General
-
Target
Ransomware.Hive.zip
-
Size
6.6MB
-
Sample
240303-l27kmshd24
-
MD5
33dc6cf9108fa7a395d632c29021791c
-
SHA1
61ccffbfb8f2458be139aa1d3c9dd715f25cd06d
-
SHA256
af9e8f301a3677b457345921d7ee765a842eceb7df107714eaffc6193bfc6bbe
-
SHA512
5b7206cd076e313f15a13c4f6278ea80c109577530bc43614efc631aeb8b53f8b0abba1135298ba6b6b7fa2f19321ab673b257d3b4c0cbc95bd4c50c8040466d
-
SSDEEP
196608:xUPLIETGA/+0vcL5o/Vu0vlQ77Z0SOJM7j:xmJ6ANa6/Vu0q3+SOw
Behavioral task
behavioral1
Sample
211xahcou.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Hive.elf
Resource
win7-20240220-en
Behavioral task
behavioral3
Sample
hive.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
hive_linux_elf
Resource
win7-20240221-en
Behavioral task
behavioral5
Sample
linux_hive.elf
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
sjl8j6ap3.exe
Resource
win7-20240221-en
Behavioral task
behavioral7
Sample
windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
Resource
win7-20240221-en
Malware Config
Extracted
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\HOW_TO_DECRYPT.txt
hive
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
Extracted
C:\Program Files\EGdu_HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Extracted
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\K8zJ_HOW_TO_DECRYPT.txt
hive
Targets
-
-
Target
211xahcou.dll
-
Size
3.9MB
-
MD5
0e4d44dde522c07d09d9e3086cfae803
-
SHA1
d8dc26e2094869a0da78ecb47494c931419302dc
-
SHA256
33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
-
SHA512
ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06
-
SSDEEP
49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA2:e2ANB04yIa0hsirubO
Score10/10-
Modifies security service
-
Clears Windows event logs
-
Modifies boot configuration data using bcdedit
-
-
-
Target
Hive.elf
-
Size
246KB
-
MD5
22ae3e19ec54a9d314719158c00986e3
-
SHA1
84353fe08dd87eb2f1086dfd08c014311e7e4889
-
SHA256
822d89e7917d41a90f5f65bee75cad31fe13995e43f47ea9ea536862884efc25
-
SHA512
a72a3e8fb908c2ed946b9266cc742b1584709205f1911e381823ef7caac10d55ccec2f35c3e7ca4a3eda7e04e1b57ec2039054c087fdc39241554cd82b62570e
-
SSDEEP
3072:3Zp7gZzdfvjRCMj1Yk36ioyJ1zgjIlOhXYopNL+V7o0xvvkB/37Nt7xhew8A2Mzc:P7gDj8S1Hlx14+opNClvk977ew8A2M
Score3/10 -
-
-
Target
hive.bin_exe
-
Size
764KB
-
MD5
2f9fc82898d718f2abe99c4a6fa79e69
-
SHA1
9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
-
SHA256
88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
-
SHA512
19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b
-
SSDEEP
12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH
Score10/10-
Detects Go variant of Hive Ransomware
-
Drops file in Drivers directory
-
Drops startup file
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
-
-
Target
hive_linux_elf
-
Size
2.4MB
-
MD5
d3b0102e6632be81ce158c909f583412
-
SHA1
10bd0f1d3122d6575e882ba8f025eb11b0a95b61
-
SHA256
bdf3d5f4f1b7c90dfc526340e917da9e188f04238e772049b2a97b4f88f711e3
-
SHA512
cd7c7d5cd4531fbd11d2c0e4fccfaad485fb804621b6a692dd4f640ac048bb6f596314b655df94f96788cbbcd64bf54e2285697db93b1ce4123852c9c9e00d39
-
SSDEEP
49152:oBWlwme8nhvmR52bzPOA1nsRTuIQflLQn+MJ3m+02D1:YmeQhvmS/R1nsF
Score1/10 -
-
-
Target
linux_hive.elf
-
Size
2.3MB
-
MD5
56075e7c63b3f9f612cde6187d4a7877
-
SHA1
1bcfa979b7b9044ba5ce5c006bd26b0bdbeb8464
-
SHA256
12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185
-
SHA512
7df68e37b3c2e7ce197f0d8736d06adf808343fe2d638bcd3e0f285968e1365c06b33157c6e5816b9fa9362e6adc262d3d2da45d3d1a38efb7e2ce980fce8b80
-
SSDEEP
49152:TzVcrxrb/TGvO90dL3BmAFd4A64nsfJbJ5PhTZDknzImQXNqw0Xfgg778lwQJKTS:TcbP/kB30JKT
Score3/10 -
-
-
Target
sjl8j6ap3.dll
-
Size
661KB
-
MD5
7692a5dca7c3c48095aa6db0db640d4a
-
SHA1
268faa86ae921da264264f392b541a9facc3bdf5
-
SHA256
b6b1ea26464c92c3d25956815c301caf6fa0da9723a2ef847e2bb9cd11563d8b
-
SHA512
2e8c4c0ed23dffc2494e39654f0cec03e4ad6bd4c04a80342afa7ad412d1a3dbcbf4a4cab7841354ca6bc2932252eaacfaf7f0abe3f9380e30eed14a610cc882
-
SSDEEP
12288:BLF6OtM1z8JLbA689tSfvTvFSYIzp4yzhrWbttQfaa4Gxjzgdlo/AhwN/eh9z/ET:BLF6gb0xqx9z/EO3BxhR
Score1/10 -
-
-
Target
windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5
-
Size
884KB
-
MD5
da13022097518d123a91a3958be326da
-
SHA1
24a71ab462594d5a159bbf176588af951aba1381
-
SHA256
25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5
-
SHA512
a82aa97a92cd21ee2d4b556448fd3293396eb7c01d3626ebdb6c3816277783578686830c430014b6b2fc3280bc1301df27da079937f88834c2d35641eb5fc26f
-
SSDEEP
12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgVt:dod1HDmlDdkZ4YXPpaTTXMw
-
Modifies security service
-
Clears Windows event logs
-
-
-
Target
zi1ysv64h.dll
-
Size
3.3MB
-
MD5
5384c6825a5707241c11d78529dbbfee
-
SHA1
85f5587e8ad534c2e5de0e72450b61ebda93e4fd
-
SHA256
3858e95bcf18c692f8321e3f8380c39684edb90bb622f37911144950602cea21
-
SHA512
856861295efb9c1b0000b369297cf6905a277c2d7dd0bc238f3884cd22598055450bf0459d68441f135bb77150685a86707ea9320a37e10548b40185f09b961f
-
SSDEEP
49152:HJ9mQ5uetkErb/TKvO90dL3BmAFd4A64nsfJ+9NRUMZXuPH9fc0KHPKG/g+eNgiz:HJ9jkl9NbBo9fc0KHYno
-
Modifies security service
-
Clears Windows event logs
-
Modifies boot configuration data using bcdedit
-
Deletes itself
-