win.hive

Hive


Hive is a strain of ransomware first observed in June 2021. It is run as a Ransomware-as-a-Service (RaaS) operation: the core group supplies the payload and infrastructure, and affiliates — including relatively inexperienced cyber-criminals — carry out the intrusions, which have hit healthcare providers, energy providers, charities, and retailers across the globe.
In 2022 the payload was rewritten from Go (Golang) to Rust (see the Microsoft and Bleeping Computer references below for the Windows and Linux/ESXi variants respectively).

References
2023-05-16KrebsOnSecurityBrian Krebs
@online{krebs:20230516:russian:b526450, author = {Brian Krebs}, title = {{Russian Hacker “Wazawaka” Indicted for Ransomware}}, date = {2023-05-16}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/}, language = {English}, urldate = {2023-05-21} } Russian Hacker “Wazawaka” Indicted for Ransomware
Babuk Hive LockBit LockBit Babuk Hive LockBit
2023-04-18MandiantMandiant
@online{mandiant:20230418:mtrends:af1a28e, author = {Mandiant}, title = {{M-Trends 2023}}, date = {2023-04-18}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023}, language = {English}, urldate = {2023-04-18} } M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-02-02KrollStephen Green, Elio Biasiotto
@online{green:20230202:hive:4624808, author = {Stephen Green and Elio Biasiotto}, title = {{Hive Ransomware Technical Analysis and Initial Access Discovery}}, date = {2023-02-02}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery}, language = {English}, urldate = {2023-04-22} } Hive Ransomware Technical Analysis and Initial Access Discovery
BATLOADER Cobalt Strike Hive
2023-01-11Rapid7 LabsEoin Miller
@online{miller:20230111:increasing:b0201c6, author = {Eoin Miller}, title = {{Increasing The Sting of HIVE Ransomware}}, date = {2023-01-11}, organization = {Rapid7 Labs}, url = {https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/}, language = {English}, urldate = {2023-01-13} } Increasing The Sting of HIVE Ransomware
Hive
2022-11-28Github (reecdeep)reecdeep
@online{reecdeep:20221128:hivev5:ddd645c, author = {reecdeep}, title = {{HiveV5 file decryptor PoC}}, date = {2022-11-28}, organization = {Github (reecdeep)}, url = {https://github.com/reecdeep/HiveV5_file_decryptor}, language = {English}, urldate = {2022-12-29} } HiveV5 file decryptor PoC
Hive Hive
2022-11-21MalwarebytesMalwarebytes
@techreport{malwarebytes:20221121:20221121:f4c6d35, author = {Malwarebytes}, title = {{2022-11-21 Threat Intel Report}}, date = {2022-11-21}, institution = {Malwarebytes}, url = {https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf}, language = {English}, urldate = {2022-11-25} } 2022-11-21 Threat Intel Report
404 Keylogger Agent Tesla Formbook Hive Remcos
2022-08-22MicrosoftMicrosoft
@online{microsoft:20220822:extortion:67c26d4, author = {Microsoft}, title = {{Extortion Economics - Ransomware’s new business model}}, date = {2022-08-22}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v}, language = {English}, urldate = {2022-08-31} } Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-07-26YoroiLuigi Martire, Carmelo Ragusa
@online{martire:20220726:footsteps:cd2ba49, author = {Luigi Martire and Carmelo Ragusa}, title = {{On the FootSteps of Hive Ransomware}}, date = {2022-07-26}, organization = {Yoroi}, url = {https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/}, language = {English}, urldate = {2022-07-28} } On the FootSteps of Hive Ransomware
Hive Hive
2022-07-22YoroiLuigi Martire, Carmelo Ragusa
@techreport{martire:20220722:footsteps:138e516, author = {Luigi Martire and Carmelo Ragusa}, title = {{On The Footsteps of Hive Ransomware}}, date = {2022-07-22}, institution = {Yoroi}, url = {https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf}, language = {English}, urldate = {2022-07-28} } On The Footsteps of Hive Ransomware
Hive Hive
2022-07-05MicrosoftMicrosoft Threat Intelligence Center (MSTIC)
@online{mstic:20220705:hive:840b6e9, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{Hive ransomware gets upgrades in Rust}}, date = {2022-07-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/}, language = {English}, urldate = {2022-07-13} } Hive ransomware gets upgrades in Rust
