Malware sandboxing report by Hatching Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Client-17.exe
Size

60KB
Sample

200510-rylqg3s5bx
MD5

0f27d1180d28e1bcaf4d66f6b51c087c
SHA1

15a00d3aba362aade900374b6d159de98e8eac62
SHA256

34b93f1989b272866f023c34a2243978565fcfd23869cacc58ce592c1c545d8e
SHA512

7a6f8f1f55fbd37124fdf24ce057f8cb2231ecc2fc4cf9d9028ab83436e64ae59af97a5e4ec1e6587ebcdfe6487f6794450ba961429afba0b24bd6fb48237ea8

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_MY_FILES_NOT_MAKE_PUBLIC.txt

Family

hakbit

Ransom Note

Atention! all your important files were encrypted! to get your files back send 250 Euro in Bitcoins and contact us on E-Mail with proof of payment and your Key Identifier, you can find this here. We will send you a decryption tool with your personal decryption password. When you not Contact us and Pay, we do make your Data Public on a Websites, where everyone sees their entire computer content from you. -------------------------------------------------------------------------------------------------------------- Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com https://anycoin.eu https://bitpanda.com https://binance.com https://bitcoinbon.at For Switzerland and Austria Bitcoin Automat Värdex - Swiss Clients All SBB Automat - Swiss Clients Bitcoin Bon - Austria Clients You can calculate the Bitcoin rate here: https://preev.com -------------------------------------------------------------------------------------------------------------- Contact: timepay@protonmail.com Please send us the key identification code via email, which you can see at the bottom of this text as soon as the payment has been made by you. Please send the Bitcoin on this Adress for the Payment: bc1q5dn3tc67wh90mrq65xm8a2z9lr9t0tc2lctwv3 -------------------------------------------------------------------------------------------------------------- GERMAN SPEAK CLIENTS -------------------------------------------------------------------------------------------------------------- Achtung! Alle Ihre Daten wurden verschlüsselt, wenn Sie alle ihre Daten auf Ihrem Rechner wieder wollen, dann Bezahlen Sie 250 Euro in Bitcoins und Kontaktieren Sie uns via E-Mail mit einer Bestätigung der Zahlung an unsere Bitcoin Adresse. Wir senden Ihnen dann ein Entschlüsselungs Programm damit Sie alles wieder Entschlüsseln können. Falls Sie nicht innerhalb ein paar Tagen Bezahlen,werden wir Ihre Date auf einer Webseite veröffentlichen die für jeden Zugänglich ist. Oberhalb des Textes sehen Sie wo Sie die Bitcoins erwerben können um diese an uns zu senden. Bitte senden Sie uns via E-Mail den Key Identifikationscode, diesen sehen Sie ganz unten in diesem Text aufgeführt, sobald die Zahlung getätigt wurde von Ihnen. Unsere Kontakt E-Mail : timepay@protonmail.com -------------------------------------------------------------------------------------------------------------- Bitte senden sie hierhin die Bitcoins für die Zahlung bc1q5dn3tc67wh90mrq65xm8a2z9lr9t0tc2lctwv3 -------------------------------------------------------------------------------------------------------------- IDENTIFICATIONSKEY - IDENTIFKATIONSCODE / SEND THIS CODE VIA E-MAIL L1kIUMVBjbEiR17vks+oODArJwFMRXrDekxJXoYOKBtWCzPmmQewVxW1TPgC+pNBa7FO+M1OyjUVU8MFCuUSqkhdFUx70YNpMU1VtOTrxtVBMViYzdxD5JL6RSBGnCbW9m7tuB5Ks21ayk/olr1XzV1pfSuz6tN6EYQOgnM0f85CwPIMWEPZ+uV/tj1x+A4b7+6WfwODAfTafgqgz5e2og31DxmLDdu8++OUvE3ew7SkxI72eCkQ0tYJrliQw8zZ4eYZTWt/WIbAQIgr0jdYN5wqVRwH9BBXbcUZOQCphi/o5Va5eDVs8oeqpqu7h6/mGeEfHKNmvep5Q82KsgtpjQ==

Emails

timepay@protonmail.com

Wallets

bc1q5dn3tc67wh90mrq65xm8a2z9lr9t0tc2lctwv3

Extracted

Credentials

Protocol: ftp
Host:
199.188.200.253
Port:
21
Username:
9b732058@noether-stiftung.de
Password:
13MelisaLening37

Targets

- Target
  
  Client-17.exe
- Size
  
  60KB
- MD5
  
  0f27d1180d28e1bcaf4d66f6b51c087c
- SHA1
  
  15a00d3aba362aade900374b6d159de98e8eac62
- SHA256
  
  34b93f1989b272866f023c34a2243978565fcfd23869cacc58ce592c1c545d8e
- SHA512
  
  7a6f8f1f55fbd37124fdf24ce057f8cb2231ecc2fc4cf9d9028ab83436e64ae59af97a5e4ec1e6587ebcdfe6487f6794450ba961429afba0b24bd6fb48237ea8
Score

10^/10

hakbit ransomware spyware
- Hakbit
  Ransomware which encrypts files using AES, first seen in November 2019.
  ransomware hakbit
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral1

MITRE ATT&CK Matrix

Collection

Data from Local System

T1005

Command and Control

Credential Access

Credentials in Files

T1081

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Execution

Exfiltration

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

Score

N/A

behavioral1

hakbitransomwarespyware

Score

10^/10

Sharing

General

Malware Config

Extracted

Extracted

Targets

Hakbit

Deletes shadow copies

Modifies extensions of user files

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

MITRE ATT&CK Matrix

Tasks

static1

behavioral1