win.hive (Back to overview)

Hive


Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used as a Ransomware-as-a-Service (RaaS) offering, enabling novice cyber-criminals to launch ransomware attacks against healthcare providers, energy providers, charities, and retailers across the globe.
In 2022 the codebase was rewritten from Go (Golang) to Rust.

References
2022-08-22MicrosoftMicrosoft
@online{microsoft:20220822:extortion:67c26d4, author = {Microsoft}, title = {{Extortion Economics - Ransomware’s new business model}}, date = {2022-08-22}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v}, language = {English}, urldate = {2022-08-31} } Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-07-26YoroiLuigi Martire, Carmelo Ragusa
@online{martire:20220726:footsteps:cd2ba49, author = {Luigi Martire and Carmelo Ragusa}, title = {{On the FootSteps of Hive Ransomware}}, date = {2022-07-26}, organization = {Yoroi}, url = {https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/}, language = {English}, urldate = {2022-07-28} } On the FootSteps of Hive Ransomware
Hive Hive
2022-07-22YoroiLuigi Martire, Carmelo Ragusa
@techreport{martire:20220722:footsteps:138e516, author = {Luigi Martire and Carmelo Ragusa}, title = {{On The Footsteps of Hive Ransomware}}, date = {2022-07-22}, institution = {Yoroi}, url = {https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf}, language = {English}, urldate = {2022-07-28} } On The Footsteps of Hive Ransomware
Hive Hive
2022-07-05MicrosoftMicrosoft Threat Intelligence Center (MSTIC)
@online{mstic:20220705:hive:840b6e9, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{Hive ransomware gets upgrades in Rust}}, date = {2022-07-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/}, language = {English}, urldate = {2022-07-13} } Hive ransomware gets upgrades in Rust
Hive
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@online{nazarov:20220623:hateful:9c6bf9a, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}}, date = {2022-06-23}, organization = {Kaspersky}, url = {https://securelist.com/modern-ransomware-groups-ttps/106824/}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-06-15ThreatStopOfir Ashman
@online{ashman:20220615:first:a157972, author = {Ofir Ashman}, title = {{First Conti, then Hive: Costa Rica gets hit with ransomware again}}, date = {2022-06-15}, organization = {ThreatStop}, url = {https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again}, language = {English}, urldate = {2022-06-27} } First Conti, then Hive: Costa Rica gets hit with ransomware again
Conti Hive Conti Hive
2022-05-20AdvIntelYelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-03CiscoKendall McKay, Paul Eubanks, JAIME FILSON
@online{mckay:20220503:conti:c764c61, author = {Kendall McKay and Paul Eubanks and JAIME FILSON}, title = {{Conti and Hive ransomware operations: Leveraging victim chats for insights}}, date = {2022-05-03}, organization = {Cisco}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098}, language = {English}, urldate = {2022-05-04} } Conti and Hive ransomware operations: Leveraging victim chats for insights
Conti Hive
2022-05-03Talos IntelligenceJON MUNSHAW
@online{munshaw:20220503:conti:ae16fc1, author = {JON MUNSHAW}, title = {{Conti and Hive ransomware operations: What we learned from these groups' victim chats}}, date = {2022-05-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html}, language = {English}, urldate = {2022-05-04} } Conti and Hive ransomware operations: What we learned from these groups' victim chats
Conti Hive
2022-05-02Cisco TalosKendall McKay, Paul Eubanks, JAIME FILSON
@techreport{mckay:20220502:conti:330e34b, author = {Kendall McKay and Paul Eubanks and JAIME FILSON}, title = {{Conti and Hive ransomware operations: Leveraging victim chats for insights}}, date = {2022-05-02}, institution = {Cisco Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf}, language = {English}, urldate = {2022-05-04} } Conti and Hive ransomware operations: Leveraging victim chats for insights
Cobalt Strike Conti Hive
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
@online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-21Sentinel LABSAntonis Terefos
@online{terefos:20220421:nokoyawa:72ae5e2, author = {Antonis Terefos}, title = {{Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise}}, date = {2022-04-21}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/}, language = {English}, urldate = {2022-04-24} } Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
Hive Karma Nemty Nokoyawa Ransomware
2022-04-20Bleeping ComputerBill Toulas