Hive
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@online{nazarov:20220623:hateful:9c6bf9a, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}}, date = {2022-06-23}, organization = {Kaspersky}, url = {https://securelist.com/modern-ransomware-groups-ttps/106824/}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-06-15ThreatStopOfir Ashman
@online{ashman:20220615:first:a157972, author = {Ofir Ashman}, title = {{First Conti, then Hive: Costa Rica gets hit with ransomware again}}, date = {2022-06-15}, organization = {ThreatStop}, url = {https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again}, language = {English}, urldate = {2022-06-27} } First Conti, then Hive: Costa Rica gets hit with ransomware again
Conti Hive Conti Hive
2022-05-20AdvIntelYelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-03CiscoKendall McKay, Paul Eubanks., JAIME FILSON
@online{mckay:20220503:conti:c764c61, author = {Kendall McKay and Paul Eubanks. and JAIME FILSON}, title = {{Conti and Hive ransomware operations: Leveraging victim chats for insights}}, date = {2022-05-03}, organization = {Cisco}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098}, language = {English}, urldate = {2022-05-04} } Conti and Hive ransomware operations: Leveraging victim chats for insights
Conti Hive
2022-05-03Talos IntelligenceJON MUNSHAW
@online{munshaw:20220503:conti:ae16fc1, author = {JON MUNSHAW}, title = {{Conti and Hive ransomware operations: What we learned from these groups' victim chats}}, date = {2022-05-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html}, language = {English}, urldate = {2022-05-04} } Conti and Hive ransomware operations: What we learned from these groups' victim chats
Conti Hive
2022-05-02Cisco TalosKendall McKay, Paul Eubanks, JAIME FILSON
@techreport{mckay:20220502:conti:330e34b, author = {Kendall McKay and Paul Eubanks and JAIME FILSON}, title = {{Conti and Hive ransomware operations: Leveraging victim chats for insights}}, date = {2022-05-02}, institution = {Cisco Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf}, language = {English}, urldate = {2022-05-04} } Conti and Hive ransomware operations: Leveraging victim chats for insights
Cobalt Strike Conti Hive
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
@online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-21Sentinel LABSAntonis Terefos
@online{terefos:20220421:nokoyawa:72ae5e2, author = {Antonis Terefos}, title = {{Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise}}, date = {2022-04-21}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/}, language = {English}, urldate = {2022-04-24} } Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
Hive Karma Nemty Nokoyawa Ransomware
2022-04-20Bleeping ComputerBill Toulas
@online{toulas:20220420:microsoft:c1073df, author = {Bill Toulas}, title = {{Microsoft Exchange servers hacked to deploy Hive ransomware}}, date = {2022-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/}, language = {English}, urldate = {2022-04-24} } Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-04-19VaronisNadav Ovadia
@online{ovadia:20220419:hive:51c5eb7, author = {Nadav Ovadia}, title = {{Hive Ransomware Analysis}}, date = {2022-04-19}, organization = {Varonis}, url = {https://www.varonis.com/blog/hive-ransomware-analysis}, language = {English}, urldate = {2022-04-25} } Hive Ransomware Analysis
Cobalt Strike Hive MimiKatz
2022-04-18AdvIntelVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive
2022-04-12ConnectWiseConnectWise CRU
@online{cru:20220412:threat:ea9a60f, author = {ConnectWise CRU}, title = {{Threat Profile: Hive}}, date = {2022-04-12}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/hive-profile}, language = {English}, urldate = {2022-04-13} } Threat Profile: Hive
Hive
2022-03-31SC MediaSC Staff
