Overview

overview

10

Static

static

a8117abc27...54.exe

windows7_x64

10

a8117abc27...54.exe

windows10-2004_x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154

  • Size

    62KB

  • Sample

    220607-w4sjlscddq

  • MD5

    131a20e9f579bc9f7dd9832b4c5f25bd

  • SHA1

    83979db718962e3a0b45e5f70320fe5b4f009b7c

  • SHA256

    a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154

  • SHA512

    92e83892f635efb13d6f268ccab884b2079451a82a1e53a8482c632e126b14d3453c5ab17463d55b4cd2341d6b44034eb523867258932a9cd47deba435494f1c

Score
10/10
hakbitransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note
Atention! all your important files were encrypted! to get your files back send 1 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: torsec1@secmail.pro agarrard@protonmail.com Bitcoin wallet to make the transfer to is: 1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ JF2ae85uI+qcJGrh/PT5oWG8IAmo/+JAXYzpaqtvTaj2JEnTJ9yBQOSV6ApaKD/C9UlRWF7uGWeOUzyX5NYqdSLJr2ZKVlRBxZzRSIs1j7wqvHbVB6deFJspSspk6p6KjPkg5TOK9LofUgvPwPk6/PAF5Xvk8OtX1qbeopJLzoJ1v0OViMvPOS9V/TV6tshC1XNIwTYKCo6MmK8j+Gg+5mC4tkrOMXiCr1WT7WXKCzf4Lmi5mA2Tzgp0EpXG1tkFRn0S2Cgs3QBPQ5VlG1jZTccorKLk1xEB1ZjZ9/9jp3xBi4bEtbn3TJj5Ryscc4gPf039Oiuyxlph/LBDw1rmGA== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Emails

torsec1@secmail.pro

agarrard@protonmail.com

Targets

    • Target

      a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154

    • Size

      62KB

    • MD5

      131a20e9f579bc9f7dd9832b4c5f25bd

    • SHA1

      83979db718962e3a0b45e5f70320fe5b4f009b7c

    • SHA256

      a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154

    • SHA512

      92e83892f635efb13d6f268ccab884b2079451a82a1e53a8482c632e126b14d3453c5ab17463d55b4cd2341d6b44034eb523867258932a9cd47deba435494f1c

    Score
    10/10
    hakbitransomwarespywarestealer

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

      ransomwarehakbit

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

2
T1490

Tasks