General

  • Target

    Client-17.exe

  • Size

    60KB

  • Sample

    200510-rylqg3s5bx

  • MD5

    0f27d1180d28e1bcaf4d66f6b51c087c

  • SHA1

    15a00d3aba362aade900374b6d159de98e8eac62

  • SHA256

    34b93f1989b272866f023c34a2243978565fcfd23869cacc58ce592c1c545d8e

  • SHA512

    7a6f8f1f55fbd37124fdf24ce057f8cb2231ecc2fc4cf9d9028ab83436e64ae59af97a5e4ec1e6587ebcdfe6487f6794450ba961429afba0b24bd6fb48237ea8

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_MY_FILES_NOT_MAKE_PUBLIC.txt

Family

hakbit

Ransom Note

Atention! all your important files were encrypted! to get your files back send 250 Euro in Bitcoins and contact us on E-Mail with proof of payment and your Key Identifier, you can find this here. We will send you a decryption tool with your personal decryption password. When you not Contact us and Pay, we do make your Data Public on a Websites, where everyone sees their entire computer content from you.
--------------------------------------------------------------------------------------------------------------
Where can you buy Bitcoins:
https://www.coinbase.com
https://localbitcoins.com
https://anycoin.eu
https://bitpanda.com
https://binance.com
https://bitcoinbon.at
For Switzerland and Austria Bitcoin Automat Värdex - Swiss Clients All SBB Automat - Swiss Clients Bitcoin Bon - Austria Clients
You can calculate the Bitcoin rate here: https://preev.com
--------------------------------------------------------------------------------------------------------------
Contact: timepay@protonmail.com
Please send us the key identification code via email, which you can see at the bottom of this text as soon as the payment has been made by you.
Please send the Bitcoin on this Adress for the Payment: bc1q5dn3tc67wh90mrq65xm8a2z9lr9t0tc2lctwv3
--------------------------------------------------------------------------------------------------------------
GERMAN SPEAK CLIENTS
--------------------------------------------------------------------------------------------------------------
Achtung! Alle Ihre Daten wurden verschlüsselt, wenn Sie alle ihre Daten auf Ihrem Rechner wieder wollen, dann Bezahlen Sie 250 Euro in Bitcoins und Kontaktieren Sie uns via E-Mail mit einer Bestätigung der Zahlung an unsere Bitcoin Adresse. Wir senden Ihnen dann ein Entschlüsselungs Programm damit Sie alles wieder Entschlüsseln können. Falls Sie nicht innerhalb ein paar Tagen Bezahlen,werden wir Ihre Date auf einer Webseite veröffentlichen die für jeden Zugänglich ist.
Oberhalb des Textes sehen Sie wo Sie die Bitcoins erwerben können um diese an uns zu senden. Bitte senden Sie uns via E-Mail den Key Identifikationscode, diesen sehen Sie ganz unten in diesem Text aufgeführt, sobald die Zahlung getätigt wurde von Ihnen.
Unsere Kontakt E-Mail : timepay@protonmail.com
--------------------------------------------------------------------------------------------------------------
Bitte senden sie hierhin die Bitcoins für die Zahlung bc1q5dn3tc67wh90mrq65xm8a2z9lr9t0tc2lctwv3
--------------------------------------------------------------------------------------------------------------
IDENTIFICATIONSKEY - IDENTIFKATIONSCODE / SEND THIS CODE VIA E-MAIL
L1kIUMVBjbEiR17vks+oODArJwFMRXrDekxJXoYOKBtWCzPmmQewVxW1TPgC+pNBa7FO+M1OyjUVU8MFCuUSqkhdFUx70YNpMU1VtOTrxtVBMViYzdxD5JL6RSBGnCbW9m7tuB5Ks21ayk/olr1XzV1pfSuz6tN6EYQOgnM0f85CwPIMWEPZ+uV/tj1x+A4b7+6WfwODAfTafgqgz5e2og31DxmLDdu8++OUvE3ew7SkxI72eCkQ0tYJrliQw8zZ4eYZTWt/WIbAQIgr0jdYN5wqVRwH9BBXbcUZOQCphi/o5Va5eDVs8oeqpqu7h6/mGeEfHKNmvep5Q82KsgtpjQ==

Emails

timepay@protonmail.com

Wallets

bc1q5dn3tc67wh90mrq65xm8a2z9lr9t0tc2lctwv3

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    199.188.200.253
  • Port:
    21
  • Username:
    9b732058@noether-stiftung.de
  • Password:
    13MelisaLening37

Targets

    • Target

      Client-17.exe

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • File Deletion (T1107): 2
  • Modify Registry (T1112): 1

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 2

Collection

  • Data from Local System (T1005): 1

Impact

  • Inhibit System Recovery (T1490): 2
  • Defacement (T1491): 1

Tasks