hive

General

Target

2025-03-12_f5d7efaec3c1274b0aaa704a6caa1671_frostygoop_hive_sliver_snatch
Size

3.1MB
Sample

250312-cfhvqasrw7
MD5

f5d7efaec3c1274b0aaa704a6caa1671
SHA1

ec5c25e1cee1dca5c75baf5a6e3bec69441959dc
SHA256

5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d
SHA512

dab0a8060e9012706ae6ba46adeb2f18e5edecdc187e856989236dd0edb46ed7912cee97cee1c9fb075724c5d736b07e418991d1a3793bee6770d51618dd607f
SSDEEP

49152:imfcJ4D5NnqxkGcfxPxZHPlCJKC732T4rOB3IJ2LL8JcL8LBetlyQ1D11:imfcO1Nq6GcfRdF

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\GyDM_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: 7nVm318mZGHq Password: yDfdV72zJcLft6fDRx3y To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.jhps7 files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Targets

- Target
  
  2025-03-12_f5d7efaec3c1274b0aaa704a6caa1671_frostygoop_hive_sliver_snatch
- Size
  
  3.1MB
- MD5
  
  f5d7efaec3c1274b0aaa704a6caa1671
- SHA1
  
  ec5c25e1cee1dca5c75baf5a6e3bec69441959dc
- SHA256
  
  5baa791a0bcaff60080472bfa434631bc7524b8a10989ed6e7b200f010cb8e1d
- SHA512
  
  dab0a8060e9012706ae6ba46adeb2f18e5edecdc187e856989236dd0edb46ed7912cee97cee1c9fb075724c5d736b07e418991d1a3793bee6770d51618dd607f
- SSDEEP
  
  49152:imfcJ4D5NnqxkGcfxPxZHPlCJKC732T4rOB3IJ2LL8JcL8LBetlyQ1D11:imfcO1Nq6GcfRdF
Score

10^/10

hive defense_evasion discovery evasion execution impact ransomware spyware stealer trojan
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  defense_evasion
- Disables service(s)
  defense_evasion execution
- Hive
  A ransomware written in Golang first seen in June 2021.
  ransomware hive
- Hive family
  hive
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Modifies security service
  defense_evasion
- Clears Windows event logs
  defense_evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Modifies Security services
  Modifies the startup behavior of a security service.
  defense_evasion
behavioral1 behavioral2