Malware sandboxing report by Hatching Triage

Sharing

Copy URL

Twitter E-mail

General

Target

a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154
Size

62KB
Sample

220607-w4sjlscddq
MD5

131a20e9f579bc9f7dd9832b4c5f25bd
SHA1

83979db718962e3a0b45e5f70320fe5b4f009b7c
SHA256

a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154
SHA512

92e83892f635efb13d6f268ccab884b2079451a82a1e53a8482c632e126b14d3453c5ab17463d55b4cd2341d6b44034eb523867258932a9cd47deba435494f1c

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note

Atention! all your important files were encrypted! to get your files back send 1 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: torsec1@secmail.pro agarrard@protonmail.com Bitcoin wallet to make the transfer to is: 1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ JF2ae85uI+qcJGrh/PT5oWG8IAmo/+JAXYzpaqtvTaj2JEnTJ9yBQOSV6ApaKD/C9UlRWF7uGWeOUzyX5NYqdSLJr2ZKVlRBxZzRSIs1j7wqvHbVB6deFJspSspk6p6KjPkg5TOK9LofUgvPwPk6/PAF5Xvk8OtX1qbeopJLzoJ1v0OViMvPOS9V/TV6tshC1XNIwTYKCo6MmK8j+Gg+5mC4tkrOMXiCr1WT7WXKCzf4Lmi5mA2Tzgp0EpXG1tkFRn0S2Cgs3QBPQ5VlG1jZTccorKLk1xEB1ZjZ9/9jp3xBi4bEtbn3TJj5Ryscc4gPf039Oiuyxlph/LBDw1rmGA== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Emails

torsec1@secmail.pro

agarrard@protonmail.com

Targets

- Target
  
  a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154
- Size
  
  62KB
- MD5
  
  131a20e9f579bc9f7dd9832b4c5f25bd
- SHA1
  
  83979db718962e3a0b45e5f70320fe5b4f009b7c
- SHA256
  
  a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154
- SHA512
  
  92e83892f635efb13d6f268ccab884b2079451a82a1e53a8482c632e126b14d3453c5ab17463d55b4cd2341d6b44034eb523867258932a9cd47deba435494f1c
Score

10^/10

hakbit ransomware spyware stealer
- Hakbit
  Ransomware which encrypts files using AES, first seen in November 2019.
  ransomware hakbit
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

T1005

Command and Control

Credential Access

Credentials in Files

T1081

Defense Evasion

Web Service

T1102

File Deletion

T1107

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Execution

Exfiltration

Impact

Inhibit System Recovery

T1490

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Targets

Hakbit

Deletes shadow copies

Modifies extensions of user files

Deletes itself

Reads user/profile data of web browsers

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2