{
	"id": "c635a66d-ac6f-4511-9519-f573d9190936",
	"created_at": "2026-04-06T00:14:55.972555Z",
	"updated_at": "2026-04-10T03:36:17.349614Z",
	"deleted_at": null,
	"sha1_hash": "597502602df9b03c54f3f1940033d0a9964933f7",
	"title": "UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2472465,
	"plain_text": "UNC2447 SOMBRAT and FIVEHANDS Ransomware: A\r\nSophisticated Financial Threat | Mandiant\r\nBy Mandiant\r\nPublished: 2021-04-29 · Archived: 2026-04-02 12:08:29 UTC\r\nWritten by: Tyler McLellan, Justin Moore, Raymond Leong\r\nMandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN\r\nzero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by\r\nother vendors as SOMBRAT. Mandiant has linked the use of SOMBRAT to the deployment of ransomware, which\r\nhas not been previously reported publicly.\r\nUNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by\r\naggressively applying pressure through threats of media attention and offering victim data for sale on hacker\r\nforums. UNC2447 has been observed targeting organizations in Europe and North America and has consistently\r\ndisplayed advanced capabilities to evade detection and minimize post-intrusion forensics.\r\nMandiant has observed evidence of UNC2447 affiliated actors previously using RAGNARLOCKER ransomware.\r\nBased on technical and temporal observations of HELLOKITTY and FIVEHANDS deployments, Mandiant\r\nsuspects that HELLOKITTY may have been used by an overall affiliate program from May 2020 through\r\nDecember 2020, and FIVEHANDS since approximately January 2021.\r\nBackground\r\nIn November 2020, Mandiant created UNC2447, an uncategorized group observed using the novel WARPRISM\r\nPowerShell dropper to install BEACON at two Mandiant Managed Defense clients. Mandiant Managed Defence\r\nquicky neutralized these intrusions and did not observe attempts to deploy ransomware.\r\nIn January and February 2021, Mandiant Consulting observed a novel rewrite of DEATHRANSOM—dubbed\r\nFIVEHANDS—along with SOMBRAT at multiple victims that were extorted. 
During one of the ransomware\r\nintrusions, the same WARPRISM and BEACON samples previously clustered under UNC2447 were observed.\r\nMandiant was able to forensically link the use of WARPRISM, BEACON, SOMBRAT and FIVEHANDS to the\r\nsame actor.\r\nMandiant suspects that HELLOKITTY activity in late-2020 may be related to the overall affiliate program and\r\nthat usage shifted to FIVEHANDS ransomware beginning in January 2021.\r\nIn April 2021, Mandiant observed a private FIVEHANDS TOR chat using a HELLOKITTY favicon\r\n(Figure 1).\r\nhttps://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html\r\nPage 1 of 16\n\nFigure 1: FIVEHANDS Hello Kitty icon\r\nWhen affiliate-based ransomware is observed by Mandiant, uncategorized clusters are assigned based on the\r\ninfrastructure used, and in the case of UNC2447 were based on the SOMBRAT and Cobalt Strike BEACON\r\ninfrastructure used across 5 intrusions between November 2020 and February 2021. Generally, Mandiant uses\r\ncaution even with novel malware such as SOMBRAT and WARPRISM and clusters each use rigorously according\r\nto all observed activity. For more information on uncategorized threats, refer to our post, \"DebUNCing\r\nAttribution: How Mandiant Tracks Uncategorized Threat Actors.\"\r\nSonicWall SMA 100 Series Appliance Vulnerability\r\nCVE-2021-20016 is a critical SQL injection vulnerability affecting unpatched SonicWall Secure Mobile\r\nAccess SMA 100 series remote access products. A remote, unauthenticated attacker could submit a specially\r\ncrafted query in order to exploit the vulnerability. Successful exploitation would grant an attacker the ability to\r\naccess login credentials (username, password) as well as session information that could then be used to log into a\r\nvulnerable unpatched SMA 100 series appliance. This vulnerability only impacted the SMA 100 series and was\r\npatched by SonicWall in February 2021. 
