# ON THE FOOTSTEPS OF HIVE RANSOMWARE 22/07/2022 ----- 2 ----- ## DEFENCE BELONGS TO HUMANS…. 3 ----- 22/07/2022 Report delivery Luigi Martire, Carmelo Ragusa |Date|Activity|Author| |---|---|---| |22/07/2022|Report delivery|Luigi Martire, Carmelo Ragusa| |||| |||| |||| |||| 4 ----- ## Table of Content Table of Content ........................................................................................................................................................................ 5 Introduction ............................................................................................................................................................................... 6 About Hive .................................................................................................................................................................................. 6 Timeline of the development of Hive Ransomware .............................................................................................................. 7 Victimology ................................................................................................................................................................................. 9 Hive v1 ...................................................................................................................................................................................... 11 Hive v2 ...................................................................................................................................................................................... 14 Hive v3 ...................................................................................................................................................................................... 17 Linux/FreeBSD version ........................................................................................................................................................... 17 Hive v3 ESXI .............................................................................................................................................................................. 19 Hive v4 ...................................................................................................................................................................................... 21 Hive v5 ...................................................................................................................................................................................... 21 Conclusion ................................................................................................................................................................................ 26 Appendix .................................................................................................................................................................................. 27 Indicators of Compromise .................................................................................................................................................. 27 Yara Rules ............................................................................................................................................................................. 28 5 ----- ## Introduction Hive ransomware is one of the most active financially motivated threat actors of this period, adopting the current Double Extorsion model. They started their malicious activities in June of the past year, and just in a year of activity they collected a big number of victims, demonstrating the capability to hit even critical infrastructures. The criminal group distinguished from other ones also for attacking healthcare organization during the 2021 when [we had to face off the Covid-19 pandemic. It was emblematic that one of the first victims was the Memorial Health](https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/) System in August 2021. For these reasons, Yoroi’s Malware ZLab decided to keep track of this infamous threat actor and observe any