@online{staff:20220331:novel:ef704af, author = {SC Staff}, title = {{Novel obfuscation leveraged by Hive ransomware}}, date = {2022-03-31}, organization = {SC Media}, url = {https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware}, language = {English}, urldate = {2022-04-05} } Novel obfuscation leveraged by Hive ransomware
Cobalt Strike Hive
2022-03-30The RecordJonathan Greig
@online{greig:20220330:hive:b23a103, author = {Jonathan Greig}, title = {{Hive ransomware shuts down California health care organization}}, date = {2022-03-30}, organization = {The Record}, url = {https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/}, language = {English}, urldate = {2022-03-31} } Hive ransomware shuts down California health care organization
Hive Hive
2022-03-30Bleeping ComputerBill Toulas
@online{toulas:20220330:hive:2c0ba4d, author = {Bill Toulas}, title = {{Hive ransomware uses new 'IPfuscation' trick to hide payload}}, date = {2022-03-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/}, language = {English}, urldate = {2022-03-31} } Hive ransomware uses new 'IPfuscation' trick to hide payload
Hive
2022-03-29SentinelOneJames Haughom, Antonis Terefos, Jim Walter, Jeff Cavanaugh, Nick Fox, Shai Tilias
@online{haughom:20220329:from:5e4b8cc, author = {James Haughom and Antonis Terefos and Jim Walter and Jeff Cavanaugh and Nick Fox and Shai Tilias}, title = {{From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection}}, date = {2022-03-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/}, language = {English}, urldate = {2022-03-31} } From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection
Cobalt Strike Hive
2022-03-27Bleeping ComputerLawrence Abrams
@online{abrams:20220327:hive:4b2408f, author = {Lawrence Abrams}, title = {{Hive ransomware ports its Linux VMware ESXi encryptor to Rust}}, date = {2022-03-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/}, language = {English}, urldate = {2022-03-29} } Hive ransomware ports its Linux VMware ESXi encryptor to Rust
BlackCat Hive Hive
2022-03-18Trend MicroTrend Micro Research
@online{research:20220318:ransomware:db77bd2, author = {Trend Micro Research}, title = {{Ransomware Spotlight: Hive}}, date = {2022-03-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive}, language = {English}, urldate = {2022-03-28} } Ransomware Spotlight: Hive
Hive Hive
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-24LIFARSVlad Pasca
@online{pasca:20220224:how:77b74bc, author = {Vlad Pasca}, title = {{How to Decrypt the Files Encrypted by the Hive Ransomware}}, date = {2022-02-24}, organization = {LIFARS}, url = {https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/}, language = {English}, urldate = {2022-03-01} } How to Decrypt the Files Encrypted by the Hive Ransomware
Hive Hive
2022-02-21Security AffairsPierluigi Paganini
@online{paganini:20220221:flaw:0b723b0, author = {Pierluigi Paganini}, title = {{A flaw in the encryption algorithm of Hive Ransomware allows retrieving encrypted files}}, date = {2022-02-21}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html}, language = {English}, urldate = {2022-02-26} } A flaw in the encryption algorithm of Hive Ransomware allows retrieving encrypted files
Hive Hive
2022-02-19The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220219:master:8d77715, author = {Ravie Lakshmanan}, title = {{Master Key for Hive Ransomware Retrieved Using a Flaw in its Encryption Algorithm}}, date = {2022-02-19}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html}, language = {English}, urldate = {2022-02-26} } Master Key for Hive Ransomware Retrieved Using a Flaw in its Encryption Algorithm
Hive Hive
2022-02-18The RecordCatalin Cimpanu
@online{cimpanu:20220218:academics:d2f3045, author = {Catalin Cimpanu}, title = {{Academics publish method for recovering data encrypted by the Hive ransomware}}, date = {2022-02-18}, organization = {The Record}, url = {https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/}, language = {English}, urldate = {2022-02-19} } Academics publish method for recovering data encrypted by the Hive ransomware
Hive Hive
2022-02-18Kookmin UniversityGiyoon Kim, Soram Kim, Soojin Kang, Jongsung Kim