@online{toulas:20220420:microsoft:c1073df, author = {Bill Toulas}, title = {{Microsoft Exchange servers hacked to deploy Hive ransomware}}, date = {2022-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/}, language = {English}, urldate = {2022-04-24} } Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-04-19VaronisNadav Ovadia
@online{ovadia:20220419:hive:51c5eb7, author = {Nadav Ovadia}, title = {{Hive Ransomware Analysis}}, date = {2022-04-19}, organization = {Varonis}, url = {https://www.varonis.com/blog/hive-ransomware-analysis}, language = {English}, urldate = {2022-04-25} } Hive Ransomware Analysis
Cobalt Strike Hive MimiKatz
2022-04-18AdvIntelVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive
2022-04-12ConnectWiseConnectWise CRU
@online{cru:20220412:threat:ea9a60f, author = {ConnectWise CRU}, title = {{Threat Profile: Hive}}, date = {2022-04-12}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/hive-profile}, language = {English}, urldate = {2022-04-13} } Threat Profile: Hive
Hive
2022-03-31SC MediaSC Staff
@online{staff:20220331:novel:ef704af, author = {SC Staff}, title = {{Novel obfuscation leveraged by Hive ransomware}}, date = {2022-03-31}, organization = {SC Media}, url = {https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware}, language = {English}, urldate = {2022-04-05} } Novel obfuscation leveraged by Hive ransomware
Cobalt Strike Hive
2022-03-30The RecordJonathan Greig
@online{greig:20220330:hive:b23a103, author = {Jonathan Greig}, title = {{Hive ransomware shuts down California health care organization}}, date = {2022-03-30}, organization = {The Record}, url = {https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/}, language = {English}, urldate = {2022-03-31} } Hive ransomware shuts down California health care organization
Hive Hive
2022-03-30Bleeping ComputerBill Toulas
@online{toulas:20220330:hive:2c0ba4d, author = {Bill Toulas}, title = {{Hive ransomware uses new 'IPfuscation' trick to hide payload}}, date = {2022-03-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/}, language = {English}, urldate = {2022-03-31} } Hive ransomware uses new 'IPfuscation' trick to hide payload
Hive
2022-03-29SentinelOneJames Haughom, Antonis Terefos, Jim Walter, Jeff Cavanaugh, Nick Fox, Shai Tilias
@online{haughom:20220329:from:5e4b8cc, author = {James Haughom and Antonis Terefos and Jim Walter and Jeff Cavanaugh and Nick Fox and Shai Tilias}, title = {{From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection}}, date = {2022-03-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/}, language = {English}, urldate = {2022-03-31} } From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection
Cobalt Strike Hive
2022-03-27Bleeping ComputerLawrence Abrams
@online{abrams:20220327:hive:4b2408f, author = {Lawrence Abrams}, title = {{Hive ransomware ports its Linux VMware ESXi encryptor to Rust}}, date = {2022-03-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/}, language = {English}, urldate = {2022-03-29} } Hive ransomware ports its Linux VMware ESXi encryptor to Rust
BlackCat Hive Hive
2022-03-18Trend MicroTrend Micro Research
@online{research:20220318:ransomware:db77bd2, author = {Trend Micro Research}, title = {{Ransomware Spotlight: Hive}}, date = {2022-03-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive}, language = {English}, urldate = {2022-03-28} } Ransomware Spotlight: Hive
Hive Hive
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-24LIFARSVlad Pasca
@online{pasca:20220224:how:77b74bc, author = {Vlad Pasca}, title = {{How to Decrypt the Files Encrypted by the Hive Ransomware}}, date = {2022-02-24}, organization = {LIFARS}, url = {https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/}, language = {English}, urldate = {2022-03-01} } How to Decrypt the Files Encrypted by the Hive Ransomware
Hive Hive
2022-02-21Security AffairsPierluigi Paganini
@online{paganini:20220221:flaw:0b723b0, author = {Pierluigi Paganini}, title = {{A flaw in the encryption algorithm of Hive Ransomware allows retrieving encrypted files}}, date = {2022-02-21}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html}, language = {English}, urldate = {2022-02-26} } A flaw in the encryption algorithm of Hive Ransomware allows retrieving encrypted files
Hive Hive
2022-02-19The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220219:master:8d77715, author = {Ravie Lakshmanan}, title = {{Master Key for Hive Ransomware Retrieved Using a Flaw in its Encryption Algorithm}}, date = {2022-02-19}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html}, language = {English}, urldate = {2022-02-26} } Master Key for Hive Ransomware Retrieved Using a Flaw in its Encryption Algorithm
Hive Hive
2022-02-18The RecordCatalin Cimpanu