modification of its modus operandi, in order to provide a guideline focusing on the evolution of the locker sample of the cyber gang. ## About Hive Hive (TH-313) is a Ransomware group firstly spotted in June 2021 and it gathered a big popularity inside the cybersecurity community because it was able to attack a large variety of sectors, starting from healthcare facilities and arriving to critical infrastructures, passing through manufacturers during just a year of activity. In addition, the group was able to refine its toolkit and then its TTPs with a surprising speed: the business model is the Double-Extorsion and Ransomware-as-a-Service, with a self-made ransomware payload. Figure 1: Hive (TH-313) 6 ----- So, in this report we have decided to focus our attention on the ransomware payload evolution, providing a timeline of the development of Hive Ransomware Payloads. ## Timeline of the development of Hive Ransomware Inside the criminal group, there is surely a high-profile development team, with deep knowledge of programming in both newer and older programming languages. The first versions of the encryptor payload are written in Golang, then, starting from the v5 version, the dev team of Hive switched into Rust. Figure 2: Leak site In the following timeline, we provide a quick overview of the evolution of the malware and how the cyber gang adopted an incremental development process on its TTPs: 7 ----- Figure 3: Hive Timeline In the same way, even the Ransom Note changed during the evolution: first, the credentials were hardcoded inside the sample, but now the operators pass them as a parameter when the locker process is launched. Below a comparison between an earlier version and a later one: Figure 4: Ransom note comparison 8 ----- ## Victimology During its activity, Hive Group hit a large number of victims and during that period some of them paid the ransom, after that the victims were removed from the “walk of shame”. We tracked a total of 130 victims listed on their leak site, the affected companies belong to different sectors and nations. However, we have evidence that occasionally some victims of the group, despite being attacked by the threat actor, are never reported onto the site. Moreover, the group does not exclude hospitals, companies that provide medical equipment and non-profit organizations. An example is the attack on the "Memorial Health System" in August 2021 or more recently on the "Partnership HealthPlan of California", a non-profit organization. The following graph shows the total progress of the victims so far, indicating that the group is consolidating its role as one of the principal threats in the panorama. Figure 5: Hive Ransomware Victims Progress over time Another view of the same information is represented in the following graph, where the focus is pointed to highlight the month in which most victims were published on their leak site, which turns out to be July 2021, shortly after the group started. So, it means that the ransomware operators gathered a consistent number of victims during the startup phase, in order to create a solid placement inside the threat landscape. After that phase, the gang continued to threaten with huge aggression. 9 ----- Figure 6: Hive Victims Per Month 10 ----- ## Hive v1 Hash 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1 Threat Ransomware Brief Description Hive Ransomware v1 SSDEEP 12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67 jM4v4kCSPDjlLtbwt8IQLH Table 1: Hive v1 The first version, written in Golang, was a sophisticated encryptor program, but, due to the newness of the malicious activity, there is no track of obfuscation, and the strings can be easily seen, the following figure shows some of the available parameters: Figure 7: Available parameters The initial effort of the gang was to make a product quite customizable according to the infection and the encryption process to perform. In this way, the malware writers provided a series of parameters to launch an ad hoc infection profile. The following table describes all the available parameters found in this