25ee66a96604150c02d36a623992e8d0218c9761ce743f34820e6c288f526678

General

Target

EagleEye.zip
Size

59.0MB
Sample

230616-ydc3cagd86
MD5

190e4771e0510fff806c6fcb1dbc3520
SHA1

dea8c8467fe3d309566344da7658166d5a4f1e25
SHA256

25ee66a96604150c02d36a623992e8d0218c9761ce743f34820e6c288f526678
SHA512

821456aaf56e76f22f0f32c902c4ef6444e524ec0091a6c419ec1a4fad2e55683afdbb50f6a05ceda83710542d83f21971a667122688cd483c341fda07ffb229
SSDEEP

1572864:VIm4DoPuD0DVkswVHoaXrKagQ+lUhWXCw9yazgpOt6WqZ:VInDoPuDKVkooGLQ+lxpAazdtKZ

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\README_HELLFIRE.txt

Ransom Note

I'm sorry, but your important files have been encrypted. ================================================================================== Q. What happened to my files? A. All of your important files have been encrypted by the Hellfire Ransomware! This means they are no longer accessible. Q. How can I get my files back? A. Unfortunately, the encryption process failed unexpectedly. Please re-run the ransomware file with administrative rights, and make sure your antivirus is turned off. This is so that encryption can complete and we can apply the decryption program. <DISCLAIMER> This was created as a proof of concept. If this was accidentally executed on a real machine, PLEASE contact me at [email protected] and I will help you decrypt your files. This should not have ever been released publicly.

Emails

[email protected]

Targets

- Target
  
  EagleEye.exe
- Size
  
  139.9MB
- MD5
  
  c189d5f3ff6d207de2c8854cb09f9b81
- SHA1
  
  05958f5ae885b218bd6ed7962a5328bd4df7c764
- SHA256
  
  7c2386e4a9636aeefd37926ece0af1694ebc3be8ed368d93f51996f190838d7e
- SHA512
  
  1dfc9433441be08f387ec6deaa82d13e751597c895b09a8e8c12b3fe66486500b4316070672dc7e50064cd9b0e2029e37e42eedc20a249d44c38cc9c8a9920c8
- SSDEEP
  
  786432:QhCRzYx25tBMBliqmvQPMM4LivtgDAXZvo8sqTtLwSTRpf4P1wT1aPrvjZ:QqY2tC3PMM3yAJvoZrvjZ
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Disables Task Manager via registry modification
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2