Hibijyon-sc-6.rar
If any behaviour was not observed, note "Not observed" to differentiate from "Not applicable."

| Type | Value | Source |
|------|-------|--------|
| File hash (SHA-256) | <<INSERT>> | Static analysis |
| File hash (MD5) | <<INSERT>> | Static analysis |
| Malicious IP | <<IP>> | Network capture |
| Domain | <malicious-domain>.com | DNS query |
| C2 URL | http://<malicious-domain>.com/api/key | HTTP request |
| Bitcoin address | <<BTC>> | Ransom note |
| Registry key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc | Runtime |
| File path | %APPDATA%\svc.exe | Runtime |
| Process name | svc.exe | Runtime |
All suspicious indicators should be cross-checked against threat-intel feeds.

| Behaviour | Description | Observed Artifacts |
|-----------|-------------|--------------------|
| Process creation | setup.exe spawns svchost.exe with hidden window | PID, command line |
| File system | Writes to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe | Persistence mechanism |
| Registry | Adds HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc = "C:\Users\<user>\AppData\Roaming\svc.exe" | Registry persistence |
| Network | HTTP GET to http://<malicious-domain>.com/api/key (TLS 1.2); DNS query for *.badhost.net | Destination IP: <<IP>> |
| Encryption | Generates RSA-2048 key pair; encrypts files in Documents folder, appends .hibi extension | Encrypted file sample: report.docx.hibi |
| Ransom note | Drops README.txt containing ransom instructions (Bitcoin address <<BTC>>) | - |
| Anti-analysis | Checks for debugger (IsDebuggerPresent), sleeps for 30 s if sandbox detected | - |
All analysis was performed in an isolated, air-gapped environment with no access to production networks.

| Attribute | Value |
|-----------|-------|
| Container format | RAR v5 (solid archive, password-protected: yes/no) |
| Number of entries | <<COUNT>> |
| Embedded files | List each entry (e.g., setup.exe, readme.txt, config.dat). Include size and timestamps. |
| Compression ratio | <<RATIO>> |
| Password protection | Yes - password: <<PROVIDED OR NOT>> (if known) |
| Suspicious artifacts | • Presence of executable(s) with mismatched extensions • Dropped DLLs or scripts (e.g., PowerShell, VBScript) • Encrypted payloads (e.g., .bin, .dat) |

4. Static Analysis Findings

| Item | Observation | Indicator |
|------|-------------|-----------|
| File header | Correct RAR signature (52 61 72 21 1A 07 00) | - |
| Embedded executable(s) | setup.exe - PE32+ (64-bit) with packer UPX / custom stub | YARA rule: packer_upx |
| Strings | • "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup" • "http://<malicious-domain>.com/payload" • "crypt-key" | IOC: http://<malicious-domain>.com |
| Resources | Icon with "?", version info "File description: Installer" | - |
| Certificates | Signed with self-signed certificate - CN=Hibijyon Corp (expires 2025) | - |
| Embedded scripts | install.vbs - creates scheduled task "Updater" | - |
| Obfuscation | Base64-encoded data block of ~12 KB in config.dat | - |
Prepared for: <<INTENDED RECIPIENT / TEAM>>

This report template is intended for use by authorized security personnel. Ensure that any analysis of potentially malicious samples is conducted within a properly isolated environment and in accordance with your organization's policies and applicable laws. If you require deeper technical details (e.g., disassembly of the embedded PE, memory dump artefacts), please provide the relevant artefacts or request a full forensic investigation.