win.hakbit

Hakbit

aka: Thanos Ransomware

Hakbit ransomware is written in .NET. It uploads (some of) the files it is about to encrypt to an FTP server.
The ransom note is embedded in the binary: in earlier versions as a plain string, later as a base64-encoded string. In some versions these strings are slightly obfuscated.

Contact is via an email address hosted on Protonmail. The original Hakbit used a hakbit@ address; the more recent "KiraLock" variant uses kiraransom@ (among others, of course).

References
2021-07-22 | S2W LAB Inc. | TALON
@online{talon:20210722:quick:7951b68, author = {TALON}, title = {{Quick analysis of Haron Ransomware (feat. Avaddon and Thanos)}}, date = {2021-07-22}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4}, language = {English}, urldate = {2021-07-26} }
Families: Avaddon, Hakbit

2021-07-15 | Cybereason | Cybereason Nocturnus
@online{nocturnus:20210715:cybereason:06113e5, author = {Cybereason Nocturnus}, title = {{cybereason vs. prometheus ransomware}}, date = {2021-07-15}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware}, language = {English}, urldate = {2021-08-03} }
Families: Hakbit, Prometheus

2021-06-09 | Palo Alto Networks Unit 42 | Doel Santos
@online{santos:20210609:prometheus:e4fdf9e, author = {Doel Santos}, title = {{Prometheus Ransomware Gang: A Group of REvil?}}, date = {2021-06-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/prometheus-ransomware/}, language = {English}, urldate = {2021-06-09} }
Families: Hakbit, Prometheus, REvil

2021-06-05 | Cybleinc | cybleinc
@online{cybleinc:20210605:prometheus:bf079f6, author = {cybleinc}, title = {{Prometheus: An Emerging Ransomware Group Using Thanos Ransomware To Target Organizations}}, date = {2021-06-05}, organization = {Cybleinc}, url = {https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/}, language = {English}, urldate = {2021-07-20} }
Families: Hakbit

2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} }
Families: elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare

2021-02-23 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} }
Families: RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader, KNOCKOUT SPIDER, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER

2020-11-18 | Seqrite | Priyanka Shinde
@online{shinde:20201118:thanos:4a211b9, author = {Priyanka Shinde}, title = {{Thanos Ransomware Evading Anti-ransomware Protection With RIPlace Tactic}}, date = {2020-11-18}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/}, language = {English}, urldate = {2021-01-01} }
Families: Hakbit

2020-11-16 | Intel 471 | Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} }
Families: Avaddon, Clop, Conti, DoppelPaymer, Egregor, Hakbit, Mailto, Maze, Mespinoza, RagnarLocker, REvil, Ryuk, SunCrypt, ThunderX

2020-09-04 | Palo Alto Networks Unit 42 | Robert Falcone
@online{falcone:20200904:thanos:b5eb551, author = {Robert Falcone}, title = {{Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa}}, date = {2020-09-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/thanos-ransomware/}, language = {English}, urldate = {2020-09-06} }
Families: PowGoop, Hakbit

2020-06-22 | Proofpoint | Sherrod DeGrippo, Proofpoint Threat Research Team
@online{degrippo:20200622:hakbit:4d8be82, author = {Sherrod DeGrippo and Proofpoint Threat Research Team}, title = {{Hakbit Ransomware Campaign Against Germany, Austria, Switzerland}}, date = {2020-06-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland}, language = {English}, urldate = {2020-06-23} }
Families: CloudEyE, Hakbit

2020-06-15 | VMWare Carbon Black | A C
@online{c:20200615:tau:c60e41f, author = {A C}, title = {{TAU Threat Analysis: Relations to Hakbit Ransomware}}, date = {2020-06-15}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/}, language = {English}, urldate = {2020-06-16} }
Families: Hakbit

2020-06-10 | Recorded Future | Insikt Group®
@techreport{group:20200610:new:fbd9342, author = {Insikt Group®}, title = {{New Ransomware-as-a-Service Tool ‘Thanos’ Shows Connections to ‘Hakbit’}}, date = {2020-06-10}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf}, language = {English}, urldate = {2020-06-11} }
Families: Hakbit