For more information on this vulnerability, please refer to SonicWall\r\nPSIRT advisory SNWLID-2021-0001.\r\nWARPRISM\r\nWARPRISM is a PowerShell dropper that has been observed by Mandiant delivering SUNCRYPT, BEACON, and\r\nMIMIKATZ. WARPRISM is used to evade endpoint detection and will load its payload directly into memory.\r\nWARPRISM may be used by multiple groups.\r\nFOXGRABBER\r\nFOXGRABBER is a command line utility used to harvest Firefox credential files from remote systems. It\r\ncontains the PDB path: C:\\Users\\kolobko\\Source\\Repos\\grabff\\obj\\Debug\\grabff.pdb. FOXGRABBER has also\r\nbeen observed in DARKSIDE ransomware intrusions.\r\nBEACON Malleable Profiles\r\nIn the initial stages of an intrusion, UNC2447 uses the Cobalt Strike BEACON HTTPSSTAGER implant for\r\npersistence to communicate with command-and-control (C2) servers over HTTPS and has been observed using\r\n‘chches_APT10’ and ‘Havex’ Malleable profiles.\r\nUNC2447 Toolbox\r\nDuring the recon and exfiltration stage of intrusions, UNC2447 has been observed using the following tools:\r\nADFIND, BLOODHOUND, MIMIKATZ, PCHUNTER, RCLONE, ROUTERSCAN, S3BROWSER, ZAP and\r\n7ZIP. UNC2447 may tamper with Windows security settings, firewall rules, and antivirus protection.\r\nSOMBRAT Overview\r\nSOMBRAT was first reported by Blackberry Cylance in November 2020 in \"The CostaRicto Campaign: Cyber-Espionage Outsourced\" as the tooling of a potential espionage-for-hire criminal group. Mandiant has now observed SOMBRAT\r\nalongside FIVEHANDS ransomware intrusions.\r\nThe SOMBRAT backdoor is packaged as a 64-bit Windows executable. It communicates with a configurable\r\ncommand and control (C2) server via multiple protocols, including DNS, TLS-encrypted TCP, and potentially\r\nWebSockets. 
Although the backdoor supports dozens of commands, most of them enable the operator to\r\nmanipulate an encrypted storage file and reconfigure the implant. The backdoor's primary purpose is to download\r\nand execute plugins provided via the C2 server. In contrast to the SOMBRAT version published in November\r\n2020, Mandiant observed additional obfuscation and armoring to evade detection; this SOMBRAT variant has\r\nbeen hardened to discourage analysis. Program metadata typically included by the compiler has been stripped and\r\nstrings have been inlined and encoded via XOR-based routines.\r\nThe SOMBRAT Launcher\r\nThis SOMBRAT backdoor variant must be deployed alongside four additional resources that serve as launchers.\r\nThey are typically installed to the hardcoded directory path `C:\\ProgramData\\Microsoft`.\r\npath: `C:\\programdata\\Microsoft\\WwanSvc.bat` - launcher for `WwanSvc.txt`\r\npath: `C:\\programdata\\Microsoft\\WwanSvc.txt` - decoder and launcher for `WwanSvc.c`\r\npath: `C:\\programdata\\Microsoft\\WwanSvc.c` - decoder and launcher for `WwanSvc.b`\r\npath: `C:\\programdata\\Microsoft\\WwanSvc.a` - XOR key\r\npath: `C:\\programdata\\Microsoft\\WwanSvc.b` - encoded SOMBRAT backdoor\r\npath: `%TEMP%\\\u003cpossibly unique random name\u003e` - encrypted storage file\r\npath: `%TEMP%\\\u003cpossibly unique random name\u003e_\u003cinteger\u003e` - encrypted storage file\r\npath: `C:\\ProgramData\\\u003cpossibly unique random name\u003e` - encrypted configuration file\r\nOther variations of the filenames were observed such as ntuser and wapsvc.\r\nSOMBRAT Technical Details\r\nThe SOMBRAT backdoor is written in modern C++ and implemented as a collection of \"plugins\" that interoperate\r\nwith one another. 
