General
-
Target
2025-06-04_2a549608d1d79cca830a76db077069e8_akira_black-basta_cobalt-strike_satacom
-
Size
1.0MB
-
Sample
250604-lnbk2svmt6
-
MD5
2a549608d1d79cca830a76db077069e8
-
SHA1
4e6b567ec79748bfd589a2d1162ba8b89a23dae9
-
SHA256
4d982fe04c19515e57192bdc57b147bad0aa46634d916ee2918a6282c84ff364
-
SHA512
0dcd3ef697f37331a35b85bca0809900aee86682780967f1e5f01729823c5f4a7a05eee9193aad71e4ed9365f30cd9c95376383e9b0908c9c51dde8da51a37d0
-
SSDEEP
24576:zQagXrs6xiS7Ay/i4NBqThb23KAwcCcoVJqs:zQa36bg4NBqT1VAwfcoVp
Static task
static1
Behavioral task
behavioral1
Sample
2025-06-04_2a549608d1d79cca830a76db077069e8_akira_black-basta_cobalt-strike_satacom.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
2025-06-04_2a549608d1d79cca830a76db077069e8_akira_black-basta_cobalt-strike_satacom.exe
Resource
win11-20250502-en
Malware Config
Extracted
C:\f21fae8705b262c53286e8\akira_readme.txt
akira
https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion
https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/9798701123-VSMBK
Targets
-
-
Target
2025-06-04_2a549608d1d79cca830a76db077069e8_akira_black-basta_cobalt-strike_satacom
-
Size
1.0MB
-
MD5
2a549608d1d79cca830a76db077069e8
-
SHA1
4e6b567ec79748bfd589a2d1162ba8b89a23dae9
-
SHA256
4d982fe04c19515e57192bdc57b147bad0aa46634d916ee2918a6282c84ff364
-
SHA512
0dcd3ef697f37331a35b85bca0809900aee86682780967f1e5f01729823c5f4a7a05eee9193aad71e4ed9365f30cd9c95376383e9b0908c9c51dde8da51a37d0
-
SSDEEP
24576:zQagXrs6xiS7Ay/i4NBqThb23KAwcCcoVJqs:zQa36bg4NBqT1VAwfcoVp
-
Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
-
Akira family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Renames multiple (9711) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell
Run Powershell command to delete shadowcopy.
-
Drops startup file
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-