hydracrypt

Sharing

General

Target

Batch_5.zip
Size

10.7MB
Sample

241122-dz7tmazlan
MD5

840ef805274a90a6354a0f5d1c6f05f1
SHA1

856f756302fb8559edac0804324c6fec97382d84
SHA256

51b3773145652b5d559396a08e1282a3a1d92d4df473f774d61791386fca0598
SHA512

a1dbedebf1dc9007ea6781116d3b92e052d5110b34bcc83e87d7ba8736d1b9353bfaeb88de6b53f11ea661ef60231ae2280a4a7e54c4c3bd06cbe7f1aa864904
SSDEEP

196608:1iAo5dAtwAQT+rrxa/kHpuI7c/hDU9EPh3VkXI599o9kDD8xCO:1jCAtwAy+rrakDcpDU9uFNgaDQCO

Score

10^/10

Malware Config

Targets

- Target
  
  AES-NI.exe
- Size
  
  999KB
- MD5
  
  83e824c998f321a9179efc5c2cd0a118
- SHA1
  
  16b84004778505afbcc1032d1325c9bed8679b79
- SHA256
  
  4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76
- SHA512
  
  d1c9fdb653d6b028c16a9d82895b7f03b6f96aecc802ab5104d6a762091e71502e407feea3d3d64f19b9f7c2888b1fb2b1dd5f2909b6e29414d4e4a78b56917b
- SSDEEP
  
  24576:xMhc8sFdkS6BEeL8xYSCy3vIyzlueaBLxGLJe3:Ghc8sFB6WeIYSPAyUHxGLJe3
Score

7^/10

discovery upx
- Deletes itself
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  Abrechnung.exe
- Size
  
  103KB
- MD5
  
  81ff324d2023d8ecb98a127b87d51450
- SHA1
  
  acd24c80f6a02f7fe7a388a6779ea49be64674bc
- SHA256
  
  7d9fc496bc0ade736bf75e05564e9c93167362ef18450d75222deef0664f9ed5
- SHA512
  
  38b17683e835e7259a6972d0f920f9ac7f5823591962c624aa795c39c3213d0735bacd76c72b7255be1cefeb9c298ffc31266513f088684969e5e18ad4e0a139
- SSDEEP
  
  1536:o7ZrIoIlP/A765noAXMoiCQ/5NSDy+Ud1IE9vpFARgHsjoCje6fLCy:odIp/A0noAcoiCQ/5NS6ERnECnfLCy
Score

8^/10

discovery evasion persistence upx
- Disables RegEdit via registry modification
  evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4
- Target
  
  Box (2).exe
- Size
  
  438KB
- MD5
  
  1bb4dd43a8aebc8f3b53acd05e31d5b5
- SHA1
  
  54cd1a4a505b301df636903b2293d995d560887e
- SHA256
  
  a2380a5f503bc6f5fcfd4c72e5b807df0740a60a298e8686bf6454f92e5d3c02
- SHA512
  
  94c70d592e806bb426760f61122b8321e8dc5cff7f793d51f9d5650821c502c43096f41d3e61207ca6989df5bfdbff57bc23328de16e99dd56e85efc90affdce
- SSDEEP
  
  3072:rE+rnVvKX8/tmssEDUbPwBIK6xDq3bnBZvG1BpTU41zjhkkxbNWWmZ:ImVa8/tmswUB36G9ZvGZQ49jRF
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  Box.exe
- Size
  
  440KB
- MD5
  
  698746928e12831d6982b4e260a9da3a
- SHA1
  
  c87945b0f3f19d3fa07f64b5454f588f568a94e7
- SHA256
  
  63a6c3864b0a51c790d8d0312137995eb16710178aaaebfe34fa5e57caff9b36
- SHA512
  
  8680e690337afa911471680aeb0ea6242e7cf68d83043e83b91bd6ffbe0af1af8aac140ecec8958ac6831a4b9f8401ac086e8322d6638144e5501df949594ea0
- SSDEEP
  
  3072:LE+rnVvKX8/tmssEDUbPwBIK6xDq3bnBZvG1BpTU41zjhkkxbNWOc:omVa8/tmswUB36G9ZvGZQ49jR
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe
- Size
  
  212KB
- MD5
  
  c697914b3e3c115391e5a32e6d8d3a98
- SHA1
  
  b61335cc60ff37680e82c7245ec268d206fc21e2
- SHA256
  
  a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43
- SHA512
  
  dbdd230a9829eeae3cbb7ba7cead7b378661275ca3a97bef7c4d60a7c8a5a475120bda551c2e2d81e69f9cc4f0dc798f9160d2e94d11f1ed3cc9cdf4752ae35b
- SSDEEP
  