There are five plugins distributed with this variant: `core`, `network`, `storage`, `taskman`, and\r\n`debug` (the `config` plugin described by Blackberry is not present). The core plugins communicate with the C2\r\nserver via messages sent over a common networking layer; each plugin supports its own set of messages, and the\r\nbackdoor protocol can be extended by dynamically loaded plugins.\r\nThe `core` plugin coordinates state tracking, such as network connectivity, and dynamic plugin loading and\r\nunloading. The `network` plugin configures the networking layer used to communicate with the C2 server, for\r\nexample enabling the operator to switch between DNS and TCP protocols. The `storage` plugin exposes logical\r\noperations, such as read and write, for an encrypted file used to store plugins, resources, and arbitrary data. The\r\n`taskman` plugin enables the operator to list and kill processes on the compromised system. Finally, the\r\n`debuglog` plugin supports a single command to record debug messages.\r\nGiven that the core plugins do not enable an operator to directly execute arbitrary commands or reconfigure the\r\nsystem, the primary function of the SOMBRAT backdoor is to load plugins provided via the C2 server. These\r\nplugins may be shellcode or DLL modules to be dynamically loaded. The C2 server may instruct the backdoor to\r\nload the plugins directly or persist them into the encrypted storage file, where they may subsequently be reloaded,\r\nsuch as after upgrading the backdoor.\r\nFigure 2: Malware author mark “No one is perfect except me.”\r\nSOMBRAT evades forensic analysis by patching the process memory used to record command line arguments. 
It\r\nreplaces the initial command line with the base filename of the program executable, removing any arguments.\r\nThis means that investigators who inspect a process listing via memory forensics will see the innocuous-looking\r\ncommand line `powershell.exe` rather than references to an uncommon filename such as `WwanSvc.c`.\r\nSOMBRAT Network Communications\r\nThe SOMBRAT backdoor can communicate with its C2 server using both DNS and a proxy-aware, TLS-encrypted stream protocol. By default, the backdoor uses the DNS protocol; however, this can be reconfigured by\r\nthe C2 server. Mandiant observed the domains feticost[.]com and celomito[.]com used for DNS C2\r\ncommunications.\r\nWhen the backdoor communicates via its DNS protocol, it constructs and resolves FQDNs, interpreting the DNS\r\nresults to extract C2 messages. The authoritative DNS server embeds data within the IP address field of DNS A\r\nrecord results and within the Name Administrator field of DNS TEXT record results. By making many requests to\r\nunique subdomains of the C2 domain, the backdoor can slowly transmit information a few bytes at a time.\r\nRansomware Similarities\r\nBeginning in October 2020, Mandiant observed samples of a customized version of DEATHRANSOM. 
This\r\nnewly modified version removed the language check feature (Figure 3 shows the language check of\r\nDEATHRANSOM).\r\nHELLOKITTY ransomware—used to target Polish video game developer CD Projekt Red—is reportedly\r\nbuilt from DEATHRANSOM.\r\nHELLOKITTY is named after a mutex named ‘HELLOKITTYMutex,’ used when the malware\r\nexecutable is launched (see Figure 4).\r\nFigure 4: HELLOKITTY mutex shown in Process Explorer\r\nCEMIG (Companhia Energética de Minas Gerais), a Brazilian electric power company, revealed on\r\nFacebook in late December 2020 that it was a victim of a HELLOKITTY cyber attack.\r\nIn January 2021, Mandiant observed a new ransomware deployed against a victim and assigned the name\r\nFIVEHANDS.\r\nAnalysis of FIVEHANDS revealed high similarity to DEATHRANSOM, sharing several features,\r\nfunctions, and coding similarities. Absent in FIVEHANDS is a language check, similar to HELLOKITTY.\r\nBoth DEATHRANSOM and FIVEHANDS drop a ransom note in all non-excluded directories.\r\nTechnical Comparison of FIVEHANDS, HELLOKITTY and DEATHRANSOM\r\nDEATHRANSOM is written in C while the other two families are written in C++. DEATHRANSOM uses a\r\ndistinct series of do/while loops to enumerate through network resources, logical drives, and directories. It also\r\nuses QueueUserWorkItem to implement thread pooling for its file encryption threads.\r\nHELLOKITTY is written in C++, but reimplements a significant portion of DEATHRANSOM's functionality\r\nusing similar loop operations and thread pooling via QueueUserWorkItem. The code structure to enumerate\r\nnetwork resources, logical drives, and perform file encryption is very similar. 
