General
-
Target
585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5.7z
-
Size
943KB
-
Sample
220112-ye478adgd4
-
MD5
daf92795d534c38b98a4be33033f7e36
-
SHA1
98bf1ef78abf066eca4b590cc1e3dd1912cd2281
-
SHA256
143c286fd4b71174dc7f1764f7758e9b91614c4019686bfb6291c1b31009e4b5
-
SHA512
b0d93e5b35149bc8543679af4b81e5227ebed0c27230500252c20bed7ac73a271373c367ee542e9aafba6af8ca857eec1271a569381d6c8062a4d204a08f3589
Malware Config
Extracted
C:\Program Files\7-Zip\6yLH_HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Targets
-
-
Target
585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5
-
Size
3.3MB
-
MD5
257cd3ef7ac49a4b7942f7b61ca10b6c
-
SHA1
a0043163d33e25ba2a62c5061fd641c44807b492
-
SHA256
585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5
-
SHA512
bb9dded0fa261da418b3b0b14cfa72e4688f378bfe5814a0df45a01eb6d4b2ada6f56fb3151b75e6c8118dffd80e3e79c084befbcdfeeef851926e6faa4158db
Score10/10-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
Clears Windows event logs
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-