e1daf37cf37b5bf55d847618b55a6b60c098d0091c10be5f12c5b54f8595457e

Analysis

max time kernel
0s
max time network
130s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
01-07-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Revil_1.1d
Size

102KB
MD5

73041d7b9a93d3cda76e2a052ac02e82
SHA1

f995852f291e2c946e15d20d020bb8e8defd317f
SHA256

776ea636ee33aab6b2db5f46889b027c297280db37400efb091e0d4a9001a7d7
SHA512

6f430874949362bf2d9d29153c0f9d0e5c53ea7bf69a44cf14c2627981d87ff0ad45fb12c26223dc33ceebf57b6113db37e347b2b4b2fa7ac037a63edc209371
SSDEEP

3072:db+XoBHfYu9gggwgggwgggwgggwggg2k+LoS:dphvo

Score

10^/10

ransomware

Malware Config

Extracted

Path

/tmp/ssh-u65xuxWJtjA0/rhkrc-readme.txt

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension rhkrc. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/701F1C86701F1C86 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/701F1C86701F1C86 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Myw5uWYUW21UKxqcMO2C+QCIOqx8CijJCpGwLKWkqJbEF/8dlr9LfVM3tqAHPrZWFf9DT6xibk2Lul9/EhEGy9vnbl6jShar0pkk6LHWZirk4ZzWUYHX7sbDei4U97Jb8smd1ENv+/QCFNJFIF+MW/kx75yot8QPEWc7AvBWQ1emzWJ6xH4NBFj80SqVtv5xljM7tWU3m7CODgG5B5Xuiwkc2A1a7uxRVcRF9DvHNTYiOWfBwQJhD3lvytqCB9BqxtbutOcLQlXi6W822wICavjYQ21n4zAqVXgu6yAR0lwnDw0Y++kyRDh6ygu57p8zyuJjZFDEdJEIRRX/+I9WvZUk01mS3ZibOf3tjU4xgxbBKfmvjh6//TBC2Eyjy0IjkjBuveLOBZdv0IJhdmoeQb7/dbKRCICYVyW2iiqARyZXprQSjU333Q/ceyHrW9pHNedBIfIxpkf1qbCQ0DMJ2K9ZtGwGHQNVfntjy8B3Ic0R1+YQZqPE9t3tZr5x ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/701F1C86701F1C86

http://decoder.re/701F1C86701F1C86

Signatures

Manipulates ESXi 2 IoCs

Manipulates ESXi.

pid	Process
1507	sh
1509	awk

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/17/status	pkill
File opened for reading	/proc/78/status	pkill
File opened for reading	/proc/1497/status	pkill
File opened for reading	/proc/81/status	pkill
File opened for reading	/proc/168/status	pkill
File opened for reading	/proc/202/status	pkill
File opened for reading	/proc/1032/cmdline	pkill
File opened for reading	/proc/1003/status	pkill
File opened for reading	/proc/1111/status	pkill
File opened for reading	/proc/1140/cmdline	pkill
File opened for reading	/proc/1177/cmdline	pkill
File opened for reading	/proc/12/cmdline	pkill
File opened for reading	/proc/21/status	pkill
File opened for reading	/proc/516/status	pkill
File opened for reading	/proc/986/cmdline	pkill
File opened for reading	/proc/1008/status	pkill
File opened for reading	/proc/1497/cmdline	pkill
File opened for reading	/proc/10/status	pkill
File opened for reading	/proc/161/cmdline	pkill
File opened for reading	/proc/201/status	pkill
File opened for reading	/proc/598/status	pkill
File opened for reading	/proc/1146/status	pkill
File opened for reading	/proc/1183/status	pkill
File opened for reading	/proc/6/cmdline	pkill
File opened for reading	/proc/25/status	pkill
File opened for reading	/proc/165/cmdline	pkill
File opened for reading	/proc/979/status	pkill
File opened for reading	/proc/170/cmdline	pkill
File opened for reading	/proc/5/cmdline	pkill
File opened for reading	/proc/80/status	pkill
File opened for reading	/proc/1183/cmdline	pkill
File opened for reading	/proc/164/status	pkill
File opened for reading	/proc/979/cmdline	pkill
File opened for reading	/proc/1505/cmdline	pkill
File opened for reading	/proc/1151/status	pkill
File opened for reading	/proc/1079/cmdline	pkill
File opened for reading	/proc/1249/cmdline	pkill
File opened for reading	/proc/1490/status	pkill
File opened for reading	/proc/1506/status	pkill
File opened for reading	/proc/13/cmdline	pkill
File opened for reading	/proc/98/cmdline	pkill
File opened for reading	/proc/163/status	pkill
File opened for reading	/proc/536/cmdline	pkill
File opened for reading	/proc/1506/cmdline	pkill
File opened for reading	/proc/1151/cmdline	pkill
File opened for reading	/proc/1261/cmdline	pkill
File opened for reading	/proc/20/cmdline	pkill
File opened for reading	/proc/134/cmdline	pkill
File opened for reading	/proc/465/cmdline	pkill
File opened for reading	/proc/981/cmdline	pkill
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/22/cmdline	pkill
File opened for reading	/proc/160/status	pkill
File opened for reading	/proc/267/cmdline	pkill
File opened for reading	/proc/314/cmdline	pkill
File opened for reading	/proc/649/cmdline	pkill
File opened for reading	/proc/755/status	pkill
File opened for reading	/proc/19/cmdline	pkill
File opened for reading	/proc/30/cmdline	pkill
File opened for reading	/proc/32/status	pkill
File opened for reading	/proc/166/cmdline	pkill
File opened for reading	/proc/1185/cmdline	pkill
File opened for reading	/proc/4/cmdline	pkill
File opened for reading	/proc/80/cmdline	pkill

