{
	"id": "95fe6efe-b305-4c0d-b75d-2616faac7c75",
	"created_at": "2026-04-06T00:12:55.756976Z",
	"updated_at": "2026-04-10T13:12:40.307667Z",
	"deleted_at": null,
	"sha1_hash": "438e0ddb6954cb506ee063fd39316a8792753edd",
	"title": "Earn-quick-btc-with-hiddentear.mp4 / about open source ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2246969,
	"plain_text": "Earn-quick-btc-with-hiddentear.mp4 / about open source\r\nransomware\r\nBy f0wL\r\nPublished: 2019-10-26 · Archived: 2026-04-05 21:24:42 UTC\r\nSat 26 October 2019 in Ransomware\r\nNo, this will not be a skiddy tutorial on how to earn quick crypto but rather an analysis of the open source\r\nransomware \"Hiddentear\".\r\nA general disclaimer as always: downloading and running the samples linked below will lead to the encryption\r\nof your personal data, so be f$cking careful. Also check with your local laws, as owning malware binaries/\r\nsources might be illegal depending on where you live.\r\n\"Shade Ransomware creater is stupid fxxxxx.exe\" @ Any.Run --\u003e sha256\r\nba978eee90be06b1ce303bbee33c680c2779fbbc5b90c83f0674d6989564a70a\r\nBecause HiddenCrypt is written in C# utilizing the .NET Framework 4, static analysis of the binary will happen in\r\nProgress Telerik JustDecompile and dnSpy. With over 370 forks and about as many stars on GitHub at the time of\r\nwriting this, Hidden Tear is arguably the most popular open source Windows ransomware on the platform.\r\nhttps://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html\r\nPage 1 of 10\n\nThe original ransom note that is dropped to the Desktop by Hidden Tear:\r\nIt uses the RijndaelManaged class implemented in System.Security.Cryptography for the file encryption routine\r\n(which is just a fancy way of saying that victim data is encrypted with AES-256-CBC :D).\r\nBy default Hidden Tear will only spare folders named Windows, Program Files and Program Files (x86) and\r\nencrypt the contents of every directory that doesn't match this condition.\r\nif (!directories[j].Contains(\"Windows\") \u0026\u0026 !directories[j].Contains(\"Program Files\") \u0026\u0026 !directories\r\n{\r\n this.encryptDirectory(directories[j], password);\r\n this.messageCreator(directories[j]);\r\n}\r\nAnother common mechanism to disrupt detection and analysis is a self-deletion routine. After a timeout to ensure\r\nexecution has completed, it simply removes itself via cmd.exe's Del command.\r\npublic void selfDestroy()\r\n{\r\n ProcessStartInfo processStartInfo = new ProcessStartInfo()\r\n {\r\n Arguments = string.Concat(\"/C timeout 2 \u0026\u0026 Del /Q /F \", Application.ExecutablePath),\r\n WindowStyle = ProcessWindowStyle.Hidden,\r\n CreateNoWindow = true,\r\n FileName = \"cmd.exe\"\r\n };\r\n Process.Start(processStartInfo);\r\n}\r\n4shadow variant available @ Any.Run --\u003e sha256\r\nfd5de1631c95041fde92042dd760e1fe27c7fe217d30e6568cc2e69eb812fb85\r\nThis sample was found on the IIS web host of the Mineral Resources Authority of Papua New Guinea and tries to\r\ndisguise itself as a Vodafone PDF invoice.\r\nThrowing the dropped binary into Detect It Easy returns the notice that it pretends to be a WinRAR installer\r\nversion 5.x.\r\nExtracting the strings from the mentioned executable (with a relatively new tool by FireEye called\r\nstringsifter), one can see that it actually includes three references related to WinRAR, the first of which is\r\nD:\\Projects\\WinRAR\\sfx\\build\\sfxrar32\\Release\\sfxrar.pdb. As for a TIL: sfx stands for \"self-extracting\r\narchive\", an archive packaged with an executable stub that extracts it, so it is (more or less) independent of the host system.\r\nWikipedia's got you hooked up.\r\nThe full string dump can be had here. It also contains a number of messages in a foreign language which are\r\nidentified as Turkish by Google Translate:\r\nLoading the binary into JustDecompile, we notice that it was crypted by something called Aika.\r\nThe assembly information also gives away that ConfuserEx is involved. The payload section confirms\r\nthat hint, as we have an encrypted payload that is fetched at runtime and then executed via RunPE.\r\nBelow you can see a screenshot of the Aika Crypter. As I already mentioned, it is based on ConfuserEx and\r\nincludes the other run-of-the-mill evasion techniques and injections (RunPE or self).\r\nThis sample also features an anti-debugging check via IsDebuggerPresent. Nothing we haven't seen before either.\r\n(▀̿̿Ĺ̯̿̿▀̿ ̿)\r\nOpen Source Ransomware (Malware)?\r\nThe main reason why projects like Hidden Tear exist is to use them as a training model and PoC to handle \"real\"\r\nransomware more efficiently. Critics say that OSS malware will never match real threats - which is definitely true\r\nto some extent - and that it only promotes building weaponized versions of it. On the other hand, OSS ransomware\r\nis very useful to get a true baseline reading from a sandbox system, since you know for sure what it will do next.\r\nSo what should you think about it now? If you ask me, the bad outweighs the good here: every day multiple new\r\nweaponized versions of Hidden Tear hit AnyRun, VT and Co. that are packed/obfuscated or modified with\r\nnumerous evasion techniques. If it shows us one thing, it's that building ransomware isn't hard. Even worse: it is\r\nnot like ransomware is a dual-use tool (like e.g. a hammer). Nobody will call you out for building a PoC binary to\r\nbetter understand the inner workings and how to analyse it afterwards. Don't get me wrong: I'm a HUGE advocate\r\nof open source software, but please don't push your \"Proof of Concepts\" to GitHub if they can literally be turned\r\ninto malware by exchanging a URL and Bitcoin address.\r\nIOCs\r\nHidden Tear (SHA256 / SSDEEP)\r\n454364vodafone-e-fatura.exe\r\nfd5de1631c95041fde92042dd760e1fe27c7fe217d30e6568cc2e69eb812fb85\r\n24576:8NA3R5drXfZAeMQ7MSTlRVHJ88iV4npWuSp008q75pVQNohig1w2YHgLo/:95BAvu7TD1YV0xJYtYOhHdYHr/\r\ncryptoJoker.exe / \"Shade Ransomware creater is stupid fxxxxx.exe\"\r\nba978eee90be06b1ce303bbee33c680c2779fbbc5b90c83f0674d6989564a70a\r\n12288:gnSKwjzsZpds2JbrpolSKwjzuZpXs2JTypo:USKwWes6lSKw88s/\r\nURLs\r\nhxxp://fairybreathes.6te[.]net/write.php?info=\r\nAffected File Extensions\r\n\".txt\", \".doc\", \".docx\", \".xls\", \".xlsx\", \".ppt\", \".pptx\", \".odt\", \"jpeg\", \".png\", \".csv\", \".sql\", \"\r\nSource: https://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html"
	],
	"report_names": [
		"earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434375,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/438e0ddb6954cb506ee063fd39316a8792753edd.pdf",
		"text": "https://archive.orkl.eu/438e0ddb6954cb506ee063fd39316a8792753edd.txt",
		"img": "https://archive.orkl.eu/438e0ddb6954cb506ee063fd39316a8792753edd.jpg"
	}
}