Extracted

• • Target

    2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch

  • Size

    4.8MB

  • MD5

    82a36fb2b9eaf1d539bd1f47519d33f0

  • SHA1

    0eecdc1b8ecd03fa8cad841e9a81497c025575a3

  • SHA256

    88d3e05c1207189ee80f554e7462ca58a69c1c19657aa977904f7ce0047e5505

  • SHA512

    6da93231bf189a1b9fe4e6e477d92714c709982548f9ce22e0d0a3dfeeefa06fe481539f01d60cd1e3849873e01c24b25e41d78117e6a9c1ec7343821344abcf

  • SSDEEP

    49152:w2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWAG:w2ANB04yIa0hsirubOWx4+

  Score

  10^/10

  hivedefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealertrojan

  • Deletes Windows Defender Definitions

    Uses mpcmdrun utility to delete all AV definitions.

    defense_evasion

  • Disables service(s)

    defense_evasionexecution

  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive

  • Hive family

    hive

  • Modifies Windows Defender DisableAntiSpyware settings

    evasiontrojan

  • Modifies Windows Defender Real-time Protection settings

    defense_evasiontrojan

  • Modifies security service

    defense_evasion

  • Clears Windows event logs

    defense_evasionransomware

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Renames multiple (1901) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Deletes itself

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Modifies Security services

    Modifies the startup behavior of a security service.

    defense_evasion
  behavioral1behavioral2