hive

General

Target

2025-03-31_73b68282286d7613e433b562a9104438_cobalt-strike_frostygoop_hive_sliver_snatch
Size

3.2MB
Sample

250331-1b6b8a1l15
MD5

73b68282286d7613e433b562a9104438
SHA1

d1900a5700d8ba39c741e26d6e80baec350bce19
SHA256

2deb0a4080073f15b2634309ed46e5e57474c52df92f00f81e439764a61c5e7b
SHA512

f3d46b1b0f4ad48ba44b506703382133218ca8a259429483cd72bdc4498ee3bc3e610220373325c7dafab1e3a79ba5bfd13d12879faa74663171e4d40f4b241a
SSDEEP

24576:BUdmG2CcX1qgUVAEmLkcXnLyKEYDCLbteVY3In1vE5iWXkBiVwMEfQDFo9VarcXf:BttVc2/nDF50Ou9C60FRlZ31D14n

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\kKwV_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: n4gDmhMJv5TD Password: CQ8Tu5vERdAMp7SJuWU6 To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.rvqwj files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Targets

- Target
  
  2025-03-31_73b68282286d7613e433b562a9104438_cobalt-strike_frostygoop_hive_sliver_snatch
- Size
  
  3.2MB
- MD5
  
  73b68282286d7613e433b562a9104438
- SHA1
  
  d1900a5700d8ba39c741e26d6e80baec350bce19
- SHA256
  
  2deb0a4080073f15b2634309ed46e5e57474c52df92f00f81e439764a61c5e7b
- SHA512
  
  f3d46b1b0f4ad48ba44b506703382133218ca8a259429483cd72bdc4498ee3bc3e610220373325c7dafab1e3a79ba5bfd13d12879faa74663171e4d40f4b241a
- SSDEEP
  
  24576:BUdmG2CcX1qgUVAEmLkcXnLyKEYDCLbteVY3In1vE5iWXkBiVwMEfQDFo9VarcXf:BttVc2/nDF50Ou9C60FRlZ31D14n
Score

10^/10

hive defense_evasion discovery evasion execution impact ransomware spyware stealer trojan
- Disables service(s)
  defense_evasion execution
- Hive
  A ransomware written in Golang first seen in June 2021.
  ransomware hive
- Hive family
  hive
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Modifies security service
  defense_evasion
- Clears Windows event logs
  defense_evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Modifies Security services
  Modifies the startup behavior of a security service.
  defense_evasion
behavioral1