version: 11 |BERSECURITY Hive v1|Y ANNUAL REPORT| |---|---| |Hash|88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1| |Threat|Ransomware| |Brief Description|Hive Ransomware v1| |SSDEEP|12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67 jM4v4kCSPDjlLtbwt8IQLH| ----- |Parameter|Description| |---|---| |-kill|Regex, names of the processes to kill. Default values: “mspub|msdesktop”| |-no-clean|Skip clean disk space stage| |-skip|Regex, names of the files to skip. Default values: “\\.lnk”| |-skip-before|Skip files before a specific date. Defaut value: “03.09.2016”| |-stop|Regex, names of the services to stop. Default values: "bmr|sql|oracle|postgres|redis|vss|backup|sstp"| |-t|Number of threads| Table 2: Hive v1 Parameters Once the parameters are parsed, creating the desired infection profile, the control flow passes to the core malicious operations. Figure 8: Hive core function The locker sample proceeds to export the key, to kill the processes and services specified and to remove the shadow copies then it iterates the directories and starts encrypting the files. 12 ----- The core of the encryption scheme of Hive ransomware is a union of XOR+RSA algorithms. In the figure below we can see the XOR related routine: Figure 9: Usage of XOR algorithm Then, in this first version, it uses “.hive” as extension to the encrypted files, later it is used a unique ID instead. Moreover, the RemoveItself routine drops “hive.bat” to remove itself. But, since the second version of the malware calls the related function after the encryption is complete: Figure 10: hive.bat **RemoveShadowCopies drops “shadow.bat” to remove the shadow copies, from the second version will directly** execute the command instead of dropping a .bat: Figure 11: shadow.bat 13 ----- ## Hive v2 Hash 25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5 Threat Ransomware Brief Description Hive Ransomware v2 SSDEEP 12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgV:dod1HDmlD dkZ4YXPpaTTXMw Table 3: Hive v2 With the second version of Hive, the malware writers started to complicate the code in order to make the analysis more difficult for the analyst. The initial step is to obfuscate the “Go Build ID” header present in all golang- written binaries. Figure 12: Strings comparison The simple trick causes that, when opening a disassembler, like IDA, the analyst can immediately see Golang not being recognized. However, a simple fix provides the overwriting of the build-id with a legit one. Figure 13: “Go Build ID” patch In addition, now the strings are obfuscated, and the names of the functions present inside the main are not visible in cleartext: 14 |BERSECURITY Hive v2|Y ANNUAL REPORT| |---|---| |Hash|25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5| |Threat|Ransomware| |Brief Description|Hive Ransomware v2| |SSDEEP|12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgV:dod1HDmlD dkZ4YXPpaTTXMw| ----- Figure 14: Obfuscated parameters In the following screen two different routines for the strings obfuscation is provided: Figure 15: Strings decryption routines 15 ----- The help command has also changed, it has more default values, the “-t” and “-skip” parameters have been removed, “-grant” has been added and “-no-clean” renamed to “-no-wipe” **Parameter** **Description** -grant Grant permissions to all files -kill Regex, names of the processes to kill. Default values: "agntsvc|sql|CNTAoSMgr|dbeng50|dbsnmp|encsvc|excel|firefoxconfig|infopath|mbamtray|msaccess |mspub|mydesktop|Ntrtscan|ocautoupds|ocomm|ocssd|onenote|oracle|outlook|PccNTMon|powerp nt|sqbcoreservice|steam|synctime|tbirdconfig|thebat|thunderbird|tmlisten|visio|word|xfssvccon|zo olz" -no-wipe Skip wipe of free space -stop Regex, names of the services to stop. Default values: "acronis|AcrSch2Svc|Antivirus|ARSM|AVP|backup|bedbg|CAARCUpdateSvc|CASAD2DWebSvc|ccEvtMg r|ccSetMgr|Culserver|dbeng8|dbsrv12|DCAgent|DefWatch|EhttpSrv|ekrn|Enterprise Client Service|EPSecurityService|EPUpdateService|EraserSvc11710|EsgShKernel|ESHASRV|FA_Scheduler|fireb ird|IISAdmin|IMAP4Svc|Intuit|KAVFS|KAVFSGT|kavfsslp|klnagent|macmnsvc|masvc|MBAMService|MB