General

  • Target

    10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample

  • Size

    61KB

  • Sample

    210726-7kdxb4j7ve

  • MD5

    2a66b3b2638dfc5dfcf8aaf825993269

  • SHA1

    4e04822d6b8c3087be0550dba96f0c80d84359f8

  • SHA256

    10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5

  • SHA512

    1d63645dc8564057367ed295cb56b0aebdb071b652786d67ae2d9fc0371a034231ace703001bc353b303000fde0c6f9774a120ace83b665964278f8e7127c435

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note Atention! all your important files were encrypted! to get your files back send 1 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: torsec1@secmail.pro agarrard@protonmail.com Bitcoin wallet to make the transfer to is: 1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ MP20BmgzYCXvImRatoGL+q+WvgnrNvM4H7wmIZQet5imyu8Lk6Ps0IgChbYpAvcV1LlaXRk5l4NIStrUFPszW/5lTfH2CIdAz7VSA/eVWg3qkxG+0hURjLNCnBqJt4WPmQsG4h9VzYPWBCiFOZ7+Gva1ailSHx0Itu2oKOjH4fQbkklXqeVC/FCc3QduTj0MrPgjnK20NYBtqP5DkV5d7jnXNU+eAasZXS0fN3zBariWU8D+BdoQlE/zHz0XseJv3gY47A+4qsGwBp8WxWhr/ICtnISf3luOQ9xjEt1e+TRIAKH7B+OGpbVCexLIy3v/6B59UzAUOJ+zPY/ECxSHQw== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Emails

torsec1@secmail.pro

agarrard@protonmail.com

Targets

    • Target

      10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5.sample

    • Size

      61KB

    • MD5

      2a66b3b2638dfc5dfcf8aaf825993269

    • SHA1

      4e04822d6b8c3087be0550dba96f0c80d84359f8

    • SHA256

      10dc9cb12580bc99f039b1c084ca6f136047ac4d5555ad90a7b682a2ffac4dc5

    • SHA512

      1d63645dc8564057367ed295cb56b0aebdb071b652786d67ae2d9fc0371a034231ace703001bc353b303000fde0c6f9774a120ace83b665964278f8e7127c435

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

    Execution

      Exfiltration

        Initial Access

          Lateral Movement

            Persistence

              Privilege Escalation

                Tasks