Resubmissions

11-09-2022 15:45

220911-s66x8sffap 10

21-10-2020 17:56

201021-l4bghzn2b2 10

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • Size

    80KB

  • Sample

    220911-s66x8sffap

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note To recover your data contact the email below potentialenergy@mail.ru Key Identifier: L/iGu+Gzagql0oXRpLjEgpa93pEkry4vdk4yw3jar9ETeoLjB05OZudA6BfYQjnWxepziQcSfMRK9MwiaJBg3U5mwJyeyotZkXVucRKAG6ALx80OC64x0x6D6RK/52dvKDkuhNHxueCEpEWVdPNqs6dviqo44+Oy4QMWUqzvIxU3qC4xGJyZRFX5kaazOiIklbS6bg4mkQDPJJ8w+BizNBJ93ndttaoxwdwVAcH2Hx6aOBJN0xtFuhtHcPY2eNDiCCX9o7yP6/BtBaySfCh1Zk69JKOg9M1y/9IHAkgZq+6xK3mbgt4QneLnjkuZJXJUYvbvAP3VEgLkImrTgYu+uC7Q3aQ1u6B9bV8N0t/QPYotI9nsoEbRfDl7KiqENW4wwOGj/lwb8gwrdOfQZNkpIO4vZNJmQFuYQc+q5eS4xahvpF2oSbbVCG1MzXKjtCwkCAjB+2pt2R0VCTg7Swo1rbWTkA8gCvAkFlmEL5/ChpQtFljVkjq3TkrqJXtJRipF/Vp7aFvCByqp6LjFLnpAiPhHhPxi0mZxKJ3Nc3fY9+exyHSL6AteqaaidRUe2X1/bnVZGm5AKpYVmyoToQmY/7VkbyWekR4ZFSeU9+mpSJfgnOe5prwhH/DoShzXlloBhEkeKiDBpRXWCR54EgjKBdV7jqq3IogOZ3SREveFtcs= Number of files that were processed is: 457
Emails

potentialenergy@mail.ru

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note To recover your data contact the email below potentialenergy@mail.ru Key Identifier: u6KAYt9nGmuQMCdrum0OHkc8oFALeXODCc0M+SIGWl0RHWRFNFRObERzzs1bC8yGSehrTs/r+3t1oPBCD5nFVaX2jlHdM7uJZ+9QpfbRptA6Exgb2oRueQSL1wuXOgeAk3Vx1HeuBWlAhY/l7h9KeF1ZOa6DFctO2ilM8v7chdQfYN2PVgCPt6BXDU3gGvU3txBQjkhKHTB8/dvbSDGr+Us2ryE8nHIg71ykXZWT2SEHaA61+vpxeG9WJMXwJ1fQfVZQViDajSO3CNCCgH45Goh6VyHz87O4oytDd1YRWFkIebcAzPoXDvbf1Dkr7584xDJ2tV4cH4lK8UCoL0+kjojyOudrYQUX4+9OzjrCaPUObVFP34snpWF0HWQkEI5geV/g17zhmiS8nrNXnEtCmvbUb5SRCdVCdyiD8oIV1XJhElGc89br43JQvD+euWfBX1RtOMw2A/uRIbHGnzmGUv98xoCkQ/3zg3uNVpHAh4241VPXJGvQs1ktYa91mDPbTB7v/mV/4uA/YrHt0P16U1HjZQbSPEKSjxjnSORlmAoWHBhDH9nQ/QOXUosaoJkalsM4ueOurmE51x58dM8cIPVxrOAa/MKuSX3vnSfEv5US3/33W9qI/AdPEVvPpg8tvRzhDBvNYSBSy6NqvtRp12W+4HAcoezFl209ip/uGOI= Number of files that were processed is: 390
Emails

potentialenergy@mail.ru

Targets

    • Target

      69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

    • Size

      80KB

    • MD5

      8152a3d0d76f7e968597f4f834fdfa9d

    • SHA1

      c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

    • SHA256

      69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

    • SHA512

      eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

    • SSDEEP

      1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

    • Hakbit

      Ransomware which encrypts files using AES, first seen in November 2019.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Persistence

                Privilege Escalation

                  Tasks