General
-
Target
ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.7z
-
Size
874KB
-
Sample
220112-va9qcsddbk
-
MD5
d300d2de152dcc51bc8a8dc0af713beb
-
SHA1
11b768191d25c9395cbc095c163c2349456380e8
-
SHA256
70d9d2f6a9b6a6c881f24ea9779ff6c7282f3f486b545975b5dc2121d4eaeb50
-
SHA512
85fd52f1e08adadbf5a105711492ed42f047d863dee55199c8c6e502e7171afd2c8ec1ec2c75b8c7eb44ee83a9fe2801bf4eac783f617e1fb21882e5d235b3a4
Malware Config
Extracted
C:\rtZ9_HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Targets
-
-
Target
ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef
-
Size
2.7MB
-
MD5
4e24407deffd0a8b899961ea1c9222b8
-
SHA1
5e38a984cad2c7538b86bed6f8fec15491b6b8c3
-
SHA256
ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef
-
SHA512
3482a3f81f6a2d4e106df1adcaab2ccef553e0ae944ecfe02ceed2165e9b6ecef8519124c23c8d2eae5a5d301d7d5b4013c88d443b89ad108757ba583391355b
Score10/10-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
Clears Windows event logs
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-