e1daf37cf37b5bf55d847618b55a6b60c098d0091c10be5f12c5b54f8595457e

Analysis

max time kernel
0s
max time network
129s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240522.1-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240522.1-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
01-07-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Revil_1.1c
Size

102KB
MD5

707009f5555115354ccb5a3b759e7a69
SHA1

40d8a0b3970ce4ccb2ec2b165c5253708ee928ca
SHA256

11fd806cd4c320bca9dc958b2dac04e43691242421db878f266a9a5b09e12240
SHA512

fd1d419377dfddc15c4dbf3c493e7dee33d8b4fef5cc510694f8f4bb263953f08d8464a6bcabbeb367b048e9a8237eb6191751a9e83ecd9ea3eabb780bc60ac7
SSDEEP

3072:db+XoBHfYu9gggwgggwgggwgggwgggfk+LoS:dpkvo

Score

10^/10

ransomware

Malware Config

Extracted

Path

/tmp/.X11-unix/rhkrc-readme.txt

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension rhkrc. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EC710450EC710450 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/EC710450EC710450 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: FQZbwljq7Beb47OGRzi5h3Lba4BMbV/jW5pa/8lW36gGgFGdXoTY+jC4MS4wRR/60kpkzIYJjj9cl1yAM6bd542Jw+Ukg/KvKIL7DMlAQwPqMU3kt5UfJXrz2jSjP+I3tUhYZACYMPJnhn3e73zYlYN9NHx3uk7t4CmerNCCP+RMyI/jGrn4pepnijveOPfRldpUHkwuQ9dwCyp/W2vO5Vr9vnXvojz7Qny5idzNpnn197Igf2zoZXCXbRl7GAGrRWC38k9h5KkwN/wU6ZfP0bNxCzF+dkyOZHiy0zdVPEYkWPKb0hFtCG6RrhqyoVAmQFben47Jd7UbQCe7QRhFmzyAoEAaefZs1xrzX/FAEweefnX8PtSrWKtT2GqoCoWAlCLoVYEHqCecaDwk4sWugs1v62iINLaLgVDXIHpn/HD1q8r7UIaTZ7kSFb7nLrDCJDHcuYU6bpxa2KoZv0EnbDGSi4rEDnfbL9ijwlKf1JPqwePHq89zgLK1Sa8W ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EC710450EC710450

http://decoder.re/EC710450EC710450

Signatures

Manipulates ESXi 2 IoCs

Manipulates ESXi.

pid	Process
1574	awk
1572	sh

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1097/cmdline	pkill
File opened for reading	/proc/452/cmdline	pkill
File opened for reading	/proc/224/cmdline	pkill
File opened for reading	/proc/1238/status	pkill
File opened for reading	/proc/1570/cmdline	pkill
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/24/cmdline	pkill
File opened for reading	/proc/1140/cmdline	pkill
File opened for reading	/proc/200/status	pkill
File opened for reading	/proc/1157/status	pkill
File opened for reading	/proc/1165/cmdline	pkill
File opened for reading	/proc/21/cmdline	pkill
File opened for reading	/proc/411/cmdline	pkill
File opened for reading	/proc/635/status	pkill
File opened for reading	/proc/19/cmdline	pkill
File opened for reading	/proc/407/status	pkill
File opened for reading	/proc/775/status	pkill
File opened for reading	/proc/114/status	pkill
File opened for reading	/proc/832/status	pkill
File opened for reading	/proc/1374/status	pkill
File opened for reading	/proc/411/status	pkill
File opened for reading	/proc/15/cmdline	pkill
File opened for reading	/proc/769/cmdline	pkill
File opened for reading	/proc/11/cmdline	pkill
File opened for reading	/proc/89/status	pkill
File opened for reading	/proc/1347/status	pkill
File opened for reading	/proc/82/cmdline	pkill
File opened for reading	/proc/613/cmdline	pkill
File opened for reading	/proc/1177/cmdline	pkill
File opened for reading	/proc/1570/status	pkill
File opened for reading	/proc/1061/status	pkill
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/1276/cmdline	pkill
File opened for reading	/proc/80/status	pkill
File opened for reading	/proc/1156/cmdline	pkill
File opened for reading	/proc/1389/status	pkill
File opened for reading	/proc/216/status	pkill
File opened for reading	/proc/18/status	pkill
File opened for reading	/proc/415/status	pkill
File opened for reading	/proc/1032/status	pkill
File opened for reading	/proc/1553/cmdline	pkill
File opened for reading	/proc/227/cmdline	pkill
File opened for reading	/proc/937/status	pkill
File opened for reading	/proc/1176/status	pkill
File opened for reading	/proc/218/status	pkill
File opened for reading	/proc/377/cmdline	pkill
File opened for reading	/proc/1053/cmdline	pkill
File opened for reading	/proc/1247/cmdline	pkill
File opened for reading	/proc/101/cmdline	pkill
File opened for reading	/proc/377/status	pkill
File opened for reading	/proc/589/cmdline	pkill
File opened for reading	/proc/643/cmdline	pkill
File opened for reading	/proc/774/status	pkill
File opened for reading	/proc/1252/status	pkill
File opened for reading	/proc/762/cmdline	pkill
File opened for reading	/proc/795/status	pkill
File opened for reading	/proc/1089/cmdline	pkill
File opened for reading	/proc/1181/cmdline	pkill
File opened for reading	/proc/1163/cmdline	pkill
File opened for reading	/proc/732/cmdline	pkill
File opened for reading	/proc/1131/status	pkill
File opened for reading	/proc/1276/status	pkill
File opened for reading	/proc/1571/status	pkill
File opened for reading	/proc/73/cmdline	pkill