@techreport{kim:20220218:method:4b41876, author = {Giyoon Kim and Soram Kim and Soojin Kang and Jongsung Kim}, title = {{A Method for Decrypting Data Infected with Hive Ransomware}}, date = {2022-02-18}, institution = {Kookmin University}, url = {https://arxiv.org/pdf/2202.08477.pdf}, language = {English}, urldate = {2022-02-19} } A Method for Decrypting Data Infected with Hive Ransomware
Hive Hive
2021-12-16INCIBE-CERTINCIBE
@techreport{incibe:20211216:hive:22d0add, author = {INCIBE}, title = {{Hive Analysis Study}}, date = {2021-12-16}, institution = {INCIBE-CERT}, url = {https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_hive_2021_v1.pdf}, language = {Spanish}, urldate = {2022-01-25} } Hive Analysis Study
Hive
2021-12-09Group-IBDmitry Shestakov, Andrey Zhdanov
@online{shestakov:20211209:inside:2dc8bd6, author = {Dmitry Shestakov and Andrey Zhdanov}, title = {{Inside the Hive: Deep dive into Hive RaaS, analysis of latest samples}}, date = {2021-12-09}, organization = {Group-IB}, url = {https://blog.group-ib.com/hive}, language = {English}, urldate = {2022-01-24} } Inside the Hive: Deep dive into Hive RaaS, analysis of latest samples
Hive Hive
2021-12-03Github (rivitna)Andrey Zhdanov
@online{zhdanov:20211203:hive:7d25585, author = {Andrey Zhdanov}, title = {{Hive Demo and IoCs}}, date = {2021-12-03}, organization = {Github (rivitna)}, url = {https://github.com/rivitna/Malware/tree/main/Hive}, language = {English}, urldate = {2021-12-22} } Hive Demo and IoCs
Hive Hive
2021-09-10NetskopeGustavo Palazolo
@online{palazolo:20210910:hive:e875859, author = {Gustavo Palazolo}, title = {{Hive Ransomware: Actively Targeting Hospitals}}, date = {2021-09-10}, organization = {Netskope}, url = {https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals}, language = {English}, urldate = {2021-09-14} } Hive Ransomware: Actively Targeting Hospitals
Hive
2021-08-25FBIFBI
@techreport{fbi:20210825:mc000150mw:39f2584, author = {FBI}, title = {{MC-000150-MW: Indicators of Compromise Associated with Hive Ransomware}}, date = {2021-08-25}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210825.pdf}, language = {English}, urldate = {2021-08-30} } MC-000150-MW: Indicators of Compromise Associated with Hive Ransomware
Hive
2021-08-24Palo Alto Networks Unit 42Ruchna Nigam, Doel Santos
@online{nigam:20210824:ransomware:dfd3e4b, author = {Ruchna Nigam and Doel Santos}, title = {{Ransomware Groups to Watch: Emerging Threats}}, date = {2021-08-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emerging-ransomware-groups/}, language = {English}, urldate = {2021-08-24} } Ransomware Groups to Watch: Emerging Threats
HelloKitty AvosLocker HelloKitty Hive LockBit
2021-08-23Sentinel LABSJim Walter, Juan Andrés Guerrero-Saade
@online{walter:20210823:hive:5a17aae, author = {Jim Walter and Juan Andrés Guerrero-Saade}, title = {{Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare}}, date = {2021-08-23}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/}, language = {English}, urldate = {2021-08-25} } Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare
Hive
Yara Rules
[TLP:WHITE] win_hive_auto (20230407 | Detects win.hive.)
rule win_hive_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.hive."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTE
     * The per-instruction disassembly comments in the published rule did not
     * line up with the hex bytes next to them (e.g. 31c0 was annotated as
     * "inc eax" although it encodes "xor eax, eax"). They have been re-derived
     * by hand from the opcode bytes below. Only the hex inside { } is what
     * YARA matches; the comments are reading aids, nothing more.
     * Sequences 17, 19 and 21 carry REX prefixes (40 / 48), so at least part
     * of the sample set is x86-64; register names below keep the 32-bit
     * spelling used by the generator except where a REX prefix changes the
     * operand (sil/dil, rsp, rax).
     * The "score" presumably reflects how many reference samples contained a
     * sequence (100 per sample) -- unverified; the score-100 sequences come
     * from a single sample and will generalise least.
     */