2020-06-08 | VMWare Carbon Black | A C
@online{c:20200608:tau:f5b25ff, author = {A C}, title = {{TAU Threat Analysis: Hakbit Ransomware}}, date = {2020-06-08}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/}, language = {English}, urldate = {2020-06-10} }
Families: Hakbit

2019-11-04 | ID Ransomware | Andrew Ivanov
@online{ivanov:20191104:hakbit:473fb88, author = {Andrew Ivanov}, title = {{Hakbit Ransomware}}, date = {2019-11-04}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html}, language = {Russian}, urldate = {2020-01-10} }
Families: Hakbit
Yara Rules
[TLP:WHITE] win_hakbit_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_hakbit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hakbit"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 40 c1e004 8b4dfc 8d740104 8b45e4 c1e004 8b4dfc }
            // n = 7, score = 300
            //   40                   | inc                 eax
            //   c1e004               | shl                 eax, 4
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8d740104             | lea                 esi, [ecx + eax + 4]
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   c1e004               | shl                 eax, 4
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_1 = { 8bec 51 51 c745f8010000c0 e8???????? 58 }
            // n = 6, score = 300
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   c745f8010000c0       | mov                 dword ptr [ebp - 8], 0xc0000001
            //   e8????????           |                     
            //   58                   | pop                 eax

        $sequence_2 = { 40 8945f4 837df403 7377 8b45f4 8b4dfc }
            // n = 6, score = 300
            //   40                   | inc                 eax
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df403             | cmp                 dword ptr [ebp - 0xc], 3
            //   7377                 | jae                 0x79
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_3 = { ff7508 8b45fc 83c018 ffd0 8945f8 837df800 0f8ca8000000 }
            // n = 7, score = 300
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83c018               | add                 eax, 0x18
            //   ffd0                 | call                eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   0f8ca8000000         | jl                  0xae

        $sequence_4 = { 8b4dfc 8b44810c 2b450c 8945f0 8365ec00 eb07 8b45ec }
            // n = 7, score = 300
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b44810c             | mov                 eax, dword ptr [ecx + eax*4 + 0xc]
            //   2b450c               | sub                 eax, dword ptr [ebp + 0xc]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8365ec00             | and                 dword ptr [ebp - 0x14], 0
            //   eb07                 | jmp                 9
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]

        $sequence_5 = { 88040a ebd2 e9???????? 8b45f8 5e c9 c21400 }
            // n = 7, score = 300
            //   88040a               | mov                 byte ptr [edx + ecx], al
            //   ebd2                 | jmp                 0xffffffd4
            //   e9????????           |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c21400               | ret                 0x14

        $sequence_6 = { 8364010c00 8b45e8 c1e004 8b4dfc c644010800 8b45e8 c1e004 }
            // n = 7, score = 300
            //   8364010c00           | and                 dword ptr [ecx + eax + 0xc], 0
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   c1e004               | shl                 eax, 4
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   c644010800           | mov                 byte ptr [ecx + eax + 8], 0
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   c1e004               | shl                 eax, 4

        $sequence_7 = { 51 c745f8010000c0 e8???????? 58 2500f0ffff 8945fc 837d1400 }
            // n = 7, score = 300
            //   51                   | push                ecx
            //   c745f8010000c0       | mov                 dword ptr [ebp - 8], 0xc0000001
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   2500f0ffff           | and                 eax, 0xfffff000
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   837d1400             | cmp                 dword ptr [ebp + 0x14], 0

        $sequence_8 = { 33c9 8b55fc 66894c020a 8b45e8 c1e004 8b4dfc 8364010c00 }
            // n = 7, score = 300
            //   33c9                 | xor                 ecx, ecx
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   66894c020a           | mov                 word ptr [edx + eax + 0xa], cx
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   c1e004               | shl                 eax, 4
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8364010c00           | and                 dword ptr [ecx + eax + 0xc], 0

        $sequence_9 = { 0f8ca8000000 ff7508 8b45fc ff10 }
            // n = 4, score = 300
            //   0f8ca8000000         | jl                  0xae
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   ff10                 | call                dword ptr [eax]

    condition:
        7 of them and filesize < 656384
}