Overview

overview

10

Static

static

1

URLScan

urlscan

https://github.com/y...

windows10-1703-x64

10

Resubmissions

31-05-2024 03:56

240531-ehcgtsfd36 10

31-05-2024 03:37

240531-d6wpyaeh64 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://github.com/ytisf/theZoo/tree/master/malware/Binaries/Ransomware.Hive

  • Sample

    240531-ehcgtsfd36

Score
10/10
hivedefense_evasionexecutionimpactpersistenceransomwarespywarestealerupx

Malware Config

Extracted

Path

C:\$Recycle.Bin\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data is encrypted. To decrypt all the data you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: EQA9oydTxwXS Password: vNtgAgb3kMFmCooANNQr Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.hive files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
URLs

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

Targets

    • Target

      https://github.com/ytisf/theZoo/tree/master/malware/Binaries/Ransomware.Hive

    Score
    10/10
    hivedefense_evasionexecutionimpactpersistenceransomwarespywarestealerupx

    • Detects Go variant of Hive Ransomware

    • Hive

      A ransomware written in Golang first seen in June 2021.

      ransomwarehive

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Drops file in Drivers directory

    • Modifies Installed Components in the registry

      persistence

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks