win.hakbit

Hakbit

aka: Thanos Ransomware

Hakbit ransomware is written in .NET. It uploads some of the files it is about to encrypt to an FTP server.
The ransom note is embedded in the binary – in earlier versions as a plain string, in later versions as a base64-encoded string. In some versions these strings are slightly obfuscated.

Contact is via an email address hosted on ProtonMail: the original Hakbit used hakbit@, while the more recent "KiraLock" variant uses kiraransom@ (among others, of course).

References
2020-09-04 | Palo Alto Networks Unit 42 | Robert Falcone
@online{falcone:20200904:thanos:b5eb551, author = {Robert Falcone}, title = {{Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa}}, date = {2020-09-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/thanos-ransomware/}, language = {English}, urldate = {2020-09-06} } Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa
Hakbit
2020-06-22 | Proofpoint | Sherrod DeGrippo, Proofpoint Threat Research Team
@online{degrippo:20200622:hakbit:4d8be82, author = {Sherrod DeGrippo and Proofpoint Threat Research Team}, title = {{Hakbit Ransomware Campaign Against Germany, Austria, Switzerland}}, date = {2020-06-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland}, language = {English}, urldate = {2020-06-23} } Hakbit Ransomware Campaign Against Germany, Austria, Switzerland
CloudEyE Hakbit
2020-06-15 | VMWare Carbon Black | A C
@online{c:20200615:tau:c60e41f, author = {A C}, title = {{TAU Threat Analysis: Relations to Hakbit Ransomware}}, date = {2020-06-15}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/}, language = {English}, urldate = {2020-06-16} } TAU Threat Analysis: Relations to Hakbit Ransomware
Hakbit
2020-06-10 | Recorded Future | Insikt Group®
@techreport{group:20200610:new:fbd9342, author = {Insikt Group®}, title = {{New Ransomware-as-a-Service Tool ‘Thanos’ Shows Connections to ‘Hakbit}}, date = {2020-06-10}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf}, language = {English}, urldate = {2020-06-11} } New Ransomware-as-a-Service Tool ‘Thanos’ Shows Connections to ‘Hakbit
Hakbit
2020-06-08 | VMWare Carbon Black | A C
@online{c:20200608:tau:f5b25ff, author = {A C}, title = {{TAU Threat Analysis: Hakbit Ransomware}}, date = {2020-06-08}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/}, language = {English}, urldate = {2020-06-10} } TAU Threat Analysis: Hakbit Ransomware
Hakbit
2019-11-04 | ID Ransomware | Andrew Ivanov
@online{ivanov:20191104:hakbit:473fb88, author = {Andrew Ivanov}, title = {{Hakbit Ransomware}}, date = {2019-11-04}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html}, language = {Russian}, urldate = {2020-01-10} } Hakbit Ransomware
Hakbit
Yara Rules
[TLP:WHITE] win_hakbit_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_hakbit_auto {

    // NOTE(review): the family description on this page says Hakbit is written
    // in .NET, yet every sequence below is native x86 code (frame setup,
    // [ebp - x] locals, NTSTATUS-looking constants). Presumably the rule was
    // generated from a native layer (a loader/packer stage or an unpacked
    // memory dump) rather than from the managed payload itself — confirm which
    // artefact this rule is expected to hit before assigning it a confidence
    // level, and do not treat a miss on the managed assembly as "not Hakbit".

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hakbit"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // 16-byte-stride indexing (shl eax, 4) relative to the pointer held in
        // [ebp - 4]. The same idiom recurs in $sequence_6 and $sequence_8, so
        // the three are weaker as independent evidence than their count suggests.
        $sequence_0 = { 40 c1e004 8b4dfc 8d740104 8b45e4 c1e004 8b4dfc }
            // n = 7, score = 300
            //   40                   | inc                 eax
            //   c1e004               | shl                 eax, 4
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8d740104             | lea                 esi, [ecx + eax + 4]
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   c1e004               | shl                 eax, 4
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        // The rel32 operand of the call (e8 ????????) is wildcarded, so the
        // match does not depend on where the callee was placed or relocated.
        // 0xc0000001 has the shape of an NTSTATUS code (STATUS_UNSUCCESSFUL
        // carries this value) — if so this is native Windows error handling,
        // not managed code; confirm against the sample.
        // Overlaps with $sequence_7, which repeats the push/mov/call/pop run.
        $sequence_1 = { 8bec 51 51 c745f8010000c0 e8???????? 58 }
            // n = 6, score = 300
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   c745f8010000c0       | mov                 dword ptr [ebp - 8], 0xc0000001
            //   e8????????           |                     
            //   58                   | pop                 eax

