Malware Technical analysis of the HelloFire malware — ShadowStackRE
Common Information
Type Value
UUID 158403d7-05d6-436d-af77-96592ce8c557
Fingerprint 3e18b8b1b2049618
Analysis status DONE
Considered CTI value 0
Text language
Published March 24, 2024, midnight
Added to db Aug. 31, 2024, 10:56 a.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline HelloFire ransomware
Title Malware Technical analysis of the HelloFire malware — ShadowStackRE
Detected Hints/Tags/Attributes 39/3/14
Attributes
Type       Value                                                             #Events  CTI Value
Domain     keemail.me                                                        68
Domain     onionmail.org                                                     85
Domain     shadowstackre.com                                                 10
Domain     opensource.org                                                    18
File       'restore.txt                                                      1
File       'kernel32.dll                                                     13
File       'vssadmin.exe                                                     4
File       'cmd.exe                                                          37
File       restore.txt                                                       3
File       vssadmin.exe                                                      345
sha256     3656c44fd59366700f9182278faf2b6b94f0827f62a8aac14f64b987141bb69b  1
Pdb        e.pdb                                                             3
Url        https://opensource.org/license/mit                                10
Yara rule  (rule text below)                                                 1
rule HelloFireRansomware {
	meta:
		description = "Rule to detect HelloFire ransomware"
		author = "ShadowStackRe.com"
		date = "2024-03-24"
		Rule_Version = "v1"
		malware_type = "ransomware"
		malware_family = "HelloFire"
		License = "MIT License, https://opensource.org/license/mit/"
		Hash = "3656c44fd59366700f9182278faf2b6b94f0827f62a8aac14f64b987141bb69b"
	strings:
		$strExt = ".afire" wide
		$strRestore = "Restore.txt" wide
		$strShadowCopy = "vssadmin.exe delete shadows /all /quiet" wide
		$strMutex = "MoreMoney"
		$strPDBPath1 = "Zdravstvuy"
		$strPDBPath2 = "e.pdb"
	condition:
		uint16(0) == 0x5A4D and all of them
}