EndpointAgent|McAfee|McShield|McTaskManager|memtas|mepocs|mfefire |mfemms|mfevtp|MMS|MsDtsServer|MsDtsServer100|MsDtsServer110|msexchange|msmdsrv|MSOL AP|MVArmor|MVarmor64|NetMsmqActivator|ntrtscan|oracle|PDVFSService|POP3Svc|postgres|QBCF MonitorService|QBFCService|QBIDPService|redis|report|RESvc|RTVscan|sacsvr|SamSs|SAVAdminServi ce|SavRoam|SAVService|SDRSVC|SepMasterService|ShMonitor|Smcinst|SmcService|SMTPSvc|SNAC|S ntpService|sophos|sql|SstpSvc|stc_raw_agent|^svc|swi_|Symantec|TmCCSF|tmlisten|tomcat|TrueKey |UI0Detect|veeam|vmware|vss|W3Svc|wbengine|WebClient|wrapper|WRSVC|WSBExchange|YooIT|z hudongfangyu|Zoolz" Table 4: Hive v2 parameters The string obfuscation process does not impact the structure of the main function, following a comparison of these two versions. Figure 16: Functions name comparison 16 |Parameter|Description| |---|---| |-grant|Grant permissions to all files| |-kill|Regex, names of the processes to kill. Default values: "agntsvc|sql|CNTAoSMgr|dbeng50|dbsnmp|encsvc|excel|firefoxconfig|infopath|mbamtray|msaccess |mspub|mydesktop|Ntrtscan|ocautoupds|ocomm|ocssd|onenote|oracle|outlook|PccNTMon|powerp nt|sqbcoreservice|steam|synctime|tbirdconfig|thebat|thunderbird|tmlisten|visio|word|xfssvccon|zo olz"| |-no-wipe|Skip wipe of free space| |-stop|Regex, names of the services to stop. Default values: "acronis|AcrSch2Svc|Antivirus|ARSM|AVP|backup|bedbg|CAARCUpdateSvc|CASAD2DWebSvc|ccEvtMg r|ccSetMgr|Culserver|dbeng8|dbsrv12|DCAgent|DefWatch|EhttpSrv|ekrn|Enterprise Client Service|EPSecurityService|EPUpdateService|EraserSvc11710|EsgShKernel|ESHASRV|FA_Scheduler|fireb ird|IISAdmin|IMAP4Svc|Intuit|KAVFS|KAVFSGT|kavfsslp|klnagent|macmnsvc|masvc|MBAMService|MB EndpointAgent|McAfee|McShield|McTaskManager|memtas|mepocs|mfefire |mfemms|mfevtp|MMS|MsDtsServer|MsDtsServer100|MsDtsServer110|msexchange|msmdsrv|MSOL AP|MVArmor|MVarmor64|NetMsmqActivator|ntrtscan|oracle|PDVFSService|POP3Svc|postgres|QBCF MonitorService|QBFCService|QBIDPService|redis|report|RESvc|RTVscan|sacsvr|SamSs|SAVAdminServi ce|SavRoam|SAVService|SDRSVC|SepMasterService|ShMonitor|Smcinst|SmcService|SMTPSvc|SNAC|S ntpService|sophos|sql|SstpSvc|stc_raw_agent|^svc|swi_|Symantec|TmCCSF|tmlisten|tomcat|TrueKey |UI0Detect|veeam|vmware|vss|W3Svc|wbengine|WebClient|wrapper|WRSVC|WSBExchange|YooIT|z hudongfangyu|Zoolz"| ----- ## Hive v3 Hash 8a461e66ae8a53ffe98d1e2e1dc52d015c11d67bd9ed09eb4be2124efd73ccd5 Threat Ransomware Brief Description Hive Ransomware v3 SSDEEP 49152:gWVNVvSGbjmrb/T6vO90dL3BmAFd4A64nsfJuhQ8jmp4S3C5CEg+eNgiQJfOqAD:gWYQjPhQC mppnMfO Table 5: Hive v3 In this version the “-skip” parameter has been restored and, in another sample (3858e95bcf18c692f8321e3f8380c39684edb90bb622f37911144950602cea21), we found a new parameter named “scan”: **Parameter** **Description** -scan Scan local network for shares Table 6: Hive v3 Additional parameters Comparing the logs from the v1 we can spot the following differences: - The key name is longer and it has a random extension - It shows the time elapsed for the encryption of each file Figure 17: Comparison of logs ## Linux/FreeBSD version The third version of the development of Hive ransomware saw the porting of the codebase for other operating systems, such as Linux/FreeBSD and ESXi. The Linux (12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185) and FreeBSD (bdf3d5f4f1b7c90dfc526340e917da9e188f04238e772049b2a97b4f88f711e3) versions are almost identical to the Windows one, despite the obvious OS differences. One of those differences is the following function “KillNonRoot” aimed at killing all non-root processes: 17 |BERSECURIT Hive v3|TY ANNUAL REPORT| |---|---| |Hash|8a461e66ae8a53ffe98d1e2e1dc52d015c11d67bd9ed09eb4be2124efd73ccd5| |Threat|Ransomware| |Brief Description|Hive Ransomware v3| |SSDEEP|49152:gWVNVvSGbjmrb/T6vO90dL3BmAFd4A64nsfJuhQ8jmp4S3C5CEg+eNgiQJfOqAD:gWYQjPhQC mppnMfO| |Parameter|Description| |---|---| |-scan|Scan local network for shares| ----- Figure 18: “KillNonRoot” Function 18 ----- ## Hive v3 ESXI Hash 822d89e7917d41a90f5f65bee75cad31fe13995e43f47ea9ea536862884efc25 