    strings:
        $sequence_0 = { 31c0 b91d000000 31d2 31db }
            // n = 4, score = 300
            //   31c0                 | xor                 eax, eax
            //   b91d000000           | mov                 ecx, 0x1d
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx

        $sequence_1 = { b807000000 b9d4000000 31d2 31db }
            // n = 4, score = 300
            //   b807000000           | mov                 eax, 7
            //   b9d4000000           | mov                 ecx, 0xd4
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx

        $sequence_2 = { 31c0 eb17 0fb6940482000000 0fb674041c }
            // n = 4, score = 200
            //   31c0                 | xor                 eax, eax
            //   eb17                 | jmp                 short +0x17
            //   0fb6940482000000     | movzx               edx, byte ptr [esp + eax + 0x82]
            //   0fb674041c           | movzx               esi, byte ptr [esp + eax + 0x1c]

        $sequence_3 = { 89d1 e8???????? b801000000 e8???????? }
            // n = 4, score = 200
            //   89d1                 | mov                 ecx, edx
            //   e8????????           | call                rel32 (target wildcarded)
            //   b801000000           | mov                 eax, 1
            //   e8????????           | call                rel32 (target wildcarded)

        $sequence_4 = { 31c0 eb16 0fb69404a6000000 0fb674041c }
            // n = 4, score = 200
            //   31c0                 | xor                 eax, eax
            //   eb16                 | jmp                 short +0x16
            //   0fb69404a6000000     | movzx               edx, byte ptr [esp + eax + 0xa6]
            //   0fb674041c           | movzx               esi, byte ptr [esp + eax + 0x1c]

        $sequence_5 = { 31c0 eb0c 31d2 31c0 }
            // n = 4, score = 200
            //   31c0                 | xor                 eax, eax
            //   eb0c                 | jmp                 short +0xc
            //   31d2                 | xor                 edx, edx
            //   31c0                 | xor                 eax, eax

        $sequence_6 = { 89d1 e8???????? b802000000 e8???????? }
            // n = 4, score = 200
            //   89d1                 | mov                 ecx, edx
            //   e8????????           | call                rel32 (target wildcarded)
            //   b802000000           | mov                 eax, 2
            //   e8????????           | call                rel32 (target wildcarded)

        $sequence_7 = { 89d0 b90d000000 e8???????? b90d000000 }
            // n = 4, score = 200
            //   89d0                 | mov                 eax, edx
            //   b90d000000           | mov                 ecx, 0xd
            //   e8????????           | call                rel32 (target wildcarded)
            //   b90d000000           | mov                 ecx, 0xd

        $sequence_8 = { 39b100000000 750a e8???????? e8???????? }
            // n = 4, score = 200
            //   39b100000000         | cmp                 dword ptr [ecx + 0], esi
            //   750a                 | jne                 short +0xa
            //   e8????????           | call                rel32 (target wildcarded)
            //   e8????????           | call                rel32 (target wildcarded)

        $sequence_9 = { 31c9 31d2 31db 31f6 31ff eb09 }
            // n = 6, score = 200
            //   31c9                 | xor                 ecx, ecx
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx
            //   31f6                 | xor                 esi, esi
            //   31ff                 | xor                 edi, edi
            //   eb09                 | jmp                 short +0x9

        $sequence_10 = { 89d9 e8???????? e8???????? e8???????? }
            // n = 4, score = 200
            //   89d9                 | mov                 ecx, ebx
            //   e8????????           | call                rel32 (target wildcarded)
            //   e8????????           | call                rel32 (target wildcarded)
            //   e8????????           | call                rel32 (target wildcarded)