@online{cimpanu:20220218:academics:d2f3045, author = {Catalin Cimpanu}, title = {{Academics publish method for recovering data encrypted by the Hive ransomware}}, date = {2022-02-18}, organization = {The Record}, url = {https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/}, language = {English}, urldate = {2022-02-19} } Academics publish method for recovering data encrypted by the Hive ransomware
Hive Hive
2022-02-18Kookmin UniversityGiyoon Kim, Soram Kim, Soojin Kang, Jongsung Kim
@techreport{kim:20220218:method:4b41876, author = {Giyoon Kim and Soram Kim and Soojin Kang and Jongsung Kim}, title = {{A Method for Decrypting Data Infected with Hive Ransomware}}, date = {2022-02-18}, institution = {Kookmin University}, url = {https://arxiv.org/pdf/2202.08477.pdf}, language = {English}, urldate = {2022-02-19} } A Method for Decrypting Data Infected with Hive Ransomware
Hive Hive
2021-12-16INCIBE-CERTINCIBE
@techreport{incibe:20211216:hive:22d0add, author = {INCIBE}, title = {{Hive Analysis Study}}, date = {2021-12-16}, institution = {INCIBE-CERT}, url = {https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_hive_2021_v1.pdf}, language = {Spanish}, urldate = {2022-01-25} } Hive Analysis Study
Hive
2021-12-09Group-IBDmitry Shestakov, Andrey Zhdanov
@online{shestakov:20211209:inside:2dc8bd6, author = {Dmitry Shestakov and Andrey Zhdanov}, title = {{Inside the Hive: Deep dive into Hive RaaS, analysis of latest samples}}, date = {2021-12-09}, organization = {Group-IB}, url = {https://blog.group-ib.com/hive}, language = {English}, urldate = {2022-01-24} } Inside the Hive: Deep dive into Hive RaaS, analysis of latest samples
Hive Hive
2021-12-03Github (rivitna)Andrey Zhdanov
@online{zhdanov:20211203:hive:7d25585, author = {Andrey Zhdanov}, title = {{Hive Demo and IoCs}}, date = {2021-12-03}, organization = {Github (rivitna)}, url = {https://github.com/rivitna/Malware/tree/main/Hive}, language = {English}, urldate = {2021-12-22} } Hive Demo and IoCs
Hive Hive
2021-09-10NetskopeGustavo Palazolo
@online{palazolo:20210910:hive:e875859, author = {Gustavo Palazolo}, title = {{Hive Ransomware: Actively Targeting Hospitals}}, date = {2021-09-10}, organization = {Netskope}, url = {https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals}, language = {English}, urldate = {2021-09-14} } Hive Ransomware: Actively Targeting Hospitals
Hive
2021-08-25FBIFBI
@techreport{fbi:20210825:mc000150mw:39f2584, author = {FBI}, title = {{MC-000150-MW: Indicators of Compromise Associated with Hive Ransomware}}, date = {2021-08-25}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210825.pdf}, language = {English}, urldate = {2021-08-30} } MC-000150-MW: Indicators of Compromise Associated with Hive Ransomware
Hive
2021-08-24Palo Alto Networks Unit 42Ruchna Nigam, Doel Santos
@online{nigam:20210824:ransomware:dfd3e4b, author = {Ruchna Nigam and Doel Santos}, title = {{Ransomware Groups to Watch: Emerging Threats}}, date = {2021-08-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emerging-ransomware-groups/}, language = {English}, urldate = {2021-08-24} } Ransomware Groups to Watch: Emerging Threats
HelloKitty AvosLocker HelloKitty Hive LockBit
2021-08-23Sentinel LABSJim Walter, Juan Andrés Guerrero-Saade
@online{walter:20210823:hive:5a17aae, author = {Jim Walter and Juan Andrés Guerrero-Saade}, title = {{Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare}}, date = {2021-08-23}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/}, language = {English}, urldate = {2021-08-25} } Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare
Hive
Yara Rules
[TLP:WHITE] win_hive_auto (20220808 | Detects win.hive.)
rule win_hive_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.hive."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTE
     * The instruction column in the per-byte comments below has been re-derived
     * directly from the hex bytes, because the generator's original comment
     * column did not line up with the byte sequences (e.g. 31c0 is xor eax, eax,
     * not shl edx, 6). Only the comments changed; every byte pattern, the
     * "n = .., score = .." lines and the condition are the published values.
     * Several sequences carry 0x40/0x48 REX prefixes (400fb6cf, 4000f8,
     * 48898424b0000000), so at least part of the source material is 64-bit
     * code; register names are given in their 32-bit spelling to match the
     * generator's style (in 64-bit mode esp/eax in memory operands read as
     * rsp/rax). Byte patterns are short (4-6 opcodes) and largely register-
     * clearing / small-constant loads, so expect false positives on unrelated
     * code and rely on the "7 of them" threshold rather than any single string.
     */


