Analysis

Max time kernel: 138s
Platform: linux_amd64
Resource: ubuntu1804-amd64-en-20211208
Resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-en-20211208, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
Submitted: 22-06-2023 23:13

Static task: static1
Behavioral task: behavioral1
Sample: linux_hive.elf
Resource: ubuntu1804-amd64-en-20211208
General

Target: linux_hive.elf
Size: 2.3MB
MD5: 56075e7c63b3f9f612cde6187d4a7877
SHA1: 1bcfa979b7b9044ba5ce5c006bd26b0bdbeb8464
SHA256: 12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185
SHA512: 7df68e37b3c2e7ce197f0d8736d06adf808343fe2d638bcd3e0f285968e1365c06b33157c6e5816b9fa9362e6adc262d3d2da45d3d1a38efb7e2ce980fce8b80
SSDEEP: 49152:TzVcrxrb/TGvO90dL3BmAFd4A64nsfJbJ5PhTZDknzImQXNqw0Xfgg778lwQJKTS:TcbP/kB30JKT
Malware Config

Extracted from: /FVUV_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Hive
A ransomware written in Golang, first seen in June 2021.

Deletes itself (1 IoC)
pid  Process
575  linux_hive.elf

Enumerates running processes
Discovers information about currently running processes on the system.
-
Reads CPU attributes (1 TTP, 22 IoCs)
Reads hardware information (1 TTP, 1 IoC)
Accesses system info like serial numbers, manufacturer names etc.
description: File opened for reading
ioc: /sys/devices/virtual/dmi/id/power
Reads network interface configuration (2 TTPs, 12 IoCs)
Fetches information about one or more active network interfaces.
Enumerates kernel/hardware configuration (1 TTP, 64 IoCs)
Reads contents of the /sys virtual filesystem to enumerate system information.
Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem.
Downloads

Filesize: 1.2MB
MD5: 8e438d69690f8cabe3e3a2dcfb96e232
SHA1: 924d389b62706d0340783c719e841972438b3a72
SHA256: da37d45a22d06e3ee8e6b74ff332255d570900caf8c009b86bcbd6dca1fc2d47
SHA512: 73dcce2a49840be5f3413f5fd2c1dcafc0eada00cba0701e44a57c468169d0ac3e799e9b80ac3d681ea5bfa47b5c73a178d1d3de7ffb7cecfa591c8d245e2ff2

Filesize: 1KB
MD5: 88cb43b9893d9559fcd7c2ff92198346
SHA1: 10f5b6704bf62d54b6928456dfd5127fcb16a936
SHA256: 36b00b82b942515e84d145a88bc7bbe9f59773bd8e3c4d9639dd2e3ffc4bb2e6
SHA512: 48f7b52fa640ac38a8a0e2216c0cfd848ef704c23cd59723b7fb0f5e83da455ff75701a40e8ede99156cdfc8aef0ec6246de0d4afd7fdbe21051bef1eed63224