General

  • Target

    a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154

  • Size

    62KB

  • Sample

    220607-w4sjlscddq

  • MD5

    131a20e9f579bc9f7dd9832b4c5f25bd

  • SHA1

    83979db718962e3a0b45e5f70320fe5b4f009b7c

  • SHA256

    a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154

  • SHA512

    92e83892f635efb13d6f268ccab884b2079451a82a1e53a8482c632e126b14d3453c5ab17463d55b4cd2341d6b44034eb523867258932a9cd47deba435494f1c

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt

Family

hakbit

Ransom Note Atention! all your important files were encrypted! to get your files back send 1 Bitcoins and contact us with proof of payment and your Unique Identifier Key. We will send you a decryption tool with your personal decryption password. Where can you buy Bitcoins: https://www.coinbase.com https://localbitcoins.com Contact: torsec1@secmail.pro agarrard@protonmail.com Bitcoin wallet to make the transfer to is: 1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR1F9i1vpfGfKXaUqhhgTmxe9Y2aS8stSGvR Unique Identifier Key (must be sent to us together with proof of payment): ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ JF2ae85uI+qcJGrh/PT5oWG8IAmo/+JAXYzpaqtvTaj2JEnTJ9yBQOSV6ApaKD/C9UlRWF7uGWeOUzyX5NYqdSLJr2ZKVlRBxZzRSIs1j7wqvHbVB6deFJspSspk6p6KjPkg5TOK9LofUgvPwPk6/PAF5Xvk8OtX1qbeopJLzoJ1v0OViMvPOS9V/TV6tshC1XNIwTYKCo6MmK8j+Gg+5mC4tkrOMXiCr1WT7WXKCzf4Lmi5mA2Tzgp0EpXG1tkFRn0S2Cgs3QBPQ5VlG1jZTccorKLk1xEB1ZjZ9/9jp3xBi4bEtbn3TJj5Ryscc4gPf039Oiuyxlph/LBDw1rmGA== ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Emails

torsec1@secmail.pro

agarrard@protonmail.com

Targets

    • Target

      a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154

    • Size

      62KB

    • MD5

      131a20e9f579bc9f7dd9832b4c5f25bd

    • SHA1

      83979db718962e3a0b45e5f70320fe5b4f009b7c

    • SHA256

      a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154

    • SHA512

      92e83892f635efb13d6f268ccab884b2079451a82a1e53a8482c632e126b14d3453c5ab17463d55b4cd2341d6b44034eb523867258932a9cd47deba435494f1c

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

    Execution

      Exfiltration

        Initial Access

          Lateral Movement

            Persistence

              Privilege Escalation

                Tasks