        $sequence_11 = { 89d9 e8???????? 31c0 e8???????? }
            // n = 4, score = 200
            //   89d9                 | mov                 ecx, ebx
            //   e8????????           | call                rel32 (target wildcarded)
            //   31c0                 | xor                 eax, eax
            //   e8????????           | call                rel32 (target wildcarded)

        $sequence_12 = { 31c9 31d2 bb01000000 beae000000 }
            // n = 4, score = 200
            //   31c9                 | xor                 ecx, ecx
            //   31d2                 | xor                 edx, edx
            //   bb01000000           | mov                 ebx, 1
            //   beae000000           | mov                 esi, 0xae

        $sequence_13 = { 31c0 eb16 0fb6940493000000 0fb674041e }
            // n = 4, score = 200
            //   31c0                 | xor                 eax, eax
            //   eb16                 | jmp                 short +0x16
            //   0fb6940493000000     | movzx               edx, byte ptr [esp + eax + 0x93]
            //   0fb674041e           | movzx               esi, byte ptr [esp + eax + 0x1e]

        $sequence_14 = { 01c8 89c1 c1e91f ffc9 }
            // n = 4, score = 100
            //   01c8                 | add                 eax, ecx
            //   89c1                 | mov                 ecx, eax
            //   c1e91f               | shr                 ecx, 0x1f
            //   ffc9                 | dec                 ecx

        $sequence_15 = { 01c2 b8ffffff03 21c5 21c3 }
            // n = 4, score = 100
            //   01c2                 | add                 edx, eax
            //   b8ffffff03           | mov                 eax, 0x3ffffff
            //   21c5                 | and                 ebp, eax
            //   21c3                 | and                 ebx, eax

        $sequence_16 = { 01c1 83c101 83f90c 0f820fffffff }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   83c101               | add                 ecx, 1
            //   83f90c               | cmp                 ecx, 0xc
            //   0f820fffffff         | jb                  rel32 -0xf1 (backward loop edge)

        // NOTE(review): sequences 17-21 share a "shl by 6, movzx a byte, add"
        // shape, which looks like 6-bit symbol packing (base64-style); not
        // verified against a sample.
        $sequence_17 = { 01c1 c1e106 400fb6d6 01ca }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   c1e106               | shl                 ecx, 6
            //   400fb6d6             | movzx               edx, sil   (40 = REX prefix, x86-64)
            //   01ca                 | add                 edx, ecx

        $sequence_18 = { 01c1 c1e106 0fb6c2 01c8 }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   c1e106               | shl                 ecx, 6
            //   0fb6c2               | movzx               eax, dl
            //   01c8                 | add                 eax, ecx

        $sequence_19 = { 01c0 4000f8 0fb6c0 48898424b0000000 }
            // n = 4, score = 100
            //   01c0                 | add                 eax, eax
            //   4000f8               | add                 al, dil   (40 = REX prefix, x86-64)
            //   0fb6c0               | movzx               eax, al
            //   48898424b0000000     | mov                 qword ptr [rsp + 0xb0], rax   (48 = REX.W)

        $sequence_20 = { 01ca c1e206 0fb6c3 01d0 }
            // n = 4, score = 100
            //   01ca                 | add                 edx, ecx
            //   c1e206               | shl                 edx, 6
            //   0fb6c3               | movzx               eax, bl
            //   01d0                 | add                 eax, edx