    strings:
        $sequence_0 = { 31c0 b9aa000000 31d2 31db }
            // n = 4, score = 300
            //   31c0                 | xor                 eax, eax
            //   b9aa000000           | mov                 ecx, 0xaa
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx

        $sequence_1 = { b804000000 b9df000000 31d2 31db }
            // n = 4, score = 300
            //   b804000000           | mov                 eax, 4
            //   b9df000000           | mov                 ecx, 0xdf
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx

        $sequence_2 = { b803000000 b9b6000000 31d2 31db }
            // n = 4, score = 300
            //   b803000000           | mov                 eax, 3
            //   b9b6000000           | mov                 ecx, 0xb6
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx

        $sequence_3 = { b807000000 b9d4000000 31d2 31db }
            // n = 4, score = 300
            //   b807000000           | mov                 eax, 7
            //   b9d4000000           | mov                 ecx, 0xd4
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx

        $sequence_4 = { 31c0 31c9 31d2 bb06000000 }
            // n = 4, score = 300
            //   31c0                 | xor                 eax, eax
            //   31c9                 | xor                 ecx, ecx
            //   31d2                 | xor                 edx, edx
            //   bb06000000           | mov                 ebx, 6

        $sequence_5 = { 89d1 e8???????? b802000000 e8???????? }
            // n = 4, score = 200
            //   89d1                 | mov                 ecx, edx
            //   e8????????           | call                rel32 (target wildcarded)
            //   b802000000           | mov                 eax, 2
            //   e8????????           | call                rel32 (target wildcarded)

        $sequence_6 = { 31c0 31db 31f6 31ff e9???????? e8???????? }
            // n = 6, score = 200
            //   31c0                 | xor                 eax, eax
            //   31db                 | xor                 ebx, ebx
            //   31f6                 | xor                 esi, esi
            //   31ff                 | xor                 edi, edi
            //   e9????????           | jmp                 rel32 (target wildcarded)
            //   e8????????           | call                rel32 (target wildcarded)

