General
-
Target
Ransomware.Hive.zip
-
Size
6.6MB
-
Sample
221223-y39gvahb28
-
MD5
33dc6cf9108fa7a395d632c29021791c
-
SHA1
61ccffbfb8f2458be139aa1d3c9dd715f25cd06d
-
SHA256
af9e8f301a3677b457345921d7ee765a842eceb7df107714eaffc6193bfc6bbe
-
SHA512
5b7206cd076e313f15a13c4f6278ea80c109577530bc43614efc631aeb8b53f8b0abba1135298ba6b6b7fa2f19321ab673b257d3b4c0cbc95bd4c50c8040466d
-
SSDEEP
196608:xUPLIETGA/+0vcL5o/Vu0vlQ77Z0SOJM7j:xmJ6ANa6/Vu0q3+SOw
Malware Config
Extracted
C:\Program Files\7-Zip\n8pw_HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Extracted
C:\HOW_TO_DECRYPT.txt
hive
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
Extracted
C:\Program Files\7-Zip\EGdu_HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Extracted
C:\K8zJ_HOW_TO_DECRYPT.txt
hive
Targets
-
-
Target
211xahcou.dll
-
Size
3.9MB
-
MD5
0e4d44dde522c07d09d9e3086cfae803
-
SHA1
d8dc26e2094869a0da78ecb47494c931419302dc
-
SHA256
33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
-
SHA512
ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06
-
SSDEEP
49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA2:e2ANB04yIa0hsirubO
Score10/10-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
Clears Windows event logs
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
-
-
Target
hive.bin_exe
-
Size
764KB
-
MD5
2f9fc82898d718f2abe99c4a6fa79e69
-
SHA1
9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
-
SHA256
88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
-
SHA512
19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b
-
SSDEEP
12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH
Score10/10-
Detects Go variant of Hive Ransomware
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Drops file in Drivers directory
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
-
-
Target
sjl8j6ap3.dll
-
Size
661KB
-
MD5
7692a5dca7c3c48095aa6db0db640d4a
-
SHA1
268faa86ae921da264264f392b541a9facc3bdf5
-
SHA256
b6b1ea26464c92c3d25956815c301caf6fa0da9723a2ef847e2bb9cd11563d8b
-
SHA512
2e8c4c0ed23dffc2494e39654f0cec03e4ad6bd4c04a80342afa7ad412d1a3dbcbf4a4cab7841354ca6bc2932252eaacfaf7f0abe3f9380e30eed14a610cc882
-
SSDEEP
12288:BLF6OtM1z8JLbA689tSfvTvFSYIzp4yzhrWbttQfaa4Gxjzgdlo/AhwN/eh9z/ET:BLF6gb0xqx9z/EO3BxhR
Score1/10 -
-
-
Target
windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5
-
Size
884KB
-
MD5
da13022097518d123a91a3958be326da
-
SHA1
24a71ab462594d5a159bbf176588af951aba1381
-
SHA256
25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5
-
SHA512
a82aa97a92cd21ee2d4b556448fd3293396eb7c01d3626ebdb6c3816277783578686830c430014b6b2fc3280bc1301df27da079937f88834c2d35641eb5fc26f
-
SSDEEP
12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgVt:dod1HDmlDdkZ4YXPpaTTXMw
Score10/10-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
Clears Windows event logs
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
-
-
Target
zi1ysv64h.dll
-
Size
3.3MB
-
MD5
5384c6825a5707241c11d78529dbbfee
-
SHA1
85f5587e8ad534c2e5de0e72450b61ebda93e4fd
-
SHA256
3858e95bcf18c692f8321e3f8380c39684edb90bb622f37911144950602cea21
-
SHA512
856861295efb9c1b0000b369297cf6905a277c2d7dd0bc238f3884cd22598055450bf0459d68441f135bb77150685a86707ea9320a37e10548b40185f09b961f
-
SSDEEP
49152:HJ9mQ5uetkErb/TKvO90dL3BmAFd4A64nsfJ+9NRUMZXuPH9fc0KHPKG/g+eNgiz:HJ9jkl9NbBo9fc0KHYno
Score10/10-
Deletes Windows Defender Definitions
Uses mpcmdrun utility to delete all AV definitions.
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
Clears Windows event logs
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-