        $sequence_21 = { 01c8 c1e006 400fb6cf 01c1 }
            // n = 4, score = 100
            //   01c8                 | add                 eax, ecx
            //   c1e006               | shl                 eax, 6
            //   400fb6cf             | movzx               ecx, dil   (40 = REX prefix, x86-64)
            //   01c1                 | add                 ecx, eax

    condition:
        // At least 7 of the 22 sequences must be present. The filesize ceiling,
        // 7946240 = 0x794000 (~7.6 MiB), is a hard-coded bound taken from the
        // reference samples: a padded or otherwise larger build of the same
        // code falls outside it and will not match, so treat this rule as a
        // low-cost triage signal rather than a definitive one.
        7 of them and filesize < 7946240
}
[TLP:WHITE] win_hive_w0   (20211222 | Hive v3 ransomware Windows/Linux/FreeBSD payload)
rule win_hive_w0 {
    meta:
        author = "rivitna"
        family = "ransomware.hive"
        description = "Hive v3 ransomware Windows/Linux/FreeBSD payload"
        source = "https://github.com/rivitna/Malware/blob/main/Hive/Hive.yar"
        severity = 10
        score = 100
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive"
        malpedia_rule_date = "20211222"
        malpedia_hash = ""
        malpedia_version = "20211222"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // $h*: hand-picked instruction fragments. Each starts with a
        // "mov r32, imm32" (B8+rd, low register nibble wildcarded) loading a
        // distinctive constant, then within a bounded gap an
        // "imul r32, r/m32, imm32" (69 /r) and/or an "lea" (8D /r) with a
        // fixed displacement. Constants are little-endian in the bytes:
        //   $h0: mov r32, 0x8DDA5203 ; imul ..., 0x000E7000 ; lea ..., 0x00019000
        //   $h1: mov r32, 0x80604837 ; imul ..., 0x000FF400 ; lea ..., 0x00000C00
        //   $h2: mov r32, 0xA3D70A3E ; shl/shr r32 (C1 /4 or /5) by 0x0F, or by
        //        0x2F followed by a REX prefix (4?) on the 64-bit build ;
        //        imul ..., 0x00019000
        // NOTE(review): what these constants compute is not established here;
        // treat them as opaque fingerprints of the v3 build.
        $h0 = { B? 03 52 DA 8D [6-12] 69 ?? 00 70 0E 00 [14-20]
                8D ?? 00 90 01 00 }
        $h1 = { B? 37 48 60 80 [4-12] 69 ?? 00 F4 0F 00 [2-10]
                8D ?? 00 0C 00 00 }
        $h2 = { B? 3E 0A D7 A3 [2-6] C1 E? ( 0F | 2F 4?)
                69 ?? 00 90 01 00 }

        // $x*: a run of stores into the stack frame (SIB byte 24 = esp base):
        // "mov byte ptr [esp+disp], 0xFF" (C6 84 24 disp32 / C6 44 24 disp8),
        // several "mov [esp+disp], r32" (89 /r), ending in
        // "mov byte ptr [esp+disp], 0x34". $x0 is the disp32 form of the
        // construct, $x1 the disp8 form of the first stores.
        // NOTE(review): looks like a byte table being assembled on the stack;
        // the meaning of the 0xFF / 0x34 markers is not established here.
        $x0 = { C6 84 24 ?? 00 00 00 FF [0-14] 89 ?? 24 ?? 00 00 00 [0-6]
                89 ?? 24 ?? 0? 00 00 [0-20] C6 84 24 ?? 0? 00 00 34 }
        $x1 = { C6 44 24 ?? FF [0-14] 89 ?? 24 ?? [0-6] 89 ?? 24 ?? [0-12]
                C6 84 24 ?? 00 00 00 34 }

    condition:
        // File-format gate: an MZ header whose e_lfanew (uint32 at 0x3C)
        // points at a "PE\0\0" signature, or the ELF magic 0x7F 'E' 'L' 'F'
        // read as a little-endian uint32. The ELF branch covers both the
        // Linux and the FreeBSD builds named in the description; no bitness
        // or architecture check is applied. If e_lfanew points past the end
        // of the file the inner uint32() is undefined and the PE branch
        // simply fails rather than erroring.
        // Then either two of the constant fragments or one of the stack-store
        // patterns must be present. Unlike the auto-generated rule there is
        // no filesize ceiling, so this rule also fires on padded builds.
        (((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) or
         (uint32(0) == 0x464C457F)) and
        (
            (2 of ($h*)) or (1 of ($x*))
        )
}