Resubmissions

03-03-2024 13:05  240303-qbxpzabd88  10
24-05-2023 16:08  230524-tk9bxadc98  3
23-05-2023 16:48  230523-vbmbfsha9z  10
29-10-2021 20:23  211029-y55axaagcj  1

Analysis
max time kernel: 12s
platform: linux_amd64
resource: ubuntu1804-amd64-en-20211208
resource tags: arch:amd64 arch:i386 image:ubuntu1804-amd64-en-20211208 kernel:4.15.0-161-generic locale:en-us os:ubuntu-18.04-amd64 system
submitted: 23-05-2023 16:48
Static task: static1
Behavioral task: behavioral1
Sample: Filecoder.Hive_linux.bin
Resource: ubuntu1804-amd64-en-20211208
General

Target: Filecoder.Hive_linux.bin
Size: 2.2MB
MD5: c41d9625ccd175647ffa10484ab2556d
SHA1: 77d7614156607b68265b122fb35a1d408625cb96
SHA256: 6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0
SHA512: 7036bbdd7079b560abcfe3aac1b5951571c318708d48fea340e82185e351c3853091900b31ef0d790ca3309943318620e00f9567440693e89a259b56fc09c9b2
SSDEEP: 49152:kOAAzrb/TYvO90dL3BmAFd4A64nsfJiTZxwuXf9nTCqw0Xfgg778laMex5D1:k1Dw+b3+
Malware Config

Extracted from: /4oEi_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Hive
A ransomware written in Golang, first seen in June 2021.

Deletes itself (1 IoC)
pid 598, process Filecoder.Hive_linux.bin

Enumerates running processes
Discovers information about currently running processes on the system.

Reads CPU attributes (1 TTP, 22 IoCs)
Reads hardware information (1 TTP, 1 IoC)
Accesses system info such as serial numbers, manufacturer names, etc.
File opened for reading: /sys/devices/virtual/dmi/id/power
Reads network interface configuration (2 TTPs, 12 IoCs)
Fetches information about one or more active network interfaces.
Enumerates kernel/hardware configuration (1 TTP, 64 IoCs)
Reads contents of the /sys virtual filesystem to enumerate system information.
Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem.
Processes
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1KB
MD5: 9932bbfea02ad4bb0c43b36fddd98a7a
SHA1: 1faee3c9dbb5f005769c8123387b45cf545cac89
SHA256: 13f91b1c2c02259660f4d83dd7383b5bbc4f04be98331fbbcf92f1e56f8557a4
SHA512: cad236319f2bc80d4223aca681e1adc446ae72dd46530e00aa9887c331b94ac95c9b23c55c3d98c4615cb05da689d68006d75c3f0d213c6f9303ee04f2d4f7ab

Filesize: 1.1MB
MD5: a0294aa50b6d7d2fcfe9c71aa2a9b129
SHA1: 968e4c146ebf5f4fab168389d16b174547a2bdec
SHA256: d6f1f9ec67edafb91e71b1bc674c2a4a341ebf729a5eb1239308a22904b6ab1e
SHA512: e88bc0f1e74b2be78f45c0dc4d842ef7d728a848a3a277245687483c3daae25df67879f4454d97a1bb299f767dccb2fcdee7dd441d82112dbee1bfea79a12cac