Additionally, HELLOKITTY and\r\nDEATHRANSOM share very similar functions to check for the completion status of their encryption threads\r\nbefore exiting.\r\nFIVEHANDS is written in C++ and although high level functionality is similar, the function calls and code\r\nstructure to implement the majority of the functionality are written differently. Also, instead of executing threads\r\nusing QueueUserWorkItem, FIVEHANDS uses IoCompletionPorts to more efficiently manage its encryption\r\nthreads. FIVEHANDS also uses more functionality from the C++ standard template library (STL) than does\r\nHELLOKITTY.\r\nDeletion of Volume Shadow Copies\r\nDEATHRANSOM, HELLOKITTY, and FIVEHANDS use the same code to delete volume shadow copies via\r\nWMI by performing the query `select * from Win32_ShadowCopy` and then deleting each instance returned by its\r\nid.\r\nEncryption Operations\r\nEach of these three malware families utilizes a similar encryption scheme. An asymmetric public key is either\r\nhard-coded or generated. A unique symmetric key is generated for each encrypted file.\r\nAfter each file is encrypted, the asymmetric key will encrypt the symmetric key and append it to the\r\nencrypted file. 
Additionally, a unique four byte magic value is appended to the end of the encrypted file.\r\nThe malware checks for these magic bytes to ensure it does not encrypt a previously encrypted file again.\r\nDEATHRANSOM and HELLOKITTY implement the file encryption operations using a very similar code\r\nstructure and flow.\r\nFIVEHANDS implements its file encryption with a differing code structure and uses different embedded\r\nencryption libraries.\r\nIn addition to the symmetric key, HELLOKITTY and FIVEHANDS also encrypt file metadata with the\r\npublic key and append this to the encrypted file.\r\nDEATHRANSOM generates an RSA key pair while HELLOKITTY and FIVEHANDS use an embedded\r\nRSA or NTRU public key.\r\nDEATHRANSOM Encryption\r\nDEATHRANSOM creates an RSA-2048 public and private key pair. Using an Elliptic-curve Diffie–Hellman\r\n(ECDH) routine implemented with Curve25519, it computes a shared secret using two input\r\nvalues: 1) 32 random bytes from a RtlGenRandom call and 2) a hardcoded 32 byte value (attacker's public\r\nkey). It also creates a Curve25519 public key. The shared secret is SHA256 hashed and used as the key to\r\nSalsa20 encrypt the RSA public and private keys.\r\nThe RSA public key is used to encrypt the individual symmetric keys that are used to encrypt each file. A\r\nBase64 encoded version of the encrypted RSA keys and the victim’s Curve25519 public key is included in\r\nthe ransom note, providing the threat actors the information needed to decrypt the victim's files.\r\nFor the symmetric key, DEATHRANSOM calls RtlGenRandom to generate 32 random bytes. This is the\r\n32 byte key used to AES encrypt each file. 
After the file is encrypted, the AES key is encrypted with the\r\npublic RSA key and appended to the file.\r\nDEATHRANSOM lastly appends the four magic bytes of AB CD EF AB at the end of the encrypted file\r\nand uses this as a check to ensure that it does not encrypt an already encrypted file.\r\nThe analyzed DEATHRANSOM sample used for comparison does not change the file extension.\r\nHELLOKITTY Encryption\r\nHELLOKITTY contains an embedded RSA-2048 public key. This public key is SHA256 hashed and used\r\nas the victim ID within the ransom note. This RSA public key is also used to encrypt each file's symmetric\r\nkey.\r\nFor the symmetric key, HELLOKITTY generates a 32 byte seed value based on the CPU timestamp. A Salsa20\r\nkey is generated and encrypts a second 32 byte seed value. The encrypted result is XOR’d with the first\r\nseed, resulting in a 32 byte key used to AES encrypt each file.\r\nAfter each file is encrypted, the original file size, magic value of DE C0 AD BA, and AES key are\r\nencrypted with the public RSA key and appended to the file. HELLOKITTY and FIVEHANDS append\r\nthis additional metadata to the encrypted file, while DEATHRANSOM does not.\r\nLastly it appends the four magic bytes DA DC CC AB to the end of the encrypted file.\r\nDepending on the version, HELLOKITTY may or may not change the file extension.\r\nOther samples of HELLOKITTY have used an embedded NTRU public key instead of RSA.\r\nFIVEHANDS Encryption\r\nFIVEHANDS uses an embedded NTRU public key. This NTRU key is SHA512 hashed and the first 32\r\nbytes are used as the victim ID within the ransom note. 
