General

  • Target

    4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample

  • Size

    423KB

  • Sample

    210726-x9vwyfbvax

  • MD5

    055c2fba242d03ae153be4a796c55ae2

  • SHA1

    be71b94e30d5465d8b72e1fc7c0137024f97baee

  • SHA256

    4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024

  • SHA512

    20b31f6db488d26c1f7564106e455a77461e8a9934718e72c6c917e3ec688a9a597a05f1b93584fd88d3e867f09a470eb90094e27c2525939894973d31498890

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note

Atention! all your important files were encrypted! to get your files back send 0.5 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: daaaataaaaa@protonmail.com. Bitcoin wallet to make the transfer to is:1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9 Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ZB8esl2bqi2Bn1aS+inCS4R44bX4TdXLbrQ1QAgDqW2GKFbvdg/GcHe7BYRMtDzhFh4A0696Qictq7CSV7AZ9JlX+mAwmYF79yzLwuRgLleqiihzYKJC4zbaN1M+79AY/9BOBsi10qmHaRaUzCM/Ag3+FJQhZpEKtk4Uo/LPvf7YHKilUc/ZWH3OaYSY/jbVM4sKZoG6OUk8pBn0eZACxs0O0jxqNS/tR7AXgH8uuVLsf8Zi1UHzy9G0U8xcsSLBqXbXSajrgLp4xIEfkMxAJ6xLXbR6lht4T/f0mOCyi173K7ODmAa9n/ikwCAMOzSdRlexTyjdW7ATo+x+xUx2Sg== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Number of files that you could have potentially lost forever can be as high as: 108

Emails

daaaataaaaa@protonmail.com

Wallets

1Kex5QmBGtJLDagn3o2p1yoqyKn2A6EFG9

Targets

    • Target

      4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Winlogon Helper DLL (T1004): 1

  • Defense Evasion

    File Deletion (T1107): 2

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 1

  • Impact

    Inhibit System Recovery (T1490): 2