
Glyc3rius

I try to analyse malware...

Analysing STOP Ransomware

Overview: STOP/DJVU ransomware can be executed with one of the following parameters: --Admin, --ForNetRes, --Task, --AutoStart or --Service. It gathers the victim's location with the help of a geolocation API service and compares its hard-coded country codes against the victim's code; if one of them matches, the malware stops running. It uses the Salsa20 algorithm to encrypt files and appends the .cdpo extension to each encrypted file.

Stealc Malware Analysis

This sample of the Stealc infostealer targets browsers, browser extensions, desktop cryptocurrency wallets and applications such as Outlook, Steam, Discord, Telegram, Tox and Pidgin. It also gathers information about the victim's machine. Several anti-analysis methods are applied, and strings are obfuscated with base64 and RC4.