{
	"id": "0341068f-4acf-464c-9c2b-90c0a00fbec5",
	"created_at": "2026-04-10T03:20:00.665751Z",
	"updated_at": "2026-04-10T03:22:17.700322Z",
	"deleted_at": null,
	"sha1_hash": "51f7c9205ffee204098353ca1b159bb68fda8952",
	"title": "GitHub - reecdeep/HiveV5_file_decryptor: Hive v5 file decryption algorithm",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 406452,
	"plain_text": "GitHub - reecdeep/HiveV5_file_decryptor: Hive v5 file decryption algorithm\r\nBy reecdeep\r\nArchived: 2026-04-10 02:34:43 UTC\r\nHiveV5 file decryptor PoC\r\nIntroduction\r\nThe work of the last few months was needed to reveal the file encryption mechanism of Hive v5 to v5.2. It was divided into two parts:\r\n1. Keystream decryption\r\n2. File decryption using the decrypted keystream\r\nI would like to thank the great @rivitna for the support, dialogue and advice of these months of work! Please take note of rivitna's GitHub, full of useful information about Hive ransomware and more.\r\nThis readme gives some information about the file decryption algorithm and refers you to the PoC for a more complete picture of how it works. A keystream is an encrypted cleartext. A cleartext is a block of 0xA00000 bytes to which its first 0x2FFF00 bytes have been appended, for a total of 0xCFFF00 bytes. These bytes were generated with the weak algorithm already discussed in the first part, released in July 2022. Below is an example of a cleartext (shown as an image in the original README).\r\nhttps://github.com/reecdeep/HiveV5_file_decryptor\r\nPage 1 of 4\r\nThe Hive sample analyzed and referred to in this document was chosen from the list created by @rivitna, to whom my warmest thanks go. To get an idea of the complexity of the ransomware, take a look at the analysis published by the Microsoft Threat Intelligence Center (MSTIC).\r\nFile encryption algorithm\r\nThe cleartext (a decrypted keystream) is used by Hive ransomware when encrypting each file.\r\n
When encrypting a file, Hive ransomware calculates two integers (offsets) that point to precise positions in the cleartext and uses them to encrypt the file according to the following formula (an image in the original README), where c = i % 0x2FFF00 and d = i % 0x2FFD00, with i as a byte counter.\r\nThe encrypted file extension\r\nThe preliminary operations before writing a file are:\r\nRenaming the file using MoveFileExW and changing its extension;\r\nWriting the renamed file with the result of the XOR operation shown above.\r\nHere too the cleartext plays a fundamental role. It is used to:\r\n1. Determine the keystream ID (first 6 bytes) using a hash function\r\n2. Encrypt the positions (offsets) used to extract bytes from the cleartext\r\nHowever, the first offset is encrypted using a fixed position of the cleartext that differs for each Hive 5/5.1/5.2 sample: a kind of magic value. In many Hive 5/5.1 artifacts this magic value appears explicitly in a memory reference, as in this case, 0x98072A:\r\nor this one, 0x7539D:\r\nBut in the next piece of evidence the for loop is slightly different and has been written so as not to expose the magic value we need to identify. This concerns an artifact belonging to Hive 5.2:\r\nIn this case it is possible to use the offset brute-force function present in the released tool, using a file with a known extension and the corresponding decrypted keystream.\r\n
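As an added example (my code, not the README's text nor the released tool), the Python below implements the byte-wise XOR described above and the signature check behind the offset brute-force. The extracted text carries the periods c = i % 0x2FFF00 and d = i % 0x2FFD00, but the formula itself survived only as an image, so the way the two offsets and the two cleartext bytes combine (table[offset1 + c] XOR table[offset2 + d], with both offsets below 0xA00000) is an assumption; it is consistent with the appended 0x2FFF00 bytes, which are exactly what is needed so that offset + period never runs past the end of the table without a modulo. How the offsets are recovered from an encrypted file (the magic position) is not given in the text, so find_offsets takes its candidate pairs from the caller. The keystream, offsets, file contents and candidate range are constructed.

```python
import os

CLEARTEXT_SIZE = 0xA00000                     # size of the Hive v5 cleartext proper
TAIL_SIZE = 0x2FFF00                          # its first TAIL_SIZE bytes are appended again
KEYSTREAM_SIZE = CLEARTEXT_SIZE + TAIL_SIZE   # 0xCFFF00, as stated in the README
PERIOD_1 = 0x2FFF00                           # c = i % PERIOD_1
PERIOD_2 = 0x2FFD00                           # d = i % PERIOD_2

SIGNATURES = {
    # Known leading bytes of the file types the README names (hex, no escapes).
    'pdf': b'%PDF',
    'png': bytes.fromhex('89504e470d0a1a0a'),
    'jpg': bytes.fromhex('ffd8ff'),
    'office': bytes.fromhex('504b0304'),   # OOXML (docx/xlsx/pptx) is a ZIP container
}


def extend_cleartext(cleartext):
    # Build the 0xCFFF00-byte table: the 0xA00000-byte cleartext followed by a
    # copy of its own first 0x2FFF00 bytes. Then table[n] == cleartext[n % 0xA00000]
    # for every n below KEYSTREAM_SIZE, so offset + period needs no modulo.
    if len(cleartext) != CLEARTEXT_SIZE:
        raise ValueError('cleartext must be exactly 0xA00000 bytes')
    return cleartext + cleartext[:TAIL_SIZE]


def xor_stream(data, table, offset1, offset2):
    # Assumed combination (the formula is an image in the original): byte i is
    # XORed with table[offset1 + (i % 0x2FFF00)] and table[offset2 + (i % 0x2FFD00)].
    # XOR is its own inverse, so the same routine encrypts and decrypts.
    if len(table) != KEYSTREAM_SIZE:
        raise ValueError('table must be the extended 0xCFFF00-byte cleartext')
    if not (0 <= offset1 < CLEARTEXT_SIZE and 0 <= offset2 < CLEARTEXT_SIZE):
        raise ValueError('offsets must lie inside the 0xA00000-byte cleartext')
    out = bytearray(len(data))
    for i, b in enumerate(data):
        out[i] = b ^ table[offset1 + i % PERIOD_1] ^ table[offset2 + i % PERIOD_2]
    return bytes(out)


def matches_signature(enc_head, table, offset1, offset2, signature):
    # The check behind the README's brute-force: decrypt only as many leading
    # bytes as the known signature is long and compare.
    n = len(signature)
    return xor_stream(enc_head[:n], table, offset1, offset2) == signature


def find_offsets(enc_head, table, candidates, signature):
    # candidates: iterable of (offset1, offset2) pairs produced by whatever
    # derivation the caller implements (the README derives them from the
    # sample's magic position, which the extracted text does not specify).
    # Returns the first pair that decrypts the head to the signature, else None.
    for offset1, offset2 in candidates:
        if matches_signature(enc_head, table, offset1, offset2, signature):
            return offset1, offset2
    return None


def random_cleartext():
    # Constructed stand-in for a decrypted Hive v5 keystream; a real one comes
    # from the first part of the author's work, not from this function.
    return os.urandom(CLEARTEXT_SIZE)


def demo():
    # Round trip on a constructed PDF-like file, then recover the offsets with
    # the signature check over a small, constructed candidate range.
    table = extend_cleartext(random_cleartext())
    offset1, offset2 = 0x123456, 0x0ABCDE   # constructed, not from any sample
    plain = b'%PDF-1.7' + bytes(range(256)) * 8
    enc = xor_stream(plain, table, offset1, offset2)
    if xor_stream(enc, table, offset1, offset2) != plain:
        return False
    candidates = ((o1, offset2) for o1 in range(offset1 - 0x100, offset1 + 0x100))
    return find_offsets(enc[:16], table, candidates, SIGNATURES['pdf']) == (offset1, offset2)


if __name__ == '__main__':
    print('round trip and offset search ok:', demo())
```

demo() shows the whole flow on constructed data; with a real decrypted keystream you would replace random_cleartext() and feed find_offsets the candidate pairs your own footer parsing produces.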
Using the header of the encrypted file and the header of the unencrypted file, it is possible to work out the offset from which the decryptor must start decrypting the file.\r\nThe file encryption mode can have two values: 0xFB or 0xFF.\r\n0xFB means that the ransomware encrypted the entire file without leaving any portion unencrypted.\r\n0xFF means that the ransomware calculated an NCB (not encrypted block) size for each file and encrypted blocks of 0x100000 bytes. For the calculation of the size of the unencrypted blocks and of the cleartext offset, refer to the PoC code.\r\nUsage\r\nThe program offers two options:\r\n1. Decryption of files using the decrypted keystream. You need to enter the special offset present in the sample that encrypted the files.\r\n2. Given a file with a known header (PDF, JPG, PNG, Office files), brute-force the possible value of the special offset by decrypting the first bytes and looking for a match with the known signature.\r\nReferences\r\nhttps://github.com/rivitna/Malware/blob/main/Hive/Hive_samples.txt\r\nSource: https://github.com/reecdeep/HiveV5_file_decryptor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/reecdeep/HiveV5_file_decryptor"
	],
	"report_names": [
		"HiveV5_file_decryptor"
	],
	"threat_actors": [],
	"ts_created_at": 1775791200,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51f7c9205ffee204098353ca1b159bb68fda8952.pdf",
		"text": "https://archive.orkl.eu/51f7c9205ffee204098353ca1b159bb68fda8952.txt",
		"img": "https://archive.orkl.eu/51f7c9205ffee204098353ca1b159bb68fda8952.jpg"
	}
}