Extracted

Extracted

Extracted

Extracted

• • Target

    211xahcou.dll

  • Size

    3.9MB

  • MD5

    0e4d44dde522c07d09d9e3086cfae803

  • SHA1

    d8dc26e2094869a0da78ecb47494c931419302dc

  • SHA256

    33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277

  • SHA512

    ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06

  • SSDEEP

    49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA2:e2ANB04yIa0hsirubO

  Score

  10^/10

  hiveevasionransomwaretrojan

  • Deletes Windows Defender Definitions

    Uses mpcmdrun utility to delete all AV definitions.

    evasion

  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Modifies security service

    evasion

  • Clears Windows event logs

    evasionransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Renames multiple (73) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  behavioral1behavioral2

• • Target

    Hive.elf

  • Size

    246KB

  • MD5

    22ae3e19ec54a9d314719158c00986e3

  • SHA1

    84353fe08dd87eb2f1086dfd08c014311e7e4889

  • SHA256

    822d89e7917d41a90f5f65bee75cad31fe13995e43f47ea9ea536862884efc25

  • SHA512

    a72a3e8fb908c2ed946b9266cc742b1584709205f1911e381823ef7caac10d55ccec2f35c3e7ca4a3eda7e04e1b57ec2039054c087fdc39241554cd82b62570e

  • SSDEEP

    3072:3Zp7gZzdfvjRCMj1Yk36ioyJ1zgjIlOhXYopNL+V7o0xvvkB/37Nt7xhew8A2Mzc:P7gDj8S1Hlx14+opNClvk977ew8A2M

  Score

  3^/10
  behavioral3behavioral4

• • Target

    hive.bin_exe

  • Size

    764KB

  • MD5

    2f9fc82898d718f2abe99c4a6fa79e69

  • SHA1

    9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb

  • SHA256

    88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1

  • SHA512

    19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b

  • SSDEEP

    12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH

  Score

  10^/10

  hivepersistenceransomwarespywarestealerupx

  • Detects Go variant of Hive Ransomware

  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Drops file in Drivers directory

  • Modifies Installed Components in the registry

    persistence

  • Deletes itself

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Drops desktop.ini file(s)

  • Drops file in System32 directory

  behavioral5behavioral6

• • Target

    hive_linux_elf

  • Size

    2.4MB

  • MD5

    d3b0102e6632be81ce158c909f583412

  • SHA1

    10bd0f1d3122d6575e882ba8f025eb11b0a95b61

  • SHA256

    bdf3d5f4f1b7c90dfc526340e917da9e188f04238e772049b2a97b4f88f711e3

  • SHA512

    cd7c7d5cd4531fbd11d2c0e4fccfaad485fb804621b6a692dd4f640ac048bb6f596314b655df94f96788cbbcd64bf54e2285697db93b1ce4123852c9c9e00d39

  • SSDEEP

    49152:oBWlwme8nhvmR52bzPOA1nsRTuIQflLQn+MJ3m+02D1:YmeQhvmS/R1nsF

  Score

  1^/10
  behavioral7behavioral8

• • Target

    linux_hive.elf

  • Size

    2.3MB

  • MD5

    56075e7c63b3f9f612cde6187d4a7877

  • SHA1

    1bcfa979b7b9044ba5ce5c006bd26b0bdbeb8464

  • SHA256

    12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185

  • SHA512

    7df68e37b3c2e7ce197f0d8736d06adf808343fe2d638bcd3e0f285968e1365c06b33157c6e5816b9fa9362e6adc262d3d2da45d3d1a38efb7e2ce980fce8b80

  • SSDEEP

    49152:TzVcrxrb/TGvO90dL3BmAFd4A64nsfJbJ5PhTZDknzImQXNqw0Xfgg778lwQJKTS:TcbP/kB30JKT

  Score

  3^/10
  behavioral10behavioral9

• • Target

    sjl8j6ap3.dll

  • Size

    661KB

  • MD5

    7692a5dca7c3c48095aa6db0db640d4a

  • SHA1

    268faa86ae921da264264f392b541a9facc3bdf5

  • SHA256

    b6b1ea26464c92c3d25956815c301caf6fa0da9723a2ef847e2bb9cd11563d8b

  • SHA512

    2e8c4c0ed23dffc2494e39654f0cec03e4ad6bd4c04a80342afa7ad412d1a3dbcbf4a4cab7841354ca6bc2932252eaacfaf7f0abe3f9380e30eed14a610cc882

  • SSDEEP

    12288:BLF6OtM1z8JLbA689tSfvTvFSYIzp4yzhrWbttQfaa4Gxjzgdlo/AhwN/eh9z/ET:BLF6gb0xqx9z/EO3BxhR

  Score

  1^/10
  behavioral11behavioral12

• • Target

    windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5

  • Size

    884KB

  • MD5

    da13022097518d123a91a3958be326da

  • SHA1

    24a71ab462594d5a159bbf176588af951aba1381

  • SHA256

    25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5

  • SHA512

    a82aa97a92cd21ee2d4b556448fd3293396eb7c01d3626ebdb6c3816277783578686830c430014b6b2fc3280bc1301df27da079937f88834c2d35641eb5fc26f

  • SSDEEP

    12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgVt:dod1HDmlDdkZ4YXPpaTTXMw

  Score

  10^/10

  hiveevasionransomwarespywarestealertrojanupx

  • Deletes Windows Defender Definitions

    Uses mpcmdrun utility to delete all AV definitions.

    evasion

  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Modifies security service

    evasion

  • Clears Windows event logs

    evasionransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral13behavioral14

• • Target

    zi1ysv64h.dll

  • Size

    3.3MB

  • MD5

    5384c6825a5707241c11d78529dbbfee

  • SHA1

    85f5587e8ad534c2e5de0e72450b61ebda93e4fd

  • SHA256

    3858e95bcf18c692f8321e3f8380c39684edb90bb622f37911144950602cea21

  • SHA512

    856861295efb9c1b0000b369297cf6905a277c2d7dd0bc238f3884cd22598055450bf0459d68441f135bb77150685a86707ea9320a37e10548b40185f09b961f

  • SSDEEP

    49152:HJ9mQ5uetkErb/TKvO90dL3BmAFd4A64nsfJ+9NRUMZXuPH9fc0KHPKG/g+eNgiz:HJ9jkl9NbBo9fc0KHYno

  Score

  10^/10

  hiveevasionransomwaretrojan

  • Deletes Windows Defender Definitions

    Uses mpcmdrun utility to delete all AV definitions.

    evasion

  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Modifies security service

    evasion

  • Clears Windows event logs

    evasionransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion
  behavioral15behavioral16