        // Bounded loop: local counter at [ebp - 0xc] compared against 3 and
        // exited with jae; the jump displacement (0x77) is part of the pattern,
        // so a recompiled variant with a different loop body will not match.
        $sequence_2 = { 40 8945f4 837df403 7377 8b45f4 8b4dfc }
            // n = 6, score = 300
            //   40                   | inc                 eax
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df403             | cmp                 dword ptr [ebp - 0xc], 3
            //   7377                 | jae                 0x79
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        // Indirect call through an object pointer held in [ebp - 4] plus 0x18
        // (a vtable-style slot), with the signed result checked for failure.
        // Overlaps with $sequence_9, which starts on this sequence's final jl.
        $sequence_3 = { ff7508 8b45fc 83c018 ffd0 8945f8 837df800 0f8ca8000000 }
            // n = 7, score = 300
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83c018               | add                 eax, 0x18
            //   ffd0                 | call                eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   0f8ca8000000         | jl                  0xae

        $sequence_4 = { 8b4dfc 8b44810c 2b450c 8945f0 8365ec00 eb07 8b45ec }
            // n = 7, score = 300
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b44810c             | mov                 eax, dword ptr [ecx + eax*4 + 0xc]
            //   2b450c               | sub                 eax, dword ptr [ebp + 0xc]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8365ec00             | and                 dword ptr [ebp - 0x14], 0
            //   eb07                 | jmp                 9
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]

        // Tail of a byte-copy loop (backward short jmp) followed by a function
        // epilogue; ret 0x14 fixes the callee-cleaned argument size at 20 bytes,
        // which is a stdcall-style signature detail worth noting when triaging.
        $sequence_5 = { 88040a ebd2 e9???????? 8b45f8 5e c9 c21400 }
            // n = 7, score = 300
            //   88040a               | mov                 byte ptr [edx + ecx], al
            //   ebd2                 | jmp                 0xffffffd4
            //   e9????????           |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c21400               | ret                 0x14

        // Zeroing fields of a 16-byte record (offsets +8 and +0xc) indexed by
        // [ebp - 0x18] << 4. Overlaps with $sequence_8 (shared run
        // 8b45e8 c1e004 8b4dfc 8364010c00) and shares its idiom with $sequence_0.
        $sequence_6 = { 8364010c00 8b45e8 c1e004 8b4dfc c644010800 8b45e8 c1e004 }
            // n = 7, score = 300
            //   8364010c00           | and                 dword ptr [ecx + eax + 0xc], 0
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   c1e004               | shl                 eax, 4
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   c644010800           | mov                 byte ptr [ecx + eax + 8], 0
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   c1e004               | shl                 eax, 4

        // Continuation of $sequence_1: the returned value is masked with
        // 0xfffff000 (page-aligned, 4 KiB granularity) before being stored,
        // which is consistent with native address handling rather than .NET.
        $sequence_7 = { 51 c745f8010000c0 e8???????? 58 2500f0ffff 8945fc 837d1400 }
            // n = 7, score = 300
            //   51                   | push                ecx
            //   c745f8010000c0       | mov                 dword ptr [ebp - 8], 0xc0000001
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   2500f0ffff           | and                 eax, 0xfffff000
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   837d1400             | cmp                 dword ptr [ebp + 0x14], 0

        // Same 16-byte record initialisation as $sequence_6 (zero word at +0xa,
        // then the shared run that $sequence_6 begins with).
        $sequence_8 = { 33c9 8b55fc 66894c020a 8b45e8 c1e004 8b4dfc 8364010c00 }
            // n = 7, score = 300
            //   33c9                 | xor                 ecx, ecx
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   66894c020a           | mov                 word ptr [edx + eax + 0xa], cx
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   c1e004               | shl                 eax, 4
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8364010c00           | and                 dword ptr [ecx + eax + 0xc], 0

        // Starts on the jl that ends $sequence_3 and continues with a second
        // indirect call through slot 0 of the same object pointer.
        $sequence_9 = { 0f8ca8000000 ff7508 8b45fc ff10 }
            // n = 4, score = 300
            //   0f8ca8000000         | jl                  0xae
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   ff10                 | call                dword ptr [eax]

    condition:
        // 7 of 10 sequences are required, but three pairs are overlapping
        // byte runs ($sequence_1/$sequence_7, $sequence_3/$sequence_9,
        // $sequence_6/$sequence_8), so a file that hits one member of a pair
        // will usually hit the other; the effective evidence threshold is lower
        // than "7 independent fragments". The filesize cap (656384 bytes =
        // exactly 641 KiB) means larger artefacts — full process memory dumps,
        // padded or repacked samples — can never match regardless of content;
        // presumably tuned to the reference sample, so widen it deliberately if
        // scanning such inputs.
        7 of them and filesize < 656384
}