This NTRU public key is also used to encrypt each\r\nfile's symmetric key.\r\nFor the symmetric key, FIVEHANDS uses an embedded generation routine to produce 16 random bytes\r\nused for an AES key to encrypt each file.\r\nAfter each file is encrypted, the original file size, magic value of DE C0 AD BA, and AES key are\r\nencrypted with the public NTRU key and appended to the file.\r\nThe four magic bytes DB DC CC AB are appended to the end of the encrypted file.\r\nFIVEHANDS includes additional code not found in DEATHRANSOM and HELLOKITTY to use the\r\nWindows Restart Manager to close a file currently in use so that it can be unlocked and successfully\r\nencrypted.\r\nThe encrypted file's extension is changed to .crypt.\r\nThe FIVEHANDS encryption flow and sequence is very different from the other two, partially because it\r\nincorporates asynchronous I/O requests and uses different embedded encryption libraries.\r\nFIVEHANDS Encrypted Dropper\r\nOne significant change between DEATHRANSOM and FIVEHANDS is the use of a memory-only dropper, which\r\nupon execution, expects a command line switch of -key followed by the key value necessary to perform\r\ndecryption of its payload. The payload is stored and encrypted with AES-128 using an IV of\r\n“85471kayecaxaubv”. The decrypted FIVEHANDS payload is immediately executed after decryption. To date,\r\nMandiant has only observed encrypted droppers with a common imphash of\r\n8517cf209c905e801241690648f36a97.\r\nCLI arguments\r\nFIVEHANDS can receive a CLI argument for a path; this limits the ransomware's file encryption activities to the\r\nspecified directory. DEATHRANSOM and HELLOKITTY do not accept CLI arguments.\r\nLocale and Mutex checks\r\nDEATHRANSOM performs language ID and keyboard layout checks. 
If either of these match Russian, Kazakh,\r\nBelarusian, Ukrainian or Tatar it exits. Neither HELLOKITTY nor FIVEHANDS performs language ID or keyboard\r\nchecks.\r\nHELLOKITTY performs a mutex check while the other two do not perform mutex checks.\r\nFile Exclusions\r\nDEATHRANSOM and HELLOKITTY both exclude the same directories and files:\r\nprogramdata, $recycle.bin, program files, windows, all users, appdata, read_me.txt, autoexec.bat, desktop.ini,\r\nautorun.inf, ntuser.dat, iconcache.db, bootsect.bak, boot.ini, ntuser.dat.log, or thumbs.db.\r\nThe exclusions for FIVEHANDS are more extensive and contain additional files and directories to ignore.\r\nAdditional Differences\r\nDEATHRANSOM makes an external HTTPS connection to download a file. Neither HELLOKITTY nor\r\nFIVEHANDS initiates network connections.\r\nHELLOKITTY contains code to set the victim's wallpaper to a ransom related image. The other samples do\r\nnot have this functionality.\r\nDifferent versions of DEATHRANSOM and HELLOKITTY are known to change the file extension.\r\nDifferent versions of HELLOKITTY are known to check for specific processes to terminate.\r\nFeature | FIVEHANDS | HELLOKITTY | DEATHRANSOM\r\nProgramming Language | C++ | C++ | C\r\nSymmetric Encryption | AES 128 | AES 256 | AES 256\r\nAsymmetric Encryption | Embedded NTRU Key | Embedded RSA or NTRU Key | Curve25519 ECDH and RSA key creation\r\nSame directory and file name exclusions | No | Yes | Yes\r\nAccepts CLI Arguments | Yes | No | No\r\nNetwork Connections | No | No | Yes\r\nLocale Check | No | No | Yes\r\nMutex Check | No | Yes | No\r\nBytes Appended to Encrypted Files | DB DC CC AB | DA DC CC AB | AB CD EF AB\r\nTable 1: Ransomware feature comparison\r\nConclusion\r\nMandiant observed SOMBRAT and FIVEHANDS ransomware used by the same group since January 2021. 