Threat Ransomware Brief Description Hive Ransomware v3 SSDEEP 3072:3Zp7gZzdfvjRCMj1Yk36ioyJ1zgjIlOhXYopNL+V7o0xvvkB/37Nt7xhew8A2Mz:P7g Dj8S1Hlx14+opNClvk977ew8A2M Table 7: Hive v3 ESXI In this case, the malware is written in C/C++, in order to have a better compatibility with the target operating system, the strings are not obfuscated, and we have found some new parameters: **Parameter** **Description** -no-stop Don’t stop virtual machines -low-cpu Single thread encryption Table 8: Hive v3 ESXI Parameters After the routine of exporting the keys already seen in the previous paragraphs, the sample stops all the running virtual machines in order to encrypt them without problems: Figure 19: “Stopping virtual machines The ransom note contains also a reference to not delete or reinstall the virtual machines: 19 |Hash|822d89e7917d41a90f5f65bee75cad31fe13995e43f47ea9ea536862884efc25| |---|---| |Threat|Ransomware| |Brief Description|Hive Ransomware v3| |SSDEEP|3072:3Zp7gZzdfvjRCMj1Yk36ioyJ1zgjIlOhXYopNL+V7o0xvvkB/37Nt7xhew8A2Mz:P7g Dj8S1Hlx14+opNClvk977ew8A2M| |Parameter|Description| |---|---| |-no-stop|Don’t stop virtual machines| |-low-cpu|Single thread encryption| ----- Figure 20: Ransom note As said, the objective of this version is to encrypt the virtual machines hosted on the ESXi server, so, the malware goes to find the virtual machines deployed on the server, by using a custom regex aimed at finding the words “vm” or “vs”. Figure 21: Regex for ESXI version 20 ----- ## Hive v4 Hash 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277 Threat Ransomware Brief Description Hive Ransomware v4 SSDEEP 49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA:e2ANB04yIa0h sirubO Table 9: Hive v4 The fourth version of Hive locker is an effort to obfuscate also the code. We haven’t noticed new features or upgrades except for a more serious obfuscation of the code and changes in the details of the key generation and encryption. In detail, this version adopts the control flow flattering obfuscation technique, which is largely adopted by many attackers, thanks to its actual effectiveness. Below an example of that technique: Figure 22: Control flattening obfuscation ## Hive v5 The fifth version of hive represents a sort of revolution inside the entire codebase. In this version, the major differences include the changing of the base programming language and the refinement encryption algorithm. Hash b6b1ea26464c92c3d25956815c301caf6fa0da9723a2ef847e2bb9cd11563d8b Threat Ransomware Brief Description Hive Ransomware v5.2 SSDEEP 12288:BLF6OtM1z8JLbA689tSfvTvFSYIzp4yzhrWbttQfaa4Gxjzgdlo/AhwN/eh9z/E:BLF6 gb0xqx9z/EO3BxhR Table 10: Hive v5 Hive is now written in Rust and for this reason the difficulty has increased, along with a complex encryption scheme makes the analysis harder even for experienced analysts. The refinement of the encryption process considers the passing from “XOR+RSA” of the previous versions, arriving to “ECDH+Curve25519+XChaCha20-Poly1305” 21 |BERSECURIT Hive v4|TY ANNUAL REPORT| |---|---| |Hash|33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277| |Threat|Ransomware| |Brief Description|Hive Ransomware v4| |SSDEEP|49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA:e2ANB04yIa0h sirubO| |Hash|b6b1ea26464c92c3d25956815c301caf6fa0da9723a2ef847e2bb9cd11563d8b| |---|---| |Threat|Ransomware| |Brief Description|Hive Ransomware v5.2| |SSDEEP|12288:BLF6OtM1z8JLbA689tSfvTvFSYIzp4yzhrWbttQfaa4Gxjzgdlo/AhwN/eh9z/E:BLF6 gb0xqx9z/EO3BxhR| ----- For this version we found the following parameters: **Parameter** **Description** -no-local Don’t encrypt local files -no-mounted Don’t encrypt on mounted network volumes -no-discovery Don’t discover network volumes -local-only Encrypt only local files -network-only Encrypt only network volumes -explicit-only Encrypt specified folders -min-size Minimum file size -timerze-only N/A -da N/A Table 11: Hive v5 parameters Once executed, the sample checks for the parameter “-u”, which should contain the “username:password” used as credentials for the victim and written in the ransom