  3072:HTS1pU/dvuuCtCxzxXXQu+pbSCu9P+5qd/o1x3wPWnK:HTeu/Zat6gH9un0ePW
Score

9^/10

defense_evasion discovery evasion execution impact persistence ransomware trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  a7768f4973ad7cf8217212a4d12dbae0.exe
- Size
  
  380KB
- MD5
  
  a7768f4973ad7cf8217212a4d12dbae0
- SHA1
  
  143c52e5bf3978c7b1a544ccc9405afd17d77f55
- SHA256
  
  c8ea293b1ad5343dde79c6e095c134e4100fdaf47c84eac5e3012eae0b0125a2
- SHA512
  
  058cc6690f9910ead6441f7128f85cb6669f04a7a949bf0b464b42d7813695cf77f7fff539b742a829464cb1ad41ca0682df120e008095b9739e561f488201d5
- SSDEEP
  
  6144:Uzv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOwIbN8CCg4mnw8:UzcRD02J4Sq2vHGB67KWKKmDzrCg44w8
Score

10^/10

discovery evasion persistence trojan upx
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Drops startup file
- Checks whether UAC is enabled
  evasion trojan
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral11 behavioral12
- Target
  
  aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e.exe
- Size
  
  550KB
- MD5
  
  e1e589c2c91ca7563f8fb06cf356bbfc
- SHA1
  
  54ac30e96d237ebed232648d8b484579fd7a33d8
- SHA256
  
  aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e
- SHA512
  
  8c440d514c0e0b4587834e40ebe0603f1214a771f680c1a49d69a3dcf2cb799ff4f056faf06402a4f7243b927a296374fe024ecfbb754aa550ef25ceebfc0261
- SSDEEP
  
  6144:Nb/thbA20Budh1Bbm20BloOVAIqDAYQ+:ltGcAYp
Score

7^/10

discovery persistence
- Drops startup file
- Adds Run key to start application
  persistence
behavioral13 behavioral14
- Target
  
  aace43af8d0932a7b01c5b8fb71c8199.exe
- Size
  
  2.7MB
- MD5
  
  aace43af8d0932a7b01c5b8fb71c8199
- SHA1
  
  56422e5cc2abe198198003d2c5bf009c8652a983
- SHA256
  
  3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b
- SHA512
  
  c4fdee4e0041a98eba661b41f521ea393e2cf8a2683d7722ba198bbc5d7620600855a773c849b1a24fb0542a6fdaf478b4e66d2ca709663d5665fac1613de2b3
- SSDEEP
  
  49152:HyhKEGeEWYQAsQ36mE4OZYYIqCGA02Ul0UFi28CdNT0BtT:HygEGTRQAsQ36mE4O6rqCb2i28CdNoBN
Score

8^/10

defense_evasion discovery
- Indicator Removal: Network Share Connection Removal
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  defense_evasion
behavioral15 behavioral16
- Target
  
  ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de_PonyNews.exe
- Size
  
  216KB
- MD5
  
  70a377690917a98e6ee682f7941eb565
- SHA1
  
  246b1e0d01772a47a5f2032c8642d33d47a11c57
- SHA256
  
  ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de
- SHA512
  
  c384afb2230222115bffeeb951e6e204e99c44ff8d27af58b5660aa084405b1da3ad25ee75179b9f5db0f1ca7ceab070457d314b001c53cc0faa71dd7dfe9709
- SSDEEP
  
  3072:eowSng9e1zcHHgttb9a1XchykGt8N3mff:1IehkAttb9aFchy3um
Score

10^/10

pony credential_access discovery rat spyware stealer
- Pony family
  pony
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral17 behavioral18
- Target
  
  aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1.exe
- Size
  
  218KB
- MD5
  
  35f68acc0c3d5761a61975ec77b49cbc
- SHA1
  
  f6d03e713bc9b47265141d9f9b83ae634d43d204
- SHA256
  
  aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1
- SHA512
  
  6a9d131e7c4f310ec77cf3c9c07c75dca279b7ffd6c46b252c559947900f1d754400fc51ce12b8afde86a0fd758e1b68d00a2e5f9144ad019d51bff5c67a4656
- SSDEEP
  
  3072:HfVD9B1hzRAjEdJNCQ4woDZD57Wr3FKajQNR9MiYbuWjqgdcnfKvdHmN5b3SM:/jlVEEbNtoPajxu85cfAG3
Score