While\r\nsimilarities between HELLOKITTY and FIVEHANDS are notable, ransomware may be used by different groups\r\nthrough underground affiliate programs. Mandiant will assign an uncategorized cluster based on multiple factors\r\nincluding infrastructure used during intrusions; as such, not all SOMBRAT or FIVEHANDS ransomware\r\nintrusions may have been conducted by UNC2447. WARPRISM and FOXGRABBER have been used in\r\nSUNCRYPT and DARKSIDE ransomware intrusions, demonstrating additional complexity and sharing between different\r\nransomware affiliate programs.\r\nIndicators\r\nSOMBRAT UNC2447\r\n87c78d62fd35bb25e34abb8f4caace4a\r\n6382d48fae675084d30ccb69b4664cbb (31dcd09eb9fa2050aadc0e6ca05957bf unxored)\r\nSOMBRAT Launcher\r\ncf1b9284d239928cce1839ea8919a7af (wwansvc.a XOR key)\r\n4aa3eab3f657498f52757dc46b8d1f11 (wwansvc.c)\r\n1f6495ea7606a15daa79be93070159a8 (wwansvc.bat)\r\n31dcd09eb9fa2050aadc0e6ca05957bf (wwansvc.b)\r\nedf567bd19d09b0bab4a8d068af15572 (wwansvc.b)\r\na5b26931a1519e9ceda04b4c997bb01f (wwansvc.txt)\r\nf0751bef4804fadfe2b993bf25791c49 (4aa3eab3f657498f52757dc46b8d1f11 unxored)\r\n87c78d62fd35bb25e34abb8f4caace4a (edf567bd19d09b0bab4a8d068af15572 unxored)\r\nSOMBRAT domains\r\nCelomito[.]com (unc2447)\r\nFeticost[.]com (unc2447)\r\nCosarm[.]com\r\nPortalcos[.]com\r\nFIVEHANDS\r\n39ea2394a6e6c39c5d7722dc996daf05\r\nf568229e696c0e82abb35ec73d162d5e\r\nFIVEHANDS Encrypted 
Dropper\r\n6c849920155f48d4b4aafce0fc49eb5b\r\n22d35005e926fe29379cb07b810a6075\r\n57824214710bc0cdb22463571a72afd0\r\n87c0b190e3b4ab9214e10a2d1c182153\r\n1b0b9e4cddcbcb02affe9c8124855e58\r\n46ecc24ef6d20f3eaf71ff37610d57d1\r\n1a79b6d169aac719c9323bc3ee4a8361\r\na64d79eba40229ae9aaebbd73938b985\r\nHELLOKITTY\r\n136bd70f7aa98f52861879d7dca03cf2\r\n06ce6cd8bde756265f95fcf4eecadbe9\r\naf568e8a6060812f040f0cb0fd6f5a7b\r\nd96adf82f061b1a6c80699364a1e3208\r\nDEATHRANSOM\r\nc50ab1df254c185506ab892dc5c8e24b\r\nWARPRISM\r\nc925822c6d5175c30ba96388b07e9e16 (unc2447)\r\nc171bcd34151cbcd48edbce13796e0ed\r\nd87fcd8d2bf450b0056a151e9a116f72\r\nf739977004981fbe4a54bc68be18ea79\r\ne18b27f75c95b4d50bfcbcd00a5bd6c5\r\ndf6e6b3e53cc713276a03cce8361ae0f\r\n1cd03c0d00f7bfa7ca73f7d73677d8f8\r\n8071f66d64395911a7aa0d2057b9b00d\r\nc12a96e9c50db5f8b0b3b5f9f3f134f0\r\ne39184eacba2b05aaa529547abf41d2b\r\n09a05a2212bd2c0fe0e2881401fbff17\r\n8226d7615532f32eca8c04ac0d41a9fd\r\na01a2ba3ae9f50a5aa8a5e3492891082\r\n29e53b32d5b4aae6d9a3b3c81648653c\r\na809068b052bc209d0ab13f6c5c8b4e7\r\nBEACON UNC2447\r\n64.227.24[.]12 Havex Profile January 2021\r\n157.230.184[.]142 chches_APT10 Profile November 2020-January 2021\r\n74c688a22822b2ab8f18eafad2271cac\r\n7d6e57cbc112ebd3d3c95d3c73451a38\r\nFOXGRABBER\r\n4d3d3919dda002511e03310c49b7b47f\r\nFireEye Detections\r\nFireEye Network Security\r\nFireEye Email Security\r\nFireEye Detection On Demand\r\nFireEye Malware Analysis\r\nFireEye Malware 