note, if this unique parameter is missing, the program exits. + Figure 23: -u parameter Even the routine to decrypt the ransom note changed. In this case, the protection of the ransom note relies on a XOR key. Figure 24: Decrypted Ransom Note 22 |Parameter|Description| |---|---| |-no-local|Don’t encrypt local files| |-no-mounted|Don’t encrypt on mounted network volumes| |-no-discovery|Don’t discover network volumes| |-local-only|Encrypt only local files| |-network-only|Encrypt only network volumes| |-explicit-only|Encrypt specified folders| |-min-size|Minimum file size| |-timerze-only|N/A| |-da|N/A| ----- Another update is the expansion on the other drives. The sample generates an array of drive labels and uses **GetDriveTypeW to check if the path is invalid:** Figure 25: Finding of logical drives Once the attached volumes are found, it calls FindFirstVolumeW and SetVolumeMountPointW to mount eventual unmounted volumes: Figure 26: Mounting available volumes 23 ----- After that, the operation of privilege escalation is performed though abusing the “TrustedInstaller” service to recover its access token. In this way, the malware is able to read and write files with the same privileges of TrustedInstaller Group. Figure 27: Retrieving TrustedInstaller access token Moreover, in the previous versions, we saw bat files and other escamotages for the erasing of the backup mechanisms provided by the Microsoft Environment. In the fifth version analyzed, there are the following tricks: - vssadmin.exe delete shadows /all /quiet Figure 28: vssadmin - bcedit /set {default} bootstatuspolicy ignoreallfailures Figure 29: bcedit - wbadmin delete systemstatebackup –keepversions:3 24 ----- Figure 30: wbadmin 25 ----- ## Conclusion Hive threat actor is one of the most sophisticated active threats. It does not care about the target, the only objective is to maximize the illicit profits, even by causing the interruption of critical services. The continuous development of the ransomware payload should not be underestimated, and in the same way organizations must upgrade their cyber protections. We at Yoroi ZLab believe that collaboration and sharing more information possible about attackers is the right way to pursue to defend these entities. We know that having to deal with these threats is challenging, so we are pointing to create the best expertise needed to handle such incidents whether they happen. In conclusion, we need to create a solid and reliable strategy to defend our customers. we encourage our customers to make assessments and awareness campaigns for their employees. The goal of the Defence Center of Yoroi is to guarantee the best protection in every phase of the attack, starting from the continuous monitoring arriving to the Incident Response engagements. 26 ----- ## Appendix ### Indicators of Compromise Hive v1 - 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1 (Sample) - d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8 (shadow.bat) Hive v2: - 25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5 Hive v3 - 8a461e66ae8a53ffe98d1e2e1dc52d015c11d67bd9ed09eb4be2124efd73ccd5 Hive v3 Linux/FreeBSD - 12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185 (Linux) - Bdf3d5f4f1b7c90dfc526340e917da9e188f04238e772049b2a97b4f88f711e3 (FreeBSD) Hive v3 ESXI - 822d89e7917d41a90f5f65bee75cad31fe13995e43f47ea9ea536862884efc25 Hive v4 - 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277 Hive v5.2 - b6b1ea26464c92c3d25956815c301caf6fa0da9723a2ef847e2bb9cd11563d8b 27 ----- ### Yara Rules rule hive_v1_32_win { strings: $1 = {648b0d140000008b89000000003b61080f86e401000083ec40e8?2f?feff8b04248b4c240485c90f8556010000b941000000 31d231db8d2d?4??6300eb0341d1e883f95a0f8f29010000a90100000074ed895c2434896c243c894c242489542430894424 288d44242c} condition: $1 and uint16(0) == 0x5A4D } rule hive_v1_64_win { strings: $1 = { 65 4? 8b 0c ?5 28 00 00 00 4? 8b 89 00 00 00 00 4? 3b 61 10 0f 86 ?? ?? ?? ?? 4? 83 ec 40 4? 89 6c ?4 38 4? 8d 6c ?4 38 4? 8b 44 ?4 48 4? 89 04 ?4 e8 ?? ?? ?? ?? 4? 8b 44 ?4 08 4? 8b 4c ?4 10 4? 83 7c ?4 08 00 0f 85 ?? ?? ?? ?? 4? 