General
-
Target
2025-06-02_96fbb98b1f722ae5f49ab63da0f74cf2_akira_black-basta_cobalt-strike_satacom
-
Size
1.0MB
-
Sample
250602-sknjrssybw
-
MD5
96fbb98b1f722ae5f49ab63da0f74cf2
-
SHA1
d917008db31eefeac52c72813d7668e4e05e853e
-
SHA256
a3410e5e4003361ccd1f4417ab7b36e1faed98abd248f85a21f4f74007c8ba0e
-
SHA512
7e1adb6f6015c2b948ac6ee4042f58a6ddddac511d3db4be62f5fd2b0a203b363541db38dc3785bce6c7a974fd0dd90e5c2bb77e67d5dd6b5940373d7925c13d
-
SSDEEP
12288:Vpp+QIEmDzuImC01vbUE98pik+2i1NkshdMMK+AX99etq2dTdUf:Vpp+Q+u5bUI8pij1NkshdMf99etb5S
Static task
static1
Behavioral task
behavioral1
Sample
2025-06-02_96fbb98b1f722ae5f49ab63da0f74cf2_akira_black-basta_cobalt-strike_satacom.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
2025-06-02_96fbb98b1f722ae5f49ab63da0f74cf2_akira_black-basta_cobalt-strike_satacom.exe
Resource
win11-20250502-en
Malware Config
Extracted
C:\Users\akira_readme.txt
akira
https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion
https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/si
Targets
-
-
Target
2025-06-02_96fbb98b1f722ae5f49ab63da0f74cf2_akira_black-basta_cobalt-strike_satacom
-
Size
1.0MB
-
MD5
96fbb98b1f722ae5f49ab63da0f74cf2
-
SHA1
d917008db31eefeac52c72813d7668e4e05e853e
-
SHA256
a3410e5e4003361ccd1f4417ab7b36e1faed98abd248f85a21f4f74007c8ba0e
-
SHA512
7e1adb6f6015c2b948ac6ee4042f58a6ddddac511d3db4be62f5fd2b0a203b363541db38dc3785bce6c7a974fd0dd90e5c2bb77e67d5dd6b5940373d7925c13d
-
SSDEEP
12288:Vpp+QIEmDzuImC01vbUE98pik+2i1NkshdMMK+AX99etq2dTdUf:Vpp+Q+u5bUI8pij1NkshdMf99etb5S
-
Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
-
Akira family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Renames multiple (9642) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell
Run Powershell command to delete shadowcopy.
-
Drops startup file
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-