Resubmissions
Date               Task ID             Score
03-03-2024 13:05   240303-qbxpzabd88   10
24-05-2023 16:08   230524-tk9bxadc98   3
23-05-2023 16:48   230523-vbmbfsha9z   10
29-10-2021 20:23   211029-y55axaagcj   1

Analysis
max time kernel: 22s
max time network: 18s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240226-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240226-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 03-03-2024 13:05
Static task: static1
Behavioral task: behavioral1
Sample: Filecoder.Hive_linux.bin
Resource: ubuntu1804-amd64-20240226-en
General
Target: Filecoder.Hive_linux.bin
Size: 2.2MB
MD5: c41d9625ccd175647ffa10484ab2556d
SHA1: 77d7614156607b68265b122fb35a1d408625cb96
SHA256: 6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0
SHA512: 7036bbdd7079b560abcfe3aac1b5951571c318708d48fea340e82185e351c3853091900b31ef0d790ca3309943318620e00f9567440693e89a259b56fc09c9b2
SSDEEP: 49152:kOAAzrb/TYvO90dL3BmAFd4A64nsfJiTZxwuXf9nTCqw0Xfgg778laMex5D1:k1Dw+b3+
Malware Config
Extracted
Path: /4oEi_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Hive
A ransomware written in Golang first seen in June 2021.

Deletes itself (1 IoC)
pid    Process
1559   Filecoder.Hive_linux.bin
Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes (1 TTP, 22 IoCs)
Reads hardware information (1 TTP, 1 IoC)
Accesses system info like serial numbers, manufacturer names etc.
description               ioc                                  Process
File opened for reading   /sys/devices/virtual/dmi/id/power    Filecoder.Hive_linux.bin
Reads network interface configuration (2 TTPs, 12 IoCs)
Fetches information about one or more active network interfaces.
Enumerates kernel/hardware configuration (1 TTP, 64 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
description                    ioc
File opened for modification   /tmp/config-err-lY4Q9L.Thy5Fr6CIs_J_B13hrpFnerSWkbO8c6xRf7yjcWsPA7_8OWYxt5r3180.21k5p
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 9932bbfea02ad4bb0c43b36fddd98a7a
SHA1: 1faee3c9dbb5f005769c8123387b45cf545cac89
SHA256: 13f91b1c2c02259660f4d83dd7383b5bbc4f04be98331fbbcf92f1e56f8557a4
SHA512: cad236319f2bc80d4223aca681e1adc446ae72dd46530e00aa9887c331b94ac95c9b23c55c3d98c4615cb05da689d68006d75c3f0d213c6f9303ee04f2d4f7ab

Filesize: 1.1MB
MD5: b37af5aa0dbe0f1fe416b39bc2df7064
SHA1: 65f42fc2a44f6e4476b568ae4b17c8f250060715
SHA256: b3c48290c576128db6e9857e0d164dcf35d57fc182a4cdf707eff8c82af33321
SHA512: 2bce5f378d18e2e8de2bdfe157f41078b5d0bedb61cc821282441be79836c89ede44a500df8347af403175748b8506fc7945ca3eb413c0d81b55566c17110074