Resubmissions

11-09-2022 15:45

220911-s66x8sffap 10

21-10-2020 17:56

201021-l4bghzn2b2 10

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • Size

    80KB

  • Sample

    201021-l4bghzn2b2

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note To recover your data contact the email below potentialenergy@mail.ru Key Identifier: M13QXKon7C2hkmKC2rgNCHGj5mjFsrhjl+ySO6RMmlJPOxmPQlUIJq2A78fYplgtNaKD0yMxcUuZ4Xhc6NjsXaRiUda+D9j2akL4mdsBmcdpDY/oBfmrGkd/F7D2XYLWs+BrcrGuTNuJkT2MrA9ClBuFN+Qn4imadXWf83wdDThSgRupEt8+3no5Q04HrGM1psRfpqWz1LLmjSKkSojdEtcwpmMul1OTxbtGcy2kVFcnk8+J6bflIhtnwJiauBC0+N7hmGE22aR24kFhZLzlU7e07AwuMa0LBp8Rm+XqLJD/01WUAYDTjv4L+6rmFPXyQx5dl+DE6eJ0yYbH0V5ufZ11q/Ifol3niHIo2ZtDJTdMpPlyH9no4/GU2Yf90GPSozBVGh3c5W4PR3AwMjWXKfX1Zh8acH6BeVJHVbiXLznCsGZNo5PVCkEVH64d39d3HEzN3mA6WUipKiA0dbTxyIyw+gf5hBScbsidlnxhCu9GS95p6hmdR1t8Lskc3vUP1zgrq+G89FCqvipwMN1MiABUhTHyMLvkl3HfmL7EutwJX8JnJPJqnI98nFG1rNx9dIe8Xo1MaiAmq0j61XJTpOe42Ll7+Ui+LooUHbMbpBJ/BUBaaRkdHZId+52teVRQ9wHoLtis+ZqcLt9u4U2GQJHQam7O/N99JxI0quEElNc= Number of files that were processed is: 406
Emails

potentialenergy@mail.ru

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note To recover your data contact the email below potentialenergy@mail.ru Key Identifier: BlDLIs4wzgDoTYIEMMCvweBKQMXgNYDM9ggNJQgtZzjpRuLtkCHG5p7iVoU/LG9TeH623icJzMryxecZlwnGkjZNupY5CL6nC/En+NpYtGKgHgUR5ZL83odx4bFs/rF6ZxqWxrC8X9+JZ88sm/37IAb1dp9CnSae01HuaWsmD2gt/L34ysM/0bXFqMEKkmnCZFt0V1P3LpSMszf7XvRCUi/XW403bjsTv/HtW8wu/AtnvP49tu19hOuFbw8D4yhgMuD++XNq+gSl/uuewL2kBtMeZQeULo0Lpvc1AZ7GObTXObHBuvrxnrNjx3XCt9yEiLi2qkuX7wTrP+mtfvwOplEeRjffx5/oshpgrIf/AJuMOrfeHWW/SDmX4Va/e0d+800rY58aT04X6Vz39OUMh8rgB5q4IUqT8QWWv66Rh/hpjcjCqZSUFUZDZvwe1C0zChYOeSZSnl623VekCeq+YzSgwU3SdNrchIvwW4Ob/LsJ0qIeHN3mvVlyh2RH3mPdojiL6WJHEYR8oRyhC2aSvwGGYHAlrj8Hqg7+MAvCbhrOKLJE4VA2jkggkm3g3keytAlWafs0Udr/SO945dMPIigrzbrsQDvUFNTU4G0CXnsojb4wwRA9Qim8zH8OTJ6u3Bhg/Xt5VPWytqACHOK7s/PApIBsfcjeTrjhS6RHp1Y= Number of files that were processed is: 1230
Emails

potentialenergy@mail.ru

Targets

    • Target

      69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

    • Size

      80KB

    • MD5

      8152a3d0d76f7e968597f4f834fdfa9d

    • SHA1

      c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

    • SHA256

      69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

    • SHA512

      eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

      Execution

        Exfiltration

          Impact

            Initial Access

              Lateral Movement

                Persistence

                  Privilege Escalation

                    Tasks