Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample
Size

61KB
Sample

210726-7kdxb4j7ve
MD5

2a66b3b2638dfc5dfcf8aaf825993269
SHA1

4e04822d6b8c3087be0550dba96f0c80d84359f8
SHA256

10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5
SHA512

1d63645dc8564057367ed295cb56b0aebdb071b652786d67ae2d9fc0371a034231ace703001bc353b303000fde0c6f9774a120ace83b665964278f8e7127c435

Score

10^/10

hakbit ransomware spyware stealer

Malware Config

Extracted

Path	C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
Family	hakbit
Ransom Note	Atention! all your important files were encrypted! to get your files back send 1 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: torsec1@secmail.pro agarrard@protonmail.com Bitcoin wallet to make the transfer to is: 1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ MP20BmgzYCXvImRatoGL+q+WvgnrNvM4H7wmIZQet5imyu8Lk6Ps0IgChbYpAvcV1LlaXRk5l4NIStrUFPszW/5lTfH2CIdAz7VSA/eVWg3qkxG+0hURjLNCnBqJt4WPmQsG4h9VzYPWBCiFOZ7+Gva1ailSHx0Itu2oKOjH4fQbkklXqeVC/FCc3QduTj0MrPgjnK20NYBtqP5DkV5d7jnXNU+eAasZXS0fN3zBariWU8D+BdoQlE/zHz0XseJv3gY47A+4qsGwBp8WxWhr/ICtnISf3luOQ9xjEt1e+TRIAKH7B+OGpbVCexLIy3v/6B59UzAUOJ+zPY/ECxSHQw== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Emails	torsec1@secmail.pro agarrard@protonmail.com torsec1@secmail.pro agarrard@protonmail.com

Targets

- Target
  
  10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample
- Size
  
  61KB
- MD5
  
  2a66b3b2638dfc5dfcf8aaf825993269
- SHA1
  
  4e04822d6b8c3087be0550dba96f0c80d84359f8
- SHA256
  
  10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5
- SHA512
  
  1d63645dc8564057367ed295cb56b0aebdb071b652786d67ae2d9fc0371a034231ace703001bc353b303000fde0c6f9774a120ace83b665964278f8e7127c435
Score

10^/10

hakbit ransomware spyware stealer
- Hakbit
  Ransomware which encrypts files using AES, first seen in November 2019.
  ransomware hakbit
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

File Deletion

Discovery

Execution

Exfiltration

Impact

Inhibit System Recovery

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

behavioral1

hakbitransomwarespywarestealer

behavioral2

ransomwarespywarestealer