General

  • Target

    AVTK_Win_Sybari.exe

  • Size

    62KB

  • Sample

    200709-fvq2m94xjs

  • MD5

    d5edd6b32296d1cee4829fb1499c8759

  • SHA1

    b7f33bd8aeb6cdd59cbf88802938c6efc0108829

  • SHA256

    b99e0b750b3815fec3b292ede3f94524c8bede7d158334295e096518e9cde0ad

  • SHA512

    8f320e8461691572dbe21f7ae4d96f067e4d2fb228de8c9b3be5325d43905d637438fd5aaed14e603ef73bb79b47d20e650dfb4b27dad74140a703a629884bf5

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note
Atention! all your important files were encrypted! to get your files back send 1 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: torsec1@secmail.pro agarrard@protonmail.com Bitcoin wallet to make the transfer to is: 1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ n4oC8V5pUjJ61XDU0XZo7S+2HV88Z+URAxPv7zEZsXchYOENWei2gK1g2Uk8m+0YKXrrQZ+6QjlXhMa/uEoAj8YK4T7nwDQaLZOG5vZr/btKFeZCKgZupLrISRA87jYL2gNt0fqe0Db0w5LYP5mSs+v6w7DslwJw5BtAeCVHbpz2ZL9v1jy+dD2asYjCwNsnfCqSa0H2h+IV8cBbZcgqUq08Cu2hZpv7VA7bjcT08pS2XesLojQ/X06v5ktwYgKapc/0eaAxEbbkUk80+4cbt/1qbqCSPGfJkDJ6Su55EoOVZc7I27c7l4Bx9tJGgsqBvuAurFWtTvsey8D+N+dg2A== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Emails

torsec1@secmail.pro

agarrard@protonmail.com

Targets

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031): 1

  • Defense Evasion

    File Deletion (T1107): 2

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Collection

    Data from Local System (T1005): 1

  • Impact

    Inhibit System Recovery (T1490): 2

Tasks