File Protect\r\nFIVEHANDS\r\nFE_Loader_Win32_Generic_162\r\nFE_Ransomware_Win32_FIVEHANDS_1\r\nMalware.Binary.exe\r\nRansomware.Win.Generic.MVX\r\nSOMBRAT\r\nFE_Backdoor_Win64_SOMBRAT_1\r\nBackdoor.Win.SOMBRAT\r\nMalware.Binary.exe\r\nBackdoor.Win.SOMBRAT.MVX\r\nFEC_Trojan_PS1_Generic_7\r\nFEC_Trojan_PS1_Generic_8\r\nFEC_Trojan_BAT_Generic_5\r\nHELLOKITTY\r\nRansomware.Win.Generic.MVX\r\nMalware.Binary.exe\r\nRansomware.Win.HELLOKITTY.MVX\r\nFE_Ransomware_Win_HELLOKITTY_1\r\nFE_Ransomware_Win32_HELLOKITTY_1\r\nDEATHRANSOM\r\nFE_Loader_Win32_Generic_92\r\nRansomware.Win.Generic.MVX\r\nMalware.Binary.exe\r\nBEACON\r\nFE_Loader_Win32_BLUESPINE_1\r\nBackdoor.BEACON\r\nMalware.Binary.exe\r\nWARPRISM\r\nFE_Loader_PS1_WARPRISM_1\r\nFEC_Loader_PS1_WARPRISM_1\r\nBackdoor.BEACON\r\nTrojan.Generic\r\nTrojan.Win.SYSTEMBC\r\nBackdoor.Meterpreter\r\nLoader.PS1.WARPRISM.MVX\r\nMalware.Binary.exe\r\nMalware.Binary.ps1\r\nFOXGRABBER\r\nFE_Tool_MSIL_FOXGRABBER_1\r\nFE_Trojan_MSIL_Generic_109\r\nFireEye EndPoint Security Real-Time (IOC)\r\nSOMBRAT (BACKDOOR)\r\nSUSPICIOUS POWERSHELL READ BASE64 DATA (METHODOLOGY)\r\nFIVEHANDS RANSOMWARE (FAMILY)\r\nDEATHRANSOM RANSOMWARE (FAMILY)\r\nHELLOKITTY RANSOMWARE (FAMILY)\r\nBEACON (FAMILY)\r\nMalware Protection (AV/MG)\r\nSOMBRAT\r\nGeneric.mg.
87c78d62fd35bb25\r\nGeneric.mg.6382d48fae675084\r\nTrojan.GenericKD.45750384\r\nTrojan.GenericKD.36367848\r\nGeneric.PwShell.RefA.CB5E962A\r\nFIVEHANDS\r\nGeneric.mg.39ea2394a6e6c39c\r\nGeneric.mg.f568229e696c0e82\r\nGeneric.mg.6c849920155f48d4\r\nGeneric.mg.22d35005e926fe29\r\nGeneric.mg.57824214710bc0cd\r\nGeneric.mg.87c0b190e3b4ab92\r\nGeneric.mg.1b0b9e4cddcbcb02\r\nGeneric.mg.46ecc24ef6d20f3e\r\nGeneric.mg.1a79b6d169aac719\r\nGeneric.mg.a64d79eba40229ae\r\nGen:Variant.Zusy.375932\r\nGen:Variant.Zusy.366866\r\nTrojan.GenericKD.46059492\r\nTrojan.GenericKD.46059131\r\nTrojan.GenericKD.45996121\r\nTrojan.GenericKD.45702783\r\nWARPRISM\r\nGeneric.mg.a01a2ba3ae9f50a5\r\nTrojan.PowerShell.Agent.IJ\r\nTrojan.Agent.EXDR\r\nTrojan.PowerShell.Ransom.E\r\nTrojan.Agent.EUKP\r\nTrojan.GenericKD.45856129\r\nHeur.BZC.PZQ.Boxter.829.B5AEB7A6\r\nHeur.BZC.PZQ.Boxter.829.B84D01A7\r\nHeur.BZC.PZQ.Boxter.829.AE76D25C\r\nTrojan.PowerShell.Ransom.F\r\nDropped:Heur.BZC.MNT.Boxter.826.0A2B3A87\r\nHeur.BZC.PZQ.Boxter.829.A15701BD\r\nDEATHRANSOM\r\nGeneric.mg.c50ab1df254c1855\r\nTrojan.Ransomware.GenericKD.35760206\r\nHELLOKITTY\r\nGeneric.mg.136bd70f7aa98f52\r\nGeneric.mg.06ce6cd8bde75626\r\nGeneric.mg.af568e8a6060812f\r\nGeneric.mg.d96adf82f061b1a6\r\nGeneric.Malware.PfVPk!12.299C21F3\r\nGen:Variant.Ransom.HelloKitty.1\r\nGeneric.Malware.PfVPk!12.606CCA24\r\nGeneric.Malware.PfVPk!12.1454636C\r\nBEACON\r\nGeneric.mg.74c688a22822b2ab\r\nGeneric.mg.7d6e57cbc112ebd3\r\nTrojan.Agent.DDSN\r\nMITRE ATT\u0026CK\r\nTactic Description\r\nInitial Access T1078 Valid Accounts\r\nExecution\r\nT1047 Windows Management Instrumentation\r\nT1053.005 Scheduled Task / Job: Scheduled Task\r\nT1059.001 Command and Scripting Interpreter: PowerShell\r\nT1106 Execution through API\r\nDefense Evasion\r\nT1045 Software Packing\r\nT1055 Process Injection\r\nT1140 