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/Revil_1.1d	Revil_1.1d
File opened for modification	/tmp/.XIM-unix/rhkrc-readme.txt	Revil_1.1d
File opened for modification	/tmp/ssh-u65xuxWJtjA0/rhkrc-readme.txt	Revil_1.1d
File opened for modification	/tmp/snap-private-tmp/rhkrc-readme.txt	Revil_1.1d
File opened for modification	/tmp/netplan_f9q45fhs/rhkrc-readme.txt	Revil_1.1d
File opened for modification	/tmp/systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB/tmp/rhkrc-readme.txt	Revil_1.1d
File opened for modification	/tmp/systemd-private-fe3170d5648a4955adb5eb655984c096-colord.service-f4UabB/rhkrc-readme.txt	Revil_1.1d

/tmp/Revil_1.1d
/tmp/Revil_1.1d
1⤵
- Writes file to tmp directory
PID:1497
- /bin/sh
  sh -c "uname -a && echo \" | \" && hostname"
  2⤵
  PID:1498
- - /bin/uname
    uname -a
    3⤵
    PID:1499
- - /bin/hostname
    hostname
    3⤵
    PID:1500
- /bin/sh
  sh -c "uname -a && echo \" | \" && hostname"
  2⤵
  PID:1501
- - /bin/uname
    uname -a
    3⤵
    PID:1502
- - /bin/hostname
    hostname
    3⤵
    PID:1503
- /bin/sh
  sh -c "pkill -9 vmx-*"
  2⤵
  PID:1505
- - /usr/bin/pkill
    pkill -9 "vmx-*"
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1506
- /bin/sh
  sh -c "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" \$1)}'"
  2⤵
  - Manipulates ESXi
  PID:1507
- - /usr/bin/awk
    awk -F "\"*,\"*" "{system(\"esxcli vm process kill --type=force --world-id=\" \$1)}"
    3⤵
    - Manipulates ESXi
    PID:1509

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/ssh-u65xuxWJtjA0/rhkrc-readme.txt

Filesize
2KB

MD5
e26537dbddfa873daf8deaa2189ec9c2

SHA1
7ac11620294efb9a5d86e02279a76280c1571673

SHA256
9fbac2437f93a640d7c0402a6312b2626744624cb01414c2ea9238d498f04d77

SHA512
ffe876c3400bd93caac6a46538b9281213a74d1cf180419ced1d056f08ada35c08c306a7d4541cfe09a9c5eda33b6bd0dcf6ae5cf29a17c6f42a1819bda8e723

Download Submit