        $sequence_7 = { 0fb6b40495000000 89d7 31f2 01c2 90 }
            // n = 5, score = 200
            //   0fb6b40495000000     | movzx               esi, byte ptr [esp + eax + 0x95]
            //   89d7                 | mov                 edi, edx
            //   31f2                 | xor                 edx, esi
            //   01c2                 | add                 edx, eax
            //   90                   | nop

        $sequence_8 = { 31c0 31c9 31db 31ff eb31 }
            // n = 5, score = 200
            //   31c0                 | xor                 eax, eax
            //   31c9                 | xor                 ecx, ecx
            //   31db                 | xor                 ebx, ebx
            //   31ff                 | xor                 edi, edi
            //   eb31                 | jmp                 short +0x31

        $sequence_9 = { 89c2 e8???????? b801000000 e8???????? }
            // n = 4, score = 200
            //   89c2                 | mov                 edx, eax
            //   e8????????           | call                rel32 (target wildcarded)
            //   b801000000           | mov                 eax, 1
            //   e8????????           | call                rel32 (target wildcarded)

        $sequence_10 = { 01ca c1e206 0fb6c3 01d0 }
            // n = 4, score = 100
            //   01ca                 | add                 edx, ecx
            //   c1e206               | shl                 edx, 6
            //   0fb6c3               | movzx               eax, bl
            //   01d0                 | add                 eax, edx

        $sequence_11 = { 01c2 b8ffffff03 21c5 21c3 }
            // n = 4, score = 100
            //   01c2                 | add                 edx, eax
            //   b8ffffff03           | mov                 eax, 0x3ffffff
            //   21c5                 | and                 ebp, eax
            //   21c3                 | and                 ebx, eax

        $sequence_12 = { 01c8 c1e006 400fb6cf 01c1 }
            // n = 4, score = 100
            //   01c8                 | add                 eax, ecx
            //   c1e006               | shl                 eax, 6
            //   400fb6cf             | movzx               ecx, dil   (REX 0x40; in 32-bit code: inc eax / movzx ecx, bh)
            //   01c1                 | add                 ecx, eax

        $sequence_13 = { 01c1 c1e106 400fb6d6 01ca }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   c1e106               | shl                 ecx, 6
            //   400fb6d6             | movzx               edx, sil   (REX 0x40; in 32-bit code: inc eax / movzx edx, dh)
            //   01ca                 | add                 edx, ecx

        $sequence_14 = { 01c1 83c101 83f90c 0f820fffffff }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   83c101               | add                 ecx, 1
            //   83f90c               | cmp                 ecx, 0xc
            //   0f820fffffff         | jb                  rel32 -0xf1 (loop back-edge)

        $sequence_15 = { 01c0 4000f8 0fb6c0 48898424b0000000 }
            // n = 4, score = 100
            //   01c0                 | add                 eax, eax
            //   4000f8               | add                 al, dil    (REX 0x40; in 32-bit code: inc eax / add al, bh)
            //   0fb6c0               | movzx               eax, al
            //   48898424b0000000     | mov                 qword ptr [rsp + 0xb0], rax   (REX.W)

        $sequence_16 = { 01c1 c1e106 0fb6c2 01c8 }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   c1e106               | shl                 ecx, 6
            //   0fb6c2               | movzx               eax, dl
            //   01c8                 | add                 eax, ecx

        $sequence_17 = { 01c8 89c1 c1e91f ffc9 }
            // n = 4, score = 100
            //   01c8                 | add                 eax, ecx
            //   89c1                 | mov                 ecx, eax
            //   c1e91f               | shr                 ecx, 0x1f
            //   ffc9                 | dec                 ecx

    condition:
        // At least 7 of the 18 sequences must match; the size cap (7946240 bytes,
        // about 7.6 MiB) keeps the rule from being evaluated against large
        // unrelated files where these short generic opcode runs are likely.
        7 of them and filesize < 7946240
}
[TLP:WHITE] win_hive_w0   (20211222 | Hive v3 ransomware Windows/Linux/FreeBSD payload)
rule win_hive_w0 {
    meta:
        author = "rivitna"
        family = "ransomware.hive"
        description = "Hive v3 ransomware Windows/Linux/FreeBSD payload"
        source = "https://github.com/rivitna/Malware/blob/main/Hive/Hive.yar"
        severity = 10
        score = 100
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive"
        malpedia_rule_date = "20211222"
        malpedia_hash = ""
        malpedia_version = "20211222"
        malpedia_sharing = "TLP:WHITE"