Deobfuscate / Decode Files or Information\r\nDiscovery\r\nT1012 Query Registry\r\nT1046 Network Service Scanning\r\nT1057 Process Discovery\r\nT1082 System Information Discovery\r\nT1124 System Time Discovery\r\nT1135 Network Share Discovery\r\nCollection T1560.003 Archive Collected Data: Archive via Custom Method\r\nImpact\r\nT1485 Data Destruction\r\nT1486 Data Encrypted for Impact\r\nT1490 Inhibit System Recovery\r\nCommand and Control\r\nT1071.001 Application Layer Protocol: Web Protocols\r\nT1090.002 Proxy: External Proxy\r\nT1572 Protocol Tunneling\r\nT1573.002 Encrypted Channel: Asymmetric Cryptography\r\nExfiltration T1041 Exfiltration over C2 Channel\r\nAcknowledgements\r\nThanks to Nick Richard for technical review, Genevieve Stark and Kimberly Goody for analytical contributions,\r\nand Jon Erickson, Jonathan Lepore, and Stephen Eckels for analysis incorporated into this blog post.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
	],
	"report_names": [
		"unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
	],
	"threat_actors": [
		{
			"id": "c72c09b8-81ba-4e6e-9094-cd84ee4bda79",
			"created_at": "2022-10-25T15:50:23.667393Z",
			"updated_at": "2026-04-10T02:00:05.344613Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [
				"CostaRicto"
			],
			"source_name": "MITRE:CostaRicto",
			"tools": [
				"PowerSploit",
				"SombRAT",
				"PsExec",
				"PS1",
				"CostaBricks"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b77f9b40-dca7-449d-819e-115cd2295b41",
			"created_at": "2022-10-25T16:07:23.502671Z",
			"updated_at": "2026-04-10T02:00:04.63173Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [],
			"source_name": "ETDA:CostaRicto",
			"tools": [
				"CostaBricks",
				"PowerSploit",
				"PsExec",
				"SombRAT",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "065b7ea2-5920-4270-824e-94ea8a79d197",
			"created_at": "2023-12-08T02:00:05.747632Z",
			"updated_at": "2026-04-10T02:00:03.492858Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2447",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "115cf618-02a8-42b8-8d25-305292eafedb",
			"created_at": "2023-11-21T02:00:07.396534Z",
			"updated_at": "2026-04-10T02:00:03.478259Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [],
			"source_name": "MISPGALAXY:CostaRicto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51",
			"created_at": "2022-10-25T16:07:24.35977Z",
			"updated_at": "2026-04-10T02:00:04.953882Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "ETDA:UNC2447",
			"tools": [
				"7-Zip",
				"AdFind",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DEATHRANSOM",
				"DeathRansom",
				"FIVEHANDS",
				"FOXGRABBER",
				"HELLOKITTY",
				"HelloKitty",
				"KittyCrypt",
				"Mimikatz",
				"PCHUNTER",
				"RCLONE",
				"ROUTERSCAN",
				"Ragnar Locker",
				"RagnarLocker",
				"Rclone",
				"S3BROWSER",
				"SombRAT",
				"Thieflock",
				"WARPRISM",
				"cobeacon",
				"deathransom",
				"wacatac"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434495,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/597502602df9b03c54f3f1940033d0a9964933f7.pdf",
		"text": "https://archive.orkl.eu/597502602df9b03c54f3f1940033d0a9964933f7.txt",
		"img": "https://archive.orkl.eu/597502602df9b03c54f3f1940033d0a9964933f7.jpg"
	}
}