Analysis
-
max time kernel
12s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20221125-en -
resource tags
arch:amd64arch:i386image:ubuntu1804-amd64-20221125-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system -
submitted
14-05-2023 10:00
Static task
static1
Behavioral task
behavioral1
Sample
6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
Resource
debian9-armhf-20221111-en
debian-9-armhf
0 signatures
150 seconds
Behavioral task
behavioral2
Sample
6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
Resource
debian9-mipsbe-20221111-en
debian-9-mips
0 signatures
150 seconds
Behavioral task
behavioral3
Sample
6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
Resource
debian9-mipsel-en-20211208
debian-9-mipsel
0 signatures
150 seconds
Behavioral task
behavioral4
Sample
6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
Resource
ubuntu1804-amd64-20221125-en
ubuntu-18.04-amd64
5 signatures
150 seconds
General
-
Target
6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf
-
Size
2.2MB
-
MD5
c41d9625ccd175647ffa10484ab2556d
-
SHA1
77d7614156607b68265b122fb35a1d408625cb96
-
SHA256
6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0
-
SHA512
7036bbdd7079b560abcfe3aac1b5951571c318708d48fea340e82185e351c3853091900b31ef0d790ca3309943318620e00f9567440693e89a259b56fc09c9b2
-
SSDEEP
49152:kOAAzrb/TYvO90dL3BmAFd4A64nsfJiTZxwuXf9nTCqw0Xfgg778laMex5D1:k1Dw+b3+
Score
10/10
Malware Config
Extracted
Path
/4oEi_HOW_TO_DECRYPT.txt
Family
hive
Ransom Note
Your network has been breached and all data were encrypted.
Personal data, financial reports and important documents are ready to disclose.
To decrypt all the data and to prevent exfiltrated files to be disclosed at
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
you will need to purchase our decryption software.
Please contact our sales department at:
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Login: xUvZHAXDfpoW
Password: xvsX47VFucuDKUw4i77C
To get an access to .onion websites download and install Tor Browser at:
https://www.torproject.org/ (Tor Browser is not related to us)
Follow the guidelines below to avoid losing your data:
- Do not modify, rename or delete *.key.21k5p files. Your data will be
undecryptable.
- Do not modify or rename encrypted files. You will lose them.
- Do not report to the Police, FBI, etc. They don't care about your business.
They simply won't allow you to pay. As a result you will lose everything.
- Do not hire a recovery company. They can't decrypt without the key.
They also don't care about your business. They believe that they are
good negotiators, but it is not. They usually fail. So speak for yourself.
- Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Deletes itself 1 IoCs
pid Process 608 6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf -
Reads CPU attributes 1 TTPs 22 IoCs
description ioc File opened for reading /sys/devices/system/cpu/cpu0/hotplug File opened for reading /sys/devices/system/cpu/cpu0/topology File opened for reading /sys/devices/system/cpu/cpu0/cache/index0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/power File opened for reading /sys/devices/system/cpu/cpu0/cache/index3 File opened for reading /sys/devices/system/cpu/cpu0/cache/power File opened for reading /sys/devices/system/cpu/cpu0/power File opened for reading /sys/devices/system/cpu/cpufreq File opened for reading /sys/devices/system/cpu/vulnerabilities File opened for reading /sys/devices/system/cpu/cpu0 File opened for reading /sys/devices/system/cpu/cpu0/cache File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/power File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/power File opened for reading /sys/devices/system/cpu/cpuidle File opened for reading /sys/devices/system/cpu/power File opened for reading /sys/devices/system/cpu/cpu0/microcode File opened for reading /sys/devices/system/cpu/hotplug File opened for reading /sys/devices/system/cpu/microcode File opened for reading /sys/devices/system/cpu/smt File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/power File opened for reading /sys/devices/system/cpu/cpu0/cache/index1 File opened for reading /sys/devices/system/cpu/cpu0/cache/index2 -