6^/10

discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral19 behavioral20
- Target
  
  afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
- Size
  
  164KB
- MD5
  
  08b304d01220f9de63244b4666621bba
- SHA1
  
  b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
- SHA256
  
  afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
- SHA512
  
  162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9
- SSDEEP
  
  3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn
Score

10^/10

hydracrypt defense_evasion discovery execution impact persistence ransomware spyware stealer
- HydraCrypt
  Relatively unsophisticated ransomware family based on leaked CrypBoss source code.
  ransomware hydracrypt
- Hydracrypt family
  hydracrypt
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (444) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54_not_packed_maybe_useless.exe
- Size
  
  53KB
- MD5
  
  93de5300dabf0711c57cbe31b4c9ef04
- SHA1
  
  4cad182a0cf72c2aff7c1a5b23eb26b352366f63
- SHA256
  
  b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54
- SHA512
  
  52c3e7a2721dac4b65d1b0ca78bd594f96f7adc36dcb9a69515665a039d644b4ce130f73f5eddd452911cac7f60c0af19688cdba57339fdec88c0ddfc574cc00
- SSDEEP
  
  768:4chho/bbYYwktIZwTUtv3h12jG6hdYWnXAjpWTbBbIKP077hPdxPaq77tio/rM:PjoDMYwEINR8j/Yu2pqOd77hPQoQ
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  0.8476237917779167.exe
- Size
  
  80KB
- MD5
  
  0a2284067bd109885b0597c3a858a88a
- SHA1
  
  7634b3d0ede547c81f93fe570ef3102bf0e0ed14
- SHA256
  
  19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf
- SHA512
  
  6405bee390d0c1f38ad434116de512cb67171b66ec6e4efbb43f08577597da51ab37fae899a6f8231fa17fa60654572e5141c2dbcebe520124db61e7393f9eea
- SSDEEP
  
  1536:QF7P2btiVYiZ+TX2tbOH3UqCXOOlIoj6Q849X:U7ktiPCH3UqZAhR
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral25 behavioral26
- Target
  
  zsgblrbrumorwxfizuke.exe
- Size
  
  80KB
- MD5
  
  0a2284067bd109885b0597c3a858a88a
- SHA1
  
  7634b3d0ede547c81f93fe570ef3102bf0e0ed14
- SHA256
  
  19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf
- SHA512
  
  6405bee390d0c1f38ad434116de512cb67171b66ec6e4efbb43f08577597da51ab37fae899a6f8231fa17fa60654572e5141c2dbcebe520124db61e7393f9eea
- SSDEEP
  
  1536:QF7P2btiVYiZ+TX2tbOH3UqCXOOlIoj6Q849X:U7ktiPCH3UqZAhR
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral27 behavioral28
- Target
  
  b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0.exe
- Size
  
  518KB
- MD5
  
  4523ccfd191dcceeae8e884f82f5c7ad
- SHA1
  
  00107a6bdc9886e69425b7b0b761dcc8324946d3
- SHA256
  
  b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0
- SHA512
  
  79df12b1abb0d2ddab35e898aa01baaf7ea737fa37331c926b07d0ca478aa9c1c3d14795241e11d7dcff06ec3c5de93b2819cfbc0fd6db5bf6e752c52cfad5a5
- SSDEEP
  
  12288:uPenEoSpi011oQSnRxhmVacKcMxS8JWwEHD1T6hX5IGC2C:SJomi0GnbPcKcNcWwEj1T6hqm
Score

5^/10

discovery upx
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral29 behavioral30
- Target
  
  b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe
- Size
  
  33KB
- MD5
  
  d9789bfbc54d5cb6d52c385fd8f5d288
- SHA1
  
  b8f60c64c70f03c263bf9e9261aa157a73864aaf
- SHA256
  
  c0fcf3ac6b125e985c6574ed7ef1a7929f3be8f6487b68e4d58a48a3b1517b5d
- SHA512
  
  21e81d64136897e86362304666cb0a8510ae2280c432c8b768875d5459b527e2cdafe9a61107433d3ff7ccf8092f3bbc226f9366623c1d39f76445fc490dc4c8
- SSDEEP
  
  768:IPXirrjYZp0Tf6yFz5Om5jPwxgjAqJTKV/Z:I/iTYHQCm5DpjhJTKVR
Score

10^/10

xorist discovery persistence ransomware spyware stealer upx
- Detected Xorist Ransomware
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Xorist family
  xorist
- Renames multiple (2186) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral31 behavioral32