb660965c266f677c467fbb997c2f5dcd1d63e185e266488aafc3489ac1d3feec81d10f01ce4a72e61a8bc4e124f137ce8675a220aa7797002e74

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize: 174B
    MD5: 2ea86aadd9f337e152de13103685396a
    SHA1: 311ea1eec02c736d56bba0856debd6d29efd6f51
    SHA256: 3b4c24c6edcb8ee35f233587327c9770a3530fcc43d014e39a67b18973baa073
    SHA512: cc95f631a2f84ed0361d148bb2dc2d69f37484b18e365889226750d1e2642f2f30282d863456b16d6502743c24be85e50e399099a46946e1d9cbd805b20bf6f8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
    Filesize: 170B
    MD5: e01e1c1c8b9dec89b33c97cc744c55b3
    SHA1: e03b4ca3380c8282260016cc17ef9c9cc35eeea2
    SHA256: 5a234548978be7cafff6bcdaa0c3b2e7bed58f82290df653f8956ed22afeb98b
    SHA512: 420b6959c48cd1d70959d67910734cdf02a440677de84a4c7f28c5a7c6e5713a22b745bf0d8ea8500cd7c6b5a58598881661ea400b1da993aa320e24c9328a7f

  • C:\Users\Admin\AppData\Local\bce963e7-7f6e-409e-a2c6-5fe4ef1faefd\2025-04-13_606afb9356c8795f0705cccf3b51c37a_amadey_elex_redline-stealer_rhadamanthys_smoke-loader.exe
    Filesize: 778KB
    MD5: 606afb9356c8795f0705cccf3b51c37a
    SHA1: 52bac27cbbae58bc1bad63623ff77b95fea70732
    SHA256: 00f1f15c5750b5ec016c7182487455583f3a286185ac5370ed4660fa4b033297
    SHA512: 54b5637a7e580a1069a8f6a425f889a8dc532e8fda0d42e008a8d29de0680865c098440a5349d7e6406c9ab58c0bf986af390bb44ea1e60a2acfdc87e3f934da

  • memory/1068-40-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/1068-34-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/1068-45-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/1068-25-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/1068-24-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/1068-44-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/1068-42-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/1068-43-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/1068-36-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/1068-31-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/1068-35-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/4752-5-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/4752-6-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/4752-3-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/4752-4-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/4752-22-0x0000000000400000-0x0000000000537000-memory.dmp (Filesize: 1.2MB)
  • memory/5140-1-0x0000000001D40000-0x0000000001DD8000-memory.dmp (Filesize: 608KB)
  • memory/5140-2-0x00000000039C0000-0x0000000003ADB000-memory.dmp (Filesize: 1.1MB)
  • memory/6040-30-0x0000000000400000-0x0000000001AAF000-memory.dmp (Filesize: 22.7MB)
  • memory/6040-37-0x0000000000400000-0x0000000001AAF000-memory.dmp (Filesize: 22.7MB)