Enumerates kernel/hardware configuration 1 TTPs 64 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description ioc Process File opened for reading /sys/devices/pci0000:00/0000:00:04.0/ata6/ata_port/ata6/power Process not Found File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_exit_sysctl Process not Found File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_enter_fchownat Process not Found File opened for reading /sys/dev/char Process not Found File opened for reading /sys/devices/pci0000:00/0000:00:04.0/ata3/ata_port/ata3 Process not Found File opened for reading /sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits Process not Found File opened for reading /sys/devices/virtual/tty/tty9 Process not Found File opened for reading /sys/kernel/debug/tracing/events/irq_matrix/irq_matrix_remove_managed Process not Found File opened for reading /sys/kernel/debug/tracing/events/regmap/regmap_cache_only Process not Found File opened for reading /sys/devices/virtual/tty/tty53 Process not Found File opened for reading /sys/kernel/debug/tracing/events/fib6 Process not Found File opened for reading /sys/fs/cgroup/unified/user.slice/user-0.slice/session-1.scope Process not Found File opened for reading /sys/kernel/debug/tracing/events/writeback/writeback_dirty_inode Process not Found File opened for reading /sys/kernel/slab/:d-0000008 Process not Found File opened for reading /sys/module/xen_acpi_processor Process not Found File opened for reading /sys/devices/pci0000:00/0000:00:01.3/i2c-0/i2c-dev/i2c-0 Process not Found File opened for reading /sys/kernel/debug/regulator Process not Found File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_enter_select Process not Found File opened for reading /sys/kernel/mm Process not Found File opened for reading /sys/kernel/debug/tracing/events/fs_dax/dax_pmd_load_hole Process not Found File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_enter_rt_sigaction Process not Found File opened for reading /sys/bus/serial/drivers Process not Found File opened for reading /sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4/js0/power Process not Found File opened for reading /sys/devices/virtual/tty/console Process not Found File opened for reading /sys/kernel/debug/tracing/events/drm/drm_vblank_event_delivered Process not Found File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_exit_mkdirat Process not Found File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size 6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0.elf File opened for reading /sys/devices/pci0000:00/pci_bus/0000:00 Process not Found File opened for reading /sys/kernel/debug/tracing/events/alarmtimer Process not Found File opened for reading /sys/kernel/debug/tracing/events/migrate/mm_numa_migrate_ratelimit Process not Found File opened for reading /sys/devices/pci0000:00/0000:00:04.0/ata3/link3/dev3.0 Process not Found File opened for reading /sys/kernel/debug/tracing/events/fs_dax/dax_pmd_load_hole_fallback Process not Found File opened for reading /sys/kernel/irq/13 Process not Found File opened for reading /sys/devices/platform/serial8250/tty/ttyS11 Process not Found File opened for reading /sys/devices/platform/serial8250/tty/ttyS13/power Process not Found File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_enter_copy_file_range Process not Found File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_enter_timerfd_gettime Process not Found File opened for reading /sys/kernel/debug/block/loop5/hctx0 Process not Found File opened for reading /sys/kernel/debug/pinctrl Process not Found File opened for reading /sys/kernel/debug/tracing/events/regmap/regmap_hw_read_start Process not Found File opened for reading /sys/devices/pci0000:00/0000:00:04.0/ata6/link6/dev6.0/ata_device Process not Found File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_enter_swapon Process not Found File opened for reading /sys/devices/pnp0 Process not Found File opened for reading /sys/devices/virtual/misc/network_latency/power Process not Found File opened for reading /sys/kernel/debug/tracing/events/xhci-hcd/xhci_handle_command Process not Found File opened for reading /sys/class/scsi_host Process not Found File opened for reading /sys/devices/pci0000:00/0000:00:04.0/ata7/host6/power Process not Found File opened for reading /sys/kernel/debug/block/loop2/hctx0/cpu0 Process not Found File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_enter_ioctl Process not Found File opened for reading /sys/kernel/debug/tracing/events/ftrace/bprint Process not Found File opened for reading /sys/module/sysrq Process not Found File opened for reading /sys/kernel/debug/tracing/events/gpio/gpio_value Process not Found File opened for reading /sys/kernel/debug/tracing/events/irq_vectors/spurious_apic_exit Process not Found File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_enter_getxattr