win.hakbit

Hakbit

aka: Thanos Ransomware

Hakbit ransomware is written in .NET. It uploads (some of) the files it is about to encrypt to an FTP server.
The ransom note is embedded in the binary, in earlier versions as a plain string and later as a base64-encoded string. In some versions, these strings are slightly obfuscated.

Contact is via an email address hosted on Protonmail: the original Hakbit used hakbit@, while the more recent "KiraLock" variant uses kiraransom@ (among others, of course).

References

2022-05-16 Department of Justice: Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals (APPLICATION FOR AN ARREST WARRANT) [Hakbit]
2022-03-23 Security Boulevard (Rajdeepsinh Dodia): Midas Ransomware: Tracing the Evolution of Thanos Ransomware Variants [Hakbit, Midas]
2022-03-23 Zscaler (Rajdeepsinh Dodia): Midas Ransomware: Tracing the Evolution of Thanos Ransomware Variants [Hakbit, Midas]
2022-02-17 Sekoia: The story of a ransomware builder: from Thanos to Spook and beyond (Part 1) [Hakbit]
2021-11-01 IBM (Aaron Gdanski, Limor Kessem): From Thanos to Prometheus: When Ransomware Encryption Goes Wrong [Hakbit, Prometheus]
2021-10-07 Kaspersky (Fedor Sinitsyn, Yanis Zinchenko): Ransomware in the CIS [Cryakl, Dharma, Hakbit, Phobos, Void]
2021-07-22 S2W LAB Inc. (TALON): Quick analysis of Haron Ransomware (feat. Avaddon and Thanos) [Avaddon, Hakbit]
2021-07-15 Cybereason (Cybereason Nocturnus): cybereason vs. prometheus ransomware [Hakbit, Prometheus]
2021-06-09 Palo Alto Networks Unit 42 (Doel Santos): Prometheus Ransomware Gang: A Group of REvil? [Hakbit, Prometheus, REvil]
2021-06-05 Cybleinc: Prometheus: An Emerging Ransomware Group Using Thanos Ransomware To Target Organizations [Hakbit]
2021-02-28 PWC UK: Cyber Threats 2020: A Year in Retrospect [elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare, APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Sea Turtle, Tonto Team]
2021-02-23 CrowdStrike: 2021 Global Threat Report [RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader, Evilnum, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER]
2020-11-18 Seqrite (Priyanka Shinde): Thanos Ransomware Evading Anti-ransomware Protection With RIPlace Tactic [Hakbit]
2020-11-16 Intel 471: Ransomware-as-a-service: The pandemic within a pandemic [Avaddon, Clop, Conti, DoppelPaymer, Egregor, Hakbit, Mailto, Maze, Mespinoza, RagnarLocker, REvil, Ryuk, SunCrypt, ThunderX]
2020-09-04 Palo Alto Networks Unit 42 (Robert Falcone): Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa [PowGoop, Hakbit]
2020-06-22 Proofpoint (Proofpoint Threat Research Team, Sherrod DeGrippo): Hakbit Ransomware Campaign Against Germany, Austria, Switzerland [CloudEyE, Hakbit]
2020-06-15 VMWare Carbon Black (A C): TAU Threat Analysis: Relations to Hakbit Ransomware [Hakbit]
2020-06-10 Recorded Future (Insikt Group®): New Ransomware-as-a-Service Tool ‘Thanos’ Shows Connections to ‘Hakbit’ [Hakbit]
2020-06-08 VMWare Carbon Black (A C): TAU Threat Analysis: Hakbit Ransomware [Hakbit]
2019-11-04 ID Ransomware (Andrew Ivanov): Hakbit Ransomware [Hakbit]
Yara Rules
[TLP:WHITE] win_hakbit_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_hakbit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hakbit"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 40 c1e004 8b4dfc 8d740104 8b45e4 c1e004 8b4dfc }
            // n = 7, score = 300
            //   40                   | inc                 eax
            //   c1e004               | shl                 eax, 4
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8d740104             | lea                 esi, [ecx + eax + 4]
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   c1e004               | shl                 eax, 4
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_1 = { 8bec 51 51 c745f8010000c0 e8???????? 58 }
            // n = 6, score = 300
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   c745f8010000c0       | mov                 dword ptr [ebp - 8], 0xc0000001
            //   e8????????           |                     
            //   58                   | pop                 eax

        $sequence_2 = { 40 8945f4 837df403 7377 8b45f4 8b4dfc }
            // n = 6, score = 300
            //   40                   | inc                 eax
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df403             | cmp                 dword ptr [ebp - 0xc], 3
            //   7377                 | jae                 0x79
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_3 = { ff7508 8b45fc 83c018 ffd0 8945f8 837df800 0f8ca8000000 }
            // n = 7, score = 300
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83c018               | add                 eax, 0x18
            //   ffd0                 | call                eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   0f8ca8000000         | jl                  0xae

        $sequence_4 = { 8b4dfc 8b44810c 2b450c 8945f0 8365ec00 eb07 8b45ec }
            // n = 7, score = 300
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b44810c             | mov                 eax, dword ptr [ecx + eax*4 + 0xc]
            //   2b450c               | sub                 eax, dword ptr [ebp + 0xc]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8365ec00             | and                 dword ptr [ebp - 0x14], 0
            //   eb07                 | jmp                 9
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]

        $sequence_5 = { 88040a ebd2 e9???????? 8b45f8 5e c9 c21400 }
            // n = 7, score = 300
            //   88040a               | mov                 byte ptr [edx + ecx], al
            //   ebd2                 | jmp                 0xffffffd4
            //   e9????????           |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c21400               | ret                 0x14

        $sequence_6 = { 8364010c00 8b45e8 c1e004 8b4dfc c644010800 8b45e8 c1e004 }
            // n = 7, score = 300
            //   8364010c00           | and                 dword ptr [ecx + eax + 0xc], 0
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   c1e004               | shl                 eax, 4
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   c644010800           | mov                 byte ptr [ecx + eax + 8], 0
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   c1e004               | shl                 eax, 4

        $sequence_7 = { 51 c745f8010000c0 e8???????? 58 2500f0ffff 8945fc 837d1400 }
            // n = 7, score = 300
            //   51                   | push                ecx
            //   c745f8010000c0       | mov                 dword ptr [ebp - 8], 0xc0000001
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   2500f0ffff           | and                 eax, 0xfffff000
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   837d1400             | cmp                 dword ptr [ebp + 0x14], 0

        $sequence_8 = { 33c9 8b55fc 66894c020a 8b45e8 c1e004 8b4dfc 8364010c00 }
            // n = 7, score = 300
            //   33c9                 | xor                 ecx, ecx
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   66894c020a           | mov                 word ptr [edx + eax + 0xa], cx
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   c1e004               | shl                 eax, 4
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8364010c00           | and                 dword ptr [ecx + eax + 0xc], 0

        $sequence_9 = { 0f8ca8000000 ff7508 8b45fc ff10 }
            // n = 4, score = 300
            //   0f8ca8000000         | jl                  0xae
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   ff10                 | call                dword ptr [eax]

    condition:
        7 of them and filesize < 656384
}