Analysis
max time kernel
141s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags
arch:amd64 arch:i386 image:ubuntu1804-amd64-en-20211208 kernel:4.15.0-161-generic locale:en-us os:ubuntu-18.04-amd64 system
submitted
14-05-2023 22:34
Static task
static1
Behavioral task
behavioral1
Sample
6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
Resource
ubuntu1804-amd64-en-20211208
General
Target
6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
Size
2.2MB
MD5
c41d9625ccd175647ffa10484ab2556d
SHA1
77d7614156607b68265b122fb35a1d408625cb96
SHA256
6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0
SHA512
7036bbdd7079b560abcfe3aac1b5951571c318708d48fea340e82185e351c3853091900b31ef0d790ca3309943318620e00f9567440693e89a259b56fc09c9b2
SSDEEP
49152:kOAAzrb/TYvO90dL3BmAFd4A64nsfJiTZxwuXf9nTCqw0Xfgg778laMex5D1:k1Dw+b3+
Malware Config
Extracted
Path
/4oEi_HOW_TO_DECRYPT.txt
Family
hive
URLs
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
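The two .onion URLs above are the only network indicators the report extracts, and they come from the ransom note rather than from observed traffic. Before such addresses go into a blocklist or a threat-intel feed it is worth checking that they are well-formed Tor v3 addresses (56 base32 characters carrying an Ed25519 public key, a two-byte SHA3-256 checksum and the version byte 3, per the Tor rend-spec-v3 encoding), which catches transcription damage in copied notes. The following is an added example, not code from the report or from the Triage platform: the note body is constructed (the report shows only the note's path), and only the two URLs in it are taken from the extracted config.

```python
"""Added example: pull .onion URLs out of a ransom-note body and validate each as
a Tor v3 onion address (pubkey | checksum | version, base32-encoded).
Constructed input; only the two URLs come from the sandbox report."""
import base64
import hashlib
import re

# Constructed stand-in for the ransom note body. The report only records the
# note's path (/4oEi_HOW_TO_DECRYPT.txt) and the URLs extracted from it.
RANSOM_NOTE = """Leak site:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
Contact:
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
(the leak site again, as seen in many notes)
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
"""

# v3 onion label: exactly 56 chars of the base32 alphabet, then ".onion",
# optionally followed by a path/query fragment.
ONION_URL = re.compile(r"https?://([a-z2-7]{56})\.onion(?:[/?#][^\s\"'<>]*)?", re.IGNORECASE)


def onion_v3_checksum_ok(addr):
    """True if the 56-char label decodes to 35 bytes pubkey(32)|checksum(2)|version(1)
    with version == 3 and checksum == SHA3-256(".onion checksum" | pubkey | version)[:2]."""
    try:
        raw = base64.b32decode(addr.upper())  # 56 chars * 5 bits = 280 bits = 35 bytes
    except (ValueError, TypeError):
        return False
    if len(raw) != 35 or raw[34] != 3:
        return False
    pubkey, checksum = raw[:32], raw[32:34]
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()
    return digest[:2] == checksum


def extract_onion_indicators(text):
    """Return de-duplicated (url, address, checksum_ok) triples in order of first appearance."""
    seen, out = set(), []
    for m in ONION_URL.finditer(text):
        addr = m.group(1).lower()
        if addr in seen:
            continue
        seen.add(addr)
        out.append((m.group(0), addr, onion_v3_checksum_ok(addr)))
    return out


if __name__ == "__main__":
    for url, addr, ok in extract_onion_indicators(RANSOM_NOTE):
        print(f"{'valid  ' if ok else 'INVALID'}  {url}")
```

A failed checksum on an address copied from a note usually means a mangled character rather than a fake address; keep the raw string as evidence but do not block on it until it is re-extracted from the sample.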
Signatures
Hive
A ransomware written in Golang first seen in June 2021.
Deletes itself  1 IoCs
pid  Process
588  Process not Found
Reads CPU attributes  1 TTPs  22 IoCs
All 22 entries have description "File opened for reading".
ioc
/sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/cpuidle
/sys/devices/system/cpu/hotplug
/sys/devices/system/cpu/microcode
/sys/devices/system/cpu/smt
/sys/devices/system/cpu/cpufreq
/sys/devices/system/cpu/cpu0/cache
/sys/devices/system/cpu/cpu0/cache/index3
/sys/devices/system/cpu/cpu0/hotplug
/sys/devices/system/cpu/cpu0/topology
/sys/devices/system/cpu/cpu0
/sys/devices/system/cpu/cpu0/cache/index1/power
/sys/devices/system/cpu/cpu0/cache/index2/power
/sys/devices/system/cpu/cpu0/microcode
/sys/devices/system/cpu/cpu0/cache/index3/power
/sys/devices/system/cpu/cpu0/cache/power
/sys/devices/system/cpu/cpu0/power
/sys/devices/system/cpu/power
/sys/devices/system/cpu/cpu0/cache/index0
/sys/devices/system/cpu/cpu0/cache/index0/power
/sys/devices/system/cpu/cpu0/cache/index1
/sys/devices/system/cpu/cpu0/cache/index2
Enumerates kernel/hardware configuration  1 TTPs  64 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
All 64 entries have description "File opened for reading". "Process not Found" marks events the sandbox could not attribute to a tracked process.
ioc  Process
/sys/devices/platform/serial8250/tty/ttyS8  Process not Found
/sys/fs/cgroup/systemd/user.slice/user-0.slice/session-1.scope  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/jbd2/jbd2_handle_stats  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/syscalls/sys_enter_msgget  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/bus/platform/drivers/sram  Process not Found
/sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-Virtual-1  Process not Found
/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4/js0/power  Process not Found
/sys/kernel/debug/tracing/events/clk/clk_set_phase_complete  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/syscalls/sys_enter_bpf  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/syscalls/sys_enter_tee  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/devices/virtual/vc/vcsa/power  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/syscalls/sys_enter_eventfd  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/module/cryptd/holders  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/module/sch_fq_codel/sections  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/syscalls/sys_exit_adjtimex  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/syscalls/sys_enter_semget  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/writeback/writeback_write_inode  Process not Found
/sys/module/pata_acpi/notes  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/bus/gpio/drivers  Process not Found
/sys/bus/platform/drivers/charger-manager  Process not Found
/sys/devices/pci0000:00/0000:00:04.0/ata4/ata_port  Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_exit_rt_sigaction  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/module/sysfillrect/sections  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/hidraw  Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_exit_lchown  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/syscalls/sys_exit_mq_getsetattr  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/module/joydev  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/usb1-port3  Process not Found
/sys/module/drm/notes  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/module/spurious/parameters  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/devices/platform/serial8250/tty/ttyS21  Process not Found
/sys/kernel/debug/tracing/events/cgroup  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/filemap/filemap_set_wb_err  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/syscalls/sys_exit_splice  Process not Found
/sys/kernel/slab/tw_sock_TCPv6/cgroup  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/devices/virtual/misc/snapshot  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/syscalls/sys_enter_mq_unlink  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/slab/:d-0000128  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/devices/pci0000:00/0000:00:04.0/ata7/ata_port/ata7/power  Process not Found
/sys/devices/pci0000:00/0000:00:06.0/virtio0/block/vda/slaves  Process not Found
/sys/devices/platform/serial8250/tty/ttyS22  Process not Found
/sys/devices/virtual/tty/tty34  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/kmem/kmem_cache_alloc  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/syscalls/sys_enter_poll  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/class/dmi  Process not Found
/sys/devices/pci0000:00/0000:00:06.0/virtio0/block/vda/holders  Process not Found
/sys/devices/pnp0/00:04  Process not Found
/sys/devices/tracepoint/power  Process not Found
/sys/kernel/slab/:0000448  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/devices/uncore_cbox/format  Process not Found
/sys/devices/virtual/block/loop6/slaves  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/syscalls/sys_enter_utime  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/syscalls/sys_enter_writev  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/devices/virtual/tty/tty28/power  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/firmware/acpi  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/syscalls/sys_enter_fadvise64  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/debug/tracing/events/ext4/ext4_mballoc_prealloc  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/module/binfmt_misc/sections  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/module/i2c_piix4/sections  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/module/kgdboc/parameters  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/devices/virtual/misc/memory_bandwidth/power  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/devices/virtual/tty/ttyprintk  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/cgroup  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/sys/kernel/slab/:a-0000016/cgroup  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
Reads runtime system information  64 IoCs
Reads data from /proc virtual filesystem.
All 64 entries have description "File opened for reading". "Process not Found" marks events the sandbox could not attribute to a tracked process.
ioc  Process
/proc/24/task/24/ns  Process not Found
/proc/32/task/32/fd  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/proc/582/net/netfilter  Process not Found
/proc/599/task/599/attr/apparmor  Process not Found
/proc/169  Process not Found
/proc/29/task/29/net/stat  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/proc/85/task  Process not Found
/proc/169/task/169/fd  Process not Found
/proc/17/net/dev_snmp6  Process not Found
/proc/20/task/20/ns  Process not Found
/proc/31/net  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/proc/193/map_files  Process not Found
/proc/26/net/dev_snmp6  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/proc/453/attr/selinux  Process not Found
/proc/7/task/7/fdinfo  Process not Found
/proc/85/net/dev_snmp6  Process not Found
/proc/sys/net/ipv6/neigh  Process not Found
/proc/581/net  Process not Found
/proc/583/task/583  Process not Found
/proc/80/net/netfilter  Process not Found
/proc/25  Process not Found
/proc/26/attr/smack  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/proc/364/attr  Process not Found
/proc/582/task/582/net/netfilter  Process not Found
/proc/585  Process not Found
/proc/589/task/591/attr/selinux  Process not Found
/proc/11/task/11/attr/smack  Process not Found
/proc/157/ns  Process not Found
/proc/192/task/192/ns  Process not Found
/proc/160/task/160/attr  Process not Found
/proc/170/task/170/fdinfo  Process not Found
/proc/20/net/dev_snmp6  Process not Found
/proc/80/ns  Process not Found
/proc/166/task/166/ns  Process not Found
/proc/169/attr/smack  Process not Found
/proc/17/task/17/attr/smack  Process not Found
/proc/26/attr  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/proc/423/task/423/attr  Process not Found
/proc/589/task/590/fdinfo  Process not Found
/proc/79/task/79/fd  Process not Found
/proc/8/task/8/net/stat  Process not Found
/proc/115/fdinfo  Process not Found
/proc/13/attr/apparmor  Process not Found
/proc/167/task/167/attr  Process not Found
/proc/361/attr/apparmor  Process not Found
/proc/417/net/dev_snmp6  Process not Found
/proc/593  Process not Found
/proc/32/attr/apparmor  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/proc/593/task  Process not Found
/proc/604/attr  Process not Found
/proc/80/net/dev_snmp6  Process not Found
/proc/sys/fs/binfmt_misc  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/proc/155/task/155/attr/selinux  Process not Found
/proc/157/task/157/net/dev_snmp6  Process not Found
/proc/168/task/168/attr/apparmor  Process not Found
/proc/361/map_files  Process not Found
/proc/425/map_files  Process not Found
/proc/154/task/154/attr/selinux  Process not Found
/proc/163/task/163/ns  Process not Found
/proc/221/map_files  Process not Found
/proc/26/fd  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/proc/26/task/26/ns  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/proc/31/map_files  6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
/proc/600/net/netfilter  Process not Found
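The two /sys and /proc signatures above are both triggered by the same behaviour: the sample opens directories under unrelated subtrees (serial ttys, USB HID power nodes, slab caches, tracepoint event directories, other processes' attr/ and ns/ entries) with no obvious selection, which is the footprint of a walk over the whole filesystem rather than a targeted lookup of, say, /sys/class/dmi or /proc/cpuinfo. The breadth, not any single path, is what distinguishes it, so a detection keyed on individual paths here would be noisy. The following is an added example, not part of the report: it takes file-open records in the (description, path, process) shape of the IoC tables above (a constructed subset of the report's entries is embedded), counts distinct /sys subtrees and distinct foreign PIDs touched per process, and flags processes whose breadth crosses thresholds that are assumptions to tune per environment. Events attributed to "Process not Found" are kept separate and never flagged, since the sandbox could not tie them to a PID.

```python
"""Added example: breadth heuristic over sandbox file-open events to separate an
unfiltered /proc + /sys walk from targeted system lookups. Input records are a
constructed subset of the IoC entries in the Triage report above."""
import re
from collections import defaultdict

SAMPLE = "6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf"
UNATTRIBUTED = "Process not Found"

# Constructed subset of the report's records: (description, ioc, process).
EVENTS = [
    ("File opened for reading", "/sys/fs/cgroup/systemd/user.slice/user-0.slice/session-1.scope", SAMPLE),
    ("File opened for reading", "/sys/kernel/debug/tracing/events/jbd2/jbd2_handle_stats", SAMPLE),
    ("File opened for reading", "/sys/kernel/debug/tracing/events/syscalls/sys_enter_bpf", SAMPLE),
    ("File opened for reading", "/sys/module/cryptd/holders", SAMPLE),
    ("File opened for reading", "/sys/devices/virtual/vc/vcsa/power", SAMPLE),
    ("File opened for reading", "/sys/firmware/acpi", SAMPLE),
    ("File opened for reading", "/sys/kernel/slab/:d-0000128", SAMPLE),
    ("File opened for reading", "/sys/class/dmi", UNATTRIBUTED),
    ("File opened for reading", "/sys/devices/platform/serial8250/tty/ttyS8", UNATTRIBUTED),
    ("File opened for reading", "/proc/32/task/32/fd", SAMPLE),
    ("File opened for reading", "/proc/29/task/29/net/stat", SAMPLE),
    ("File opened for reading", "/proc/31/net", SAMPLE),
    ("File opened for reading", "/proc/26/attr/smack", SAMPLE),
    ("File opened for reading", "/proc/sys/fs/binfmt_misc", SAMPLE),
    ("File opened for reading", "/proc/582/net/netfilter", UNATTRIBUTED),
    ("File opened for reading", "/proc/599/task/599/attr/apparmor", UNATTRIBUTED),
]

_PROC_PID = re.compile(r"^/proc/(\d+)(?:/|$)")


def classify(path):
    """Coarse bucket for a path: ('proc_pid', pid) for /proc/<pid>/..., ('proc_other', top)
    for the rest of /proc, ('sys', 'a/b') keyed on the first two /sys components."""
    m = _PROC_PID.match(path)
    if m:
        return ("proc_pid", m.group(1))
    parts = [p for p in path.split("/") if p]
    if parts and parts[0] == "proc":
        return ("proc_other", parts[1] if len(parts) > 1 else "")
    if parts and parts[0] == "sys":
        return ("sys", "/".join(parts[1:3]))
    return ("other", parts[0] if parts else "")


def summarize(events):
    """Per process: event count, distinct /sys subtrees, distinct PIDs whose /proc
    entries were read. Unattributed events land under their own key."""
    out = defaultdict(lambda: {"events": 0, "sys_subtrees": set(), "proc_pids": set()})
    for _desc, path, proc in events:
        kind, key = classify(path)
        entry = out[proc]
        entry["events"] += 1
        if kind == "sys":
            entry["sys_subtrees"].add(key)
        elif kind == "proc_pid":
            entry["proc_pids"].add(key)
    return dict(out)


def flag_fs_walk(events, min_sys_subtrees=4, min_proc_pids=3):
    """Processes that read across >= min_sys_subtrees distinct /sys subtrees AND
    >= min_proc_pids foreign PIDs. Thresholds are assumptions; a legitimate
    hardware-inventory tool usually stays inside one or two /sys subtrees."""
    flagged = []
    for proc, s in summarize(events).items():
        if proc == UNATTRIBUTED:
            continue  # cannot be tied to a PID; report separately, never flag
        if len(s["sys_subtrees"]) >= min_sys_subtrees and len(s["proc_pids"]) >= min_proc_pids:
            flagged.append(proc)
    return flagged


if __name__ == "__main__":
    for proc, s in summarize(EVENTS).items():
        print(f"{proc[:20]:20} events={s['events']:3} sys_subtrees={len(s['sys_subtrees'])} "
              f"proc_pids={len(s['proc_pids'])}")
    print("flagged:", flag_fs_walk(EVENTS))
```

On a live host the same heuristic can be fed from auditd or eBPF open() events keyed by PID; the thresholds then need a time window, since a long-running agent will eventually touch many subtrees legitimately.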
Processes
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize
1KB
MD5
9932bbfea02ad4bb0c43b36fddd98a7a
SHA1
1faee3c9dbb5f005769c8123387b45cf545cac89
SHA256
13f91b1c2c02259660f4d83dd7383b5bbc4f04be98331fbbcf92f1e56f8557a4
SHA512
cad236319f2bc80d4223aca681e1adc446ae72dd46530e00aa9887c331b94ac95c9b23c55c3d98c4615cb05da689d68006d75c3f0d213c6f9303ee04f2d4f7ab
Filesize
1.1MB
MD5
66d33fe7f903b7d1a73b1a27c89f3126
SHA1
56afa45352e672b2602df6c3a2cdeaa6e3686bd4
SHA256
3d6ba55fb2543da980044949912d99de8df47f91ccb7dcfeeb91aba996460418
SHA512
41d613e49d9eea8d6bc34e2c6f442c48c6df222d8e804b5b9a57221b1b9ec2490facbcc651a5da5987a787700af21aae303b750fc1d480c25a28814c7ccea2b4