    /* Hand-written signature. The $h* patterns pin x86 instruction encodings
     * that carry fixed 32-bit immediates (mov r32, imm32 = B8+r; imul r32,
     * r/m32, imm32 = 69 /r; lea with disp32 = 8D /r); the $x* patterns pin
     * byte stores of 0xFF and 0x34 to stack slots. Which Hive routine these
     * constants come from is not stated on this page -- see the rivitna source
     * linked in meta before assigning meaning to them. malpedia_hash is empty,
     * so this rule is not tied to a specific Malpedia sample.
     */
    strings:
        // B? 03 52 DA 8D -> mov r32, 0x8DDA5203 ; 69 ?? 00 70 0E 00 -> imul r32, r/m32, 0x000E7000 ;
        // 8D ?? 00 90 01 00 -> lea r32, [.. + 0x00019000] (presumed disp32 form)
        $h0 = { B? 03 52 DA 8D [6-12] 69 ?? 00 70 0E 00 [14-20]
                8D ?? 00 90 01 00 }
        // B? 37 48 60 80 -> mov r32, 0x80604837 ; 69 ?? 00 F4 0F 00 -> imul r32, r/m32, 0x000FF400 ;
        // 8D ?? 00 0C 00 00 -> lea r32, [.. + 0xC00]
        $h1 = { B? 37 48 60 80 [4-12] 69 ?? 00 F4 0F 00 [2-10]
                8D ?? 00 0C 00 00 }
        // B? 3E 0A D7 A3 -> mov r32, 0xA3D70A3E ; C1 E? -> shift r32 by imm8 (0x0F, or 0x2F
        // followed by a 0x4? REX byte in the 64-bit build) ; 69 ?? 00 90 01 00 -> imul r32, r/m32, 0x00019000
        $h2 = { B? 3E 0A D7 A3 [2-6] C1 E? ( 0F | 2F 4?)
                69 ?? 00 90 01 00 }

        // disp32 stack-frame form: C6 84 24 disp32 FF -> mov byte ptr [esp+disp32], 0xFF ;
        // 89 ?? 24 disp32 -> mov [esp+disp32], r32 ; ... C6 84 24 disp32 34 -> mov byte ptr [esp+disp32], 0x34
        // (esp reads as rsp in 64-bit code)
        $x0 = { C6 84 24 ?? 00 00 00 FF [0-14] 89 ?? 24 ?? 00 00 00 [0-6]
                89 ?? 24 ?? 0? 00 00 [0-20] C6 84 24 ?? 0? 00 00 34 }
        // same store sequence using the disp8 forms (C6 44 24 disp8 / 89 ?? 24 disp8),
        // ending in the disp32 store of 0x34
        $x1 = { C6 44 24 ?? FF [0-14] 89 ?? 24 ?? [0-6] 89 ?? 24 ?? [0-12]
                C6 84 24 ?? 00 00 00 34 }

    condition:
        // File-type gate: a PE (MZ header and "PE\0\0" at e_lfanew, read via
        // uint32(0x3C)) or an ELF ("\x7FELF" magic, covering Linux and FreeBSD
        // payloads). If e_lfanew points outside the file the nested read is
        // undefined and the PE branch evaluates false, so only the ELF check
        // can still pass. Then either two of the immediate-constant patterns
        // or one of the stack-store patterns must match.
        (((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) or
         (uint32(0) == 0x464C457F)) and
        (
            (2 of ($h*)) or (1 of ($x*))
        )
}