Process not Found File opened for reading /sys/devices/software Process not Found File opened for reading /sys/devices/system/memory/memory6/power Process not Found File opened for reading /sys/devices/virtual/misc Process not Found File opened for reading /sys/kernel/debug/tracing/events/cpuhp/cpuhp_multi_enter Process not Found File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_exit_tgkill Process not Found File opened for reading /sys/kernel/debug/tracing/events/xen/xen_mc_batch Process not Found File opened for reading /sys/bus/pci_express/drivers/pciehp Process not Found File opened for reading /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:03/power Process not Found File opened for reading /sys/kernel/debug/tracing/events/fib/fib_table_lookup_nh Process not Found File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_enter_semop Process not Found -
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
description ioc File opened for reading /proc/172/task/172/attr/selinux File opened for reading /proc/24/attr/apparmor File opened for reading /proc/164/task/164/net File opened for reading /proc/21/task/21/fd File opened for reading /proc/605/map_files File opened for reading /proc/8/task/8/attr/apparmor File opened for reading /proc/159/task/159/attr/smack File opened for reading /proc/171/task/171/net/stat File opened for reading /proc/36/task/36/net/netfilter File opened for reading /proc/4/ns File opened for reading /proc/32/ns File opened for reading /proc/447/task/447/fdinfo File opened for reading /proc/28/fdinfo File opened for reading /proc/81/task/81/attr File opened for reading /proc/83 File opened for reading /proc/11/task/11/net/netfilter File opened for reading /proc/162/map_files File opened for reading /proc/2/attr/selinux File opened for reading /proc/23/net File opened for reading /proc/83/attr File opened for reading /proc/157/ns File opened for reading /proc/163/attr/smack File opened for reading /proc/25/ns File opened for reading /proc/34/task/34/attr/apparmor File opened for reading /proc/80/net File opened for reading /proc/11/attr File opened for reading /proc/155/attr/smack File opened for reading /proc/24 File opened for reading /proc/627/net File opened for reading /proc/169/fdinfo File opened for reading /proc/171/task/171/attr/apparmor File opened for reading /proc/22/attr/smack File opened for reading /proc/447/task/447/net/dev_snmp6 File opened for reading /proc/608/task/610/ns File opened for reading /proc/627/task/630/attr File opened for reading /proc/627/task/630/fd File opened for reading /proc/627/task/632/ns File opened for reading /proc/155/attr/apparmor File opened for reading /proc/160/task File opened for reading /proc/23/attr/apparmor File opened for reading /proc/343/task/343/net/stat File opened for reading /proc/80/attr File opened for reading /proc/157/task/157/net/dev_snmp6 File opened for reading /proc/168/task File opened for reading /proc/21/net File opened for reading /proc/431/task/431 File opened for reading /proc/12/task/12/net/netfilter File opened for reading /proc/618/task/622 File opened for reading /proc/12/ns File opened for reading /proc/168/task/168/attr/selinux File opened for reading /proc/627/net/dev_snmp6 File opened for reading /proc/429/task/429/fd File opened for reading /proc/27/task/27/attr/selinux File opened for reading /proc/628/task/628/fdinfo File opened for reading /proc/89/attr/selinux File opened for reading /proc/22/task/22/attr File opened for reading /proc/115/task/115/net/netfilter File opened for reading /proc/169/ns File opened for reading /proc/18/task/18/net/stat File opened for reading /proc/22/ns File opened for reading /proc/367/task/367/net/netfilter File opened for reading /proc/425/task/425/net/netfilter File opened for reading /proc/604/net/dev_snmp6 File opened for reading /proc/627/task/629/net/stat
Processes
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59932bbfea02ad4bb0c43b36fddd98a7a
SHA11faee3c9dbb5f005769c8123387b45cf545cac89
SHA25613f91b1c2c02259660f4d83dd7383b5bbc4f04be98331fbbcf92f1e56f8557a4
SHA512cad236319f2bc80d4223aca681e1adc446ae72dd46530e00aa9887c331b94ac95c9b23c55c3d98c4615cb05da689d68006d75c3f0d213c6f9303ee04f2d4f7ab
-
Filesize
1.1MB
MD539eae1e7fe822b770e8ae8de3024b8c4
SHA1c333486862b0276b271958e162b9f292cdcfefce
SHA2566b08760cfbccee3dfcd5f81031d98344fbf1f27fdd786331bab95dbdfb62fa97
SHA5121c62bc39596baacd4923519e14be2d523ddca2b335897f83f3e90ba1241337395353a00767885c93516296adf800928a32b842f00b16836d8b557a45afc78ed3