Writes file to tmp directory 29 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-colord.service-KDhDFp/tmp/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-upower.service-WBo9RV/tmp/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/.font-unix/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/Revil_1.1d	Revil_1.1c
File opened for modification	/tmp/.ICE-unix/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-systemd-resolved.service-7C9zK2/tmp/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-systemd-logind.service-vxJntE/tmp/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-systemd-oomd.service-btRpr5/tmp/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-systemd-oomd.service-btRpr5/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/.XIM-unix/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/snap-private-tmp/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-systemd-logind.service-vxJntE/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/Revil_1.1c	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-upower.service-WBo9RV/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/gdm3-config-err-tLxffQ	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-systemd-timedated.service-8P13na/tmp/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-power-profiles-daemon.service-xxSYVe/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-systemd-resolved.service-7C9zK2/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/.X11-unix/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-ModemManager.service-LRGGoD/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/Revil_1.2a	Revil_1.1c
File opened for modification	/tmp/.Test-unix/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-switcheroo-control.service-Xpokgf/tmp/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-systemd-timedated.service-8P13na/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-colord.service-KDhDFp/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-ModemManager.service-LRGGoD/tmp/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-switcheroo-control.service-Xpokgf/rhkrc-readme.txt	Revil_1.1c
File opened for modification	/tmp/systemd-private-81a8bf86f98b4c3aa1e9a82e7e9a9704-power-profiles-daemon.service-xxSYVe/tmp/rhkrc-readme.txt	Revil_1.1c

/tmp/Revil_1.1c
/tmp/Revil_1.1c
1⤵
- Writes file to tmp directory
PID:1563
- /bin/sh
  sh -c "uname -a && echo \" | \" && hostname"
  2⤵
  PID:1564
- - /usr/bin/uname
    uname -a
    3⤵
    PID:1565
- - /usr/bin/hostname
    hostname
    3⤵
    PID:1566
- /bin/sh
  sh -c "uname -a && echo \" | \" && hostname"
  2⤵
  PID:1567
- - /usr/bin/uname
    uname -a
    3⤵
    PID:1568
- - /usr/bin/hostname
    hostname
    3⤵
    PID:1569
- /bin/sh
  sh -c "pkill -9 vmx-*"
  2⤵
  PID:1570
- - /usr/bin/pkill
    pkill -9 "vmx-*"
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1571
- /bin/sh
  sh -c "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" \$1)}'"
  2⤵
  - Manipulates ESXi
  PID:1572
- - /usr/bin/awk
    awk -F "\"*,\"*" "{system(\"esxcli vm process kill --type=force --world-id=\" \$1)}"
    3⤵
    - Manipulates ESXi
    - Reads runtime system information
    PID:1574

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.X11-unix/rhkrc-readme.txt

Filesize
2KB

MD5
87e8fa8d7c790ba7503710a52265a889

SHA1
0a79b884e65d6a48e3dac92d2c14884a416fce42

SHA256
9d2b629577ef6017a5be74e6696356a73f4e47ff98a6fec4d1df8473abb16a1c

SHA512
0f8d7c3ea93cfd1f5b976b44fc692bc49fbca7e14d8653fb05e6acf03a7207a642e6b673aaf0838496f90ebc19853180785b1c828eb683e3011f976d753f69b7

Download Submit