89 44 ?4 20 4? 89 4c ?4 18 4? 8b 44 ?4 48 4? 89 04 ?4 90 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 0f 1f 40 00 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 0f 1f 40 00 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 0f 1f 40 00 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 0f 1f 40 00 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 80 78 48 00 74 ?? 90 0f 57 c0 0f 11 44 ?4 28 4? 8d 05 ?? ?? ?? ?? 4? 89 ?? ?4 28 4? 8d 05 ?? ?? ?? ?? 4? 89 ?? ?4 30 4? 8d 44 ?4 28 4? 89 04 ?4 4? c7 44 ?4 08 01 00 00 00 4? c7 44 ?4 10 01 00 00 00 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 4? 89 44 ?4 50 4? 8b 44 ?4 18 4? 89 44 ?4 58 4? 8b 6c ?4 38 4? 83 c4 40 c3 4? 89 04 ?4 e8 ?? ?? ?? ?? eb ?? 4? 89 44 ?4 50 4? 89 4c ?4 58 4? 8b 6c ?4 38 4? 83 c4 40 c3 } condition: $1 and uint16(0) == 0x5A4D } rule hive_v2_v3_32_win { strings: //prenotify routine $1 = { 64 8b 0d 14 00 00 00 8b 89 00 00 00 00 3b 61 08 0f 86 ?? ?? ?? ?? 83 ec ?? c7 44 ?4 04 ?? ?? ?? ?? c7 04 ?4 ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b 04 ?4 8b 4c ?4 04 c7 44 ?4 4c 00 00 00 00 c7 44 ?4 50 00 00 00 00 89 04 ?4 89 4c ?4 04 e8 ?? ?? ?? ?? 8b 44 ?4 08 8d 0d ?? ?? ?? ?? 89 4c ?4 4c 89 44 ?4 50 8d 44 ?4 4c 89 04 ?4 c7 44 ?4 04 01 00 00 00 c7 44 ?4 08 01 00 00 00 e8 ?? ?? ?? ?? 8b 44 ?4 68 89 04 ?4 e8 ?? ?? ?? ?? 8b 44 ?4 04 89 44 ?4 48 8b 4c ?4 08 89 4c ?4 38 31 d2 eb ?? } condition: $1 and uint16(0) == 0x5A4D } rule hive_v2_64_win { strings: $1 = {654?8b0c?5280000004?8b89000000004?8d44????4?3b41100f86????????4?81ec????????4?89ac??????????4?8dac??????????4? b8????????????????4?8904?4e8????????e8????????4?8b04?44?8b4c?4080f57c00f1184??????????4?8904?44?894c?408e8???????? 4?8b44?4104?8d0d????????4?898c??????????4?8984??????????4?8d84??????????4?8904?44?c744?408010000004?c744?410010 00000e8????????4?8b84??????????4?8904?40f1f440000e8????????4?8b44?4084?8b4c?4104?85c97e??4?89?c} condition: $1 and uint16(0) == 0x5A4D } 28 ----- rule hive_v3_v4_64_win { strings: $1 = {4? 3b 66 10 0f 86 ?? ?? ?? ?? 4? 83 ec 30 4? 89 6c ?4 28 4? 8d 6c ?4 28 4? 89 44 ?4 20 0f 1f 00 e8 ?? ?? ?? ?? 4? 85 c0 0f 85 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 85 c0 74 ?? 4? 8b 6c ?4 28 4? 83 c4 30 c3 4? 89 44 ?4 10 4? 89 5c ?4 18 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 89 c3 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 90 e8 ?? ?? ?? ?? 4? 8b 44 ?4 10 4? 8b 5c ?4 18 4? 8b 6c ?4 28 4? 83 c4 30 c3 4? 8b 6c ?4 28 4? 83 c4 30 c3} condition: $1 and uint16(0) == 0x5A4D } rule hive_v5_32_win { strings: $1 = {5589e553575681ec440400008b75108b7d0c89d3894dc88d85b0fbffff68000400006a0050e8????????83c40c0fbec3b9abaa aaaa8b0485c0b949008945e889f0f7e1d1ea8d045229c683f60389f0f7e131c9d1ea8d04528d570229c68b45148955cc8975e 48b00} condition: $1 and uint16(0) == 0x5A4D } rule hive_v5_64_win { strings: $1 = {4157415641554154565755534881ec880400004c89cd448844243789d648894c2450488b9c24f0040000488bbc24f804000 0488d8c248800000041b80004000031d2e8??????00480fbec6488d0d??????004c8b24c148b9abaaaaaaaaaaaaaa4889d848f 7e148d1ea488d04524989de4929c64983f6034c89f048f7e148d1ea488d04524929c6488b07} condition: $1 and uint16(0) == 0x5A4D } rule hive_v3_esxi { strings: $s1 = "+ prenotify %s" $s2 = "Stopping VMs" $s3 = "(.+)\\.(.+?)\\.%s$" $s4 = "\\.(vm|vs)\\w+$" $c = {f3 0f 1e fa 55 4? 89 e5 4? 83 ec 20 4? 89 7? ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 89 4? ?? 83 7? ?? 00 74 ?? 8b 4? ?? eb ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 89 4? ?? 83 7? ?? 00 74 ?? 4? 8d 3d ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b 4? ?? eb ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? b8 00 00 00 00 c9 c3} condition: (all of ($s*) or $c) and uint32(0) == 0x464C457F } 29 ----- **Yoroi S.r.l.** **www.yoroi.company -** **[info@yoroi.company](mailto:info@yoroi.company)** **Piazza Sallustio, 9** 00187 – Roma (RM) +39 (051) 0301005 Yoroi S.r.l. ® 2014-2021 – Tutti i diritti riservati Yoroi S.r.l. società soggetta ad attività di direzione e coordinamento esercitata dalla Tinexta S.p.A. Yoroi ® è un marchio registrato Registrazione N°: 016792947 30 -----