{
	"id": "09c005f3-0be4-4dcb-b902-537d5e885f2d",
	"created_at": "2026-04-06T01:31:59.953114Z",
	"updated_at": "2026-04-10T13:11:57.257366Z",
	"deleted_at": null,
	"sha1_hash": "8b31212578cb24c7ff28bd92fae571cc42acd6b1",
	"title": "Deep Dive Into HERMES Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1526484,
	"plain_text": "Deep Dive Into HERMES Ransomware\r\nBy Anonymous\r\nPublished: 2021-01-23 · Archived: 2026-04-06 00:09:27 UTC\r\nQuick Overview:\r\nHERMES is ransomware that spreads through spear-phishing emails. It was first detected in October 2017. It has been attributed to the Lazarus APT group, and it is closely related to Ryuk ransomware: the two share enough code that they are believed to have been written by the same author. Like most ransomware it encrypts files with AES and encrypts the random AES key with RSA; the sections below go into the details.\r\nIn-Depth Reversing:\r\n[+] HERMES drops a copy of itself under the name \"svchosta.exe\" in the Temp folder and executes it with the command shown in the original screenshot.\r\nInhibit System Recovery:\r\n[+] Like most ransomware it deletes the shadow copies. To do so it drops a batch file very similar to the one Ryuk uses, which strengthens the Ryuk connection. The batch file is executed with the command shown in the original screenshot.\r\nhttps://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html\r\nPage 1 of 18\r\nUnpacking and API Resolving:\r\nHERMES allocates a region of memory for the unpacked PE file and writes it there; this technique is known as self-injection. OALabs has a diagram that explains it quickly and well (credit to them for the explanation).\r\nWhat we need to do is fire up the debugger and put two breakpoints on:\r\n[+] VirtualAlloc\r\n[+] VirtualProtect\r\nWhen the breakpoint on VirtualAlloc() hits, use \"execute till return\": the return value of VirtualAlloc() (the base of the newly allocated region) is in EAX, so right-click it and follow in dump. Then press F9 again and watch the region fill up.\r\nYay! A nice PE file. 
Now just follow it in the memory map and dump the file :)\r\nOpening the dump in PE Studio and looking at the imports is disappointing: there are only 5 imports :( , so there must be a function that resolves the rest at runtime.\r\nNow let's fire up IDA. Go to the imports, select LoadLibraryA and press \"X\" to see where it is called. Go for the first one.\r\nAnd bingo, we found it :)\r\nIt looks like the API name is passed to a decryption or deobfuscation routine before the lookup. Take the address of that routine and set a breakpoint on it; when it hits, use \"execute till return\" and you will find something: ECX holds the resolved API.\r\nNow right-click ECX and follow in dump, and you will find all the APIs.\r\nFrom here we have three choices: dump the file with Scylla, rename the imports manually, or write a script. I will leave it as an exercise for you ;)\r\nMutex Creation:\r\nHERMES creates a mutex named \"tech\". As you can see, the mutex-related APIs are resolved dynamically.\r\nYou may ask what a mutex is and why malware uses one, so let me explain. A mutex is an object that lets multiple threads share the same resource, but one at a time, as shown in the figure in the original post.\r\nComplicated, right? So let me explain why we need mutexes. When two threads share the same resource, say thread \"A\" reads from it while thread \"B\" writes to it (the resource could be anything, a file for example), the outcome depends on which thread gets there first. This is called a \"race condition\", and it must not happen, because if thread \"B\" writes to the file while thread \"A\" is reading it, thread \"A\" gets corrupted data. 
So we need a mechanism to schedule this access, and that is what a mutex is: it acquires a lock on behalf of a thread, which says, OK, thread \"A\" may now read or write the file (or do any other operation on it) and thread \"B\" cannot touch that file until thread \"A\" releases the lock, after which it is handed to thread \"B\". You may also ask how all of this relates to malware. Malware uses mutexes for several things; one of them is to avoid infecting the host twice: if the mutex already exists, another instance is running and the new one exits.\r\nLanguage Checks:\r\nHERMES checks the system language. Every language has a numeric code, for example 0409 is the code for English (US). The code of the installed system language can be found under the registry key:\r\n[+] Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\r\nAs you can see in the screenshot, the third value is the system language code. Now let's see how it uses this.\r\nIt opens the registry key mentioned above, queries the value of InstallLanguage and compares it with three values:\r\n [+] 0419 --\u003e Russian\r\n [+] 0422 --\u003e Ukrainian\r\n [+] 0423 --\u003e Belarusian\r\nIf any of them matches, it terminates the process (the malware) with ExitProcess.\r\nYou may ask why this is important. It matters in targeted attacks: it looks like the author did not want to hit those countries, so luckily those three countries won't get infected ;). Read \"Malware Trying to Avoid Some Countries\" (see References) for more info.\r\nPersistence:\r\nHERMES achieves persistence by dropping the \"start.bat\" batch file in the Startup folder so that the malware runs every time the computer starts. Why? Doesn't it encrypt the files once and call it done? 
Well, what if it missed a file, or you create new files?\r\nIt drops this batch file in the Startup folder. The programs in the Startup folder are executed automatically every time the user logs in or the computer starts.\r\nYou can simply disable this file or delete it from the Startup folder.\r\nIf you try restarting the VM you will see the command being executed, but it didn't \r\nEncryption:\r\nHERMES encrypts files with AES-256 and encrypts the random AES key with RSA, using the Windows CryptoAPI.\r\nIt uses:\r\n[+] CryptEncrypt\r\n[+] CryptGenKey\r\n[+] CryptExportKey\r\n[+] CryptImportKey\r\n[+] CryptAcquireContextW\r\n[+] It drops two files used for encryption, \"PUBLIC\" and \"UNIQUE_ID_DONT_REMOVE\".\r\nThe first one is an RSA public key blob (PUBLICKEYBLOB); these blobs are the CryptoAPI format for storing RSA public keys.\r\nThe second one is the private key, which means it is for the attacker only, and it is stored encrypted. 
Take a look at the first 8 bytes (offsets 0 to 7): they have a precise meaning. This is the CryptoAPI PUBLICKEYSTRUC header: the 0x7 means it is a private key blob (PRIVATEKEYBLOB), 0x2 is the blob version (CUR_BLOB_VERSION), the next two bytes are reserved, and the 4-byte value 0xA400 is the algorithm identifier (CALG_RSA_KEYX), which tells us the key is RSA; any other algorithm would carry a different identifier here.\r\nHERMES uses a \"HERMES\" marker at the end of each file to tell whether the file is already encrypted. In the code it reads the file with ReadFile and checks for the marker, as shown in the original screenshot.\r\nIt generates an AES-256 key.\r\nHERMES encrypts each file in chunks: it reads and encrypts the file 1000000 bytes at a time.\r\nHERMES does some drive checking using GetLogicalDrives() and GetDriveType().\r\nIt first enumerates the drives on the system, then calls GetDriveType() on each; if the return value is 5 (DRIVE_CDROM) the drive is skipped.\r\nIt also skips some folders (listed under Skipped Folders below).\r\nIOC's:\r\nHashes:\r\n [+] MD5: 254caeddba73aa4d1bb425c5274176d2 (Packed)\r\n [+] SHA1: 728711076a9e04b5e1e0010045e477d3515356b5\r\n [+] SHA256: a5a0964b1308fdb0aeb8bd5b2a0f306c99997c7c076d66eb3ebcdd68405b1da2\r\n [+] MD5: 4f99ef502992d9ef9be6dc4ff27b1e95 (Unpacked)\r\nDropped Files:\r\n [+] svchosta.exe (main payload)\r\n [+] UNIQUE_ID_DONT_REMOVE (private RSA key, encrypted)\r\n [+] PUBLIC (public RSA key)\r\n [+] windows.bat (deletes shadow copies)\r\n [+] start.bat (starts the malware every time the computer starts)\r\n [+] DECRYPT_INFORMATION.html (ransom note)\r\nTTP's:\r\n[+] 
Command-Line Interface T1059 (now named Command and Scripting Interpreter)\r\n[+] Registry Run Keys / Startup Folder T1060 (deprecated; now T1547.001)\r\n[+] Data Encrypted for Impact T1486\r\n[+] Execution through API T1106 (now named Native API)\r\n[+] Modify Registry T1112\r\n[+] File Permissions Modification T1222 (now named File and Directory Permissions Modification)\r\n[+] Inhibit System Recovery T1490\r\n[+] Query Registry T1012\r\nEmails:\r\n [+] primary email: pretty040782@gmail.com\r\n [+] reserve email: pretty040782@keemail.me\r\nSkipped Folders:\r\n[+] Windows\r\n[+] AhnLab\r\n[+] Chrome\r\n[+] Microsoft\r\n[+] Mozilla\r\n[+] $Recycle.Bin\r\n[+] WINDOWS\r\nRansomware Note:\r\n(ransom note screenshot omitted)\r\nReferences:\r\nhttps://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/\r\nhttps://app.any.run/tasks/29fd99e4-7087-45bc-8105-2746d44a46d9\r\nhttps://analyze.intezer.com/analyses/4c6a208b-d5b6-4954-b144-9254d7dfc5ac\r\nhttps://www.youtube.com/watch?v=WthvahlAYFY\u0026t=225s\r\nhttps://www.welivesecurity.com/2009/01/15/malware-trying-to-avoid-some-countries/\r\nhttps://www.autoitscript.com/autoit3/docs/appendix/OSLangCodes.htm\r\nhttps://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/\r\nGoodbye!\r\nSo that's it, hope you enjoyed it. Thanks to AXIAL for letting me into the team; we will be making more, inshallah. Don't forget to follow me (astro) and @AXI4L.\r\nSource: https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html
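Worked example (added here, not part of the original post): the single-instance check described under Mutex Creation, reproduced in Python on POSIX. A named Windows mutex has no direct equivalent there, so this uses a lock file with flock() as a stand-in; flock locks belong to the open file description, so a second open() of the same file conflicts exactly as a second process would. The lock name 'tech' is the mutex name from the post; the lock directory, the InstanceGuard class and the demo() function are my own.

```python
import fcntl
import os
import tempfile

# Stand-in for the named mutex: a lock file in the temp directory (assumption, not the malware's mechanism).
LOCK_DIR = tempfile.gettempdir()


class InstanceGuard:
    def __init__(self, name):
        self.path = os.path.join(LOCK_DIR, name + '.lock')
        self.fd = None

    def acquire(self):
        # Equivalent of CreateMutex() followed by checking GetLastError() for ERROR_ALREADY_EXISTS:
        # True means we are the first instance, False means another instance already holds the lock.
        fd = os.open(self.path, os.O_RDWR | os.O_CREAT, 0o600)
        try:
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except OSError:
            os.close(fd)
            return False
        self.fd = fd
        return True

    def release(self):
        # The malware never does this explicitly; the mutex dies with the process.
        if self.fd is not None:
            fcntl.flock(self.fd, fcntl.LOCK_UN)
            os.close(self.fd)
            self.fd = None


def run_instance(name):
    # The malware's decision: continue only if we are first, otherwise exit immediately.
    guard = InstanceGuard(name)
    if not guard.acquire():
        return 'already running, exiting'
    return 'first instance, continuing'


def demo():
    # Two separate open() calls on the same lock file behave like two processes racing for the mutex.
    first = InstanceGuard('tech')
    second = InstanceGuard('tech')
    results = [first.acquire(), second.acquire()]   # first wins, second is refused
    first.release()
    results.append(second.acquire())                # once the first instance is gone, the second gets it
    second.release()
    return results


if __name__ == '__main__':
    print(demo())
```

An incident responder can turn the same fact around: creating a mutex named 'tech' ahead of time on a host makes this sample exit before it encrypts anything, a so-called vaccine, as long as the check is not removed in a later build.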
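Worked example (added, not from the original post): a parser for the CryptoAPI key blob header discussed under Encryption. The first 8 bytes are the PUBLICKEYSTRUC (bType, bVersion, reserved, aiKeyAlg); in an unencrypted RSA blob they are followed by the 12-byte RSAPUBKEY (magic 'RSA1' for a public key or 'RSA2' for a private key, the bit length and the public exponent) and then the little-endian modulus. The two sample blobs are constructed here with a toy 88-bit modulus; they are not the real PUBLIC and UNIQUE_ID_DONT_REMOVE files. The private sample has an opaque body after the header, which is what the post observes for the encrypted private key file.

```python
import struct

# Constants from wincrypt.h
PUBLICKEYBLOB = 0x06
PRIVATEKEYBLOB = 0x07
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
CALG_RSA_SIGN = 0x00002400
RSA1_MAGIC = 0x31415352   # the bytes 'RSA1': RSAPUBKEY of a public key blob
RSA2_MAGIC = 0x32415352   # the bytes 'RSA2': RSAPUBKEY of a private key blob

BLOB_TYPES = {PUBLICKEYBLOB: 'PUBLICKEYBLOB', PRIVATEKEYBLOB: 'PRIVATEKEYBLOB'}
ALG_NAMES = {CALG_RSA_KEYX: 'CALG_RSA_KEYX', CALG_RSA_SIGN: 'CALG_RSA_SIGN'}


def parse_key_blob(blob):
    # Parse the 8-byte PUBLICKEYSTRUC header and, when the body is plaintext,
    # the 12-byte RSAPUBKEY that follows it. Returns a dict describing the blob.
    if len(blob) < 8:
        raise ValueError('blob shorter than the 8-byte PUBLICKEYSTRUC header')
    btype, bversion, reserved, alg = struct.unpack_from('<BBHI', blob, 0)
    info = {
        'type': BLOB_TYPES.get(btype, 'unknown(0x%02x)' % btype),
        'version': bversion,
        'reserved': reserved,
        'alg_id': alg,
        'alg': ALG_NAMES.get(alg, 'unknown(0x%08x)' % alg),
        'header_ok': bversion == CUR_BLOB_VERSION and reserved == 0 and alg in ALG_NAMES,
    }
    if len(blob) >= 20:
        magic, bitlen, pubexp = struct.unpack_from('<III', blob, 8)
        expected = RSA1_MAGIC if btype == PUBLICKEYBLOB else RSA2_MAGIC
        if magic == expected:
            info['magic'] = 'RSA1' if magic == RSA1_MAGIC else 'RSA2'
            info['bitlen'] = bitlen
            info['pubexp'] = pubexp
            info['body'] = 'plaintext'
            if btype == PUBLICKEYBLOB:
                # The modulus follows RSAPUBKEY as bitlen/8 little-endian bytes.
                info['modulus'] = int.from_bytes(blob[20:20 + bitlen // 8], 'little')
        else:
            # Header is readable but the RSAPUBKEY magic is not: the body is encrypted
            # (as with UNIQUE_ID_DONT_REMOVE) or this is not an RSA blob at all.
            info['body'] = 'encrypted or unknown'
    return info


def build_public_blob(modulus, pubexp=65537):
    # Construct a PUBLICKEYBLOB the way CryptExportKey would lay it out.
    bitlen = (modulus.bit_length() + 7) // 8 * 8
    header = struct.pack('<BBHI', PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack('<III', RSA1_MAGIC, bitlen, pubexp)
    return header + rsapubkey + modulus.to_bytes(bitlen // 8, 'little')


# Constructed samples (toy modulus, not a real key; not the files dropped by the malware).
SAMPLE_PUBLIC = build_public_blob(0xC0FFEE1234567890ABCDEF)
# Private blob: 07 02 00 00 00 A4 00 00 header, then an opaque (here: junk) body.
SAMPLE_PRIVATE = struct.pack('<BBHI', PRIVATEKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX) + bytes(range(1, 41))


if __name__ == '__main__':
    print(parse_key_blob(SAMPLE_PUBLIC))
    print(parse_key_blob(SAMPLE_PRIVATE))
```

Running parse_key_blob over a dropped PUBLIC file gives the victim's RSA modulus and bit length directly; over UNIQUE_ID_DONT_REMOVE it confirms the PRIVATEKEYBLOB / CALG_RSA_KEYX header and reports the body as not parseable, which is the expected result for the encrypted private key.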
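Worked example (added, not from the original post): a triage scanner built from three behaviours described above, the HERMES marker at the end of an encrypted file, the skipped folder list, and the 1000000-byte chunking. It reads only the tail of each file, like the malware's own ReadFile check. The post says the marker sits at the end but not its exact offset relative to the appended key material, so the 4 KiB tail window is an assumption, as is the case-insensitive folder comparison. The sample directory tree is constructed in a temporary directory; the 'encrypted' files in it are junk plus the marker, not real ciphertext.

```python
import os
import tempfile

HERMES_MARKER = b'HERMES'
CHUNK_SIZE = 1000000    # the post: HERMES reads and encrypts 1000000 bytes at a time
TAIL_WINDOW = 4096      # assumption: the marker lies within the last 4 KiB of the file
# Folder names the post lists as skipped by the malware; compared case-insensitively here (assumption).
SKIPPED_DIRS = {'windows', 'ahnlab', 'chrome', 'microsoft', 'mozilla', '$recycle.bin'}


def has_hermes_marker(path):
    # Read only the tail of the file rather than the whole thing.
    size = os.path.getsize(path)
    with open(path, 'rb') as f:
        f.seek(max(0, size - TAIL_WINDOW))
        tail = f.read()
    return HERMES_MARKER in tail


def iter_chunks(path, chunk_size=CHUNK_SIZE):
    # Yield the file in the same 1000000-byte slices the malware encrypts.
    with open(path, 'rb') as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                return
            yield chunk


def scan_tree(root):
    # Walk the tree, prune the listed directories, and classify each file by the marker.
    encrypted, clean, skipped_dirs = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        keep = []
        for d in dirnames:
            if d.lower() in SKIPPED_DIRS:
                skipped_dirs.append(os.path.join(dirpath, d))
            else:
                keep.append(d)
        dirnames[:] = keep   # pruning the list in place is what makes os.walk skip them
        for name in filenames:
            p = os.path.join(dirpath, name)
            (encrypted if has_hermes_marker(p) else clean).append(p)
    return {'encrypted': sorted(encrypted), 'clean': sorted(clean), 'skipped_dirs': sorted(skipped_dirs)}


def demo():
    # Constructed sample tree (not real victim data).
    root = tempfile.mkdtemp(prefix='hermes_demo_')

    def put(rel, data):
        p = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, 'wb') as f:
            f.write(data)
        return p

    put('docs/report.docx', b'PK' + bytes(3000))                                   # untouched file
    big = put('docs/report2.docx', bytes(2500000) + HERMES_MARKER + bytes(256))     # marker plus an appended key blob
    put('docs/tiny', HERMES_MARKER)                                                 # smaller than the tail window
    put('Windows/notepad.exe', b'MZ' + bytes(100) + HERMES_MARKER)                  # would match, but the folder is pruned
    result = scan_tree(root)
    result['chunks_in_big_file'] = sum(1 for _ in iter_chunks(big))                 # 2500262 bytes -> 3 chunks
    return result


if __name__ == '__main__':
    print(demo())
```

Pointing scan_tree at a mounted image of an infected host gives a quick count of encrypted versus untouched files; the pruned folders are exactly the ones the malware leaves alone, so anything inside them is expected to be clean and is a good place to look for the dropped batch files and the key blobs instead.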
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html"
	],
	"report_names": [
		"deep-dive-into-hermes-ransomware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439119,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b31212578cb24c7ff28bd92fae571cc42acd6b1.pdf",
		"text": "https://archive.orkl.eu/8b31212578cb24c7ff28bd92fae571cc42acd6b1.txt",
		"img": "https://archive.orkl.eu/8b31212578cb24c7ff28bd92fae571cc42acd6b1.jpg"
	}
}