Hibijyon-sc-6.rar File

If any behaviour was not observed, note “Not observed” to differentiate from “Not applicable.”

| Type | Value | Source |
|------|-------|--------|
| File hash (SHA-256) | <<INSERT>> | Static analysis |
| File hash (MD5) | <<INSERT>> | Static analysis |
| Malicious IP | <<IP>> | Network capture |
| Domain | <malicious-domain>.com | DNS query |
| C2 URL | http://<malicious-domain>.com/api/key | HTTP request |
| Bitcoin address | <<BTC>> | Ransom note |
| Registry key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc | Runtime |
| File path | %APPDATA%\svc.exe | Runtime |
| Process name | svc.exe | Runtime |

All analysis was performed in an isolated, air-gapped environment with no access to production networks.

| Attribute | Value |
|-----------|-------|
| Container format | RAR v5 (solid archive, password-protected: yes/no) |
| Number of entries | <<COUNT>> |
| Embedded files | List each entry (e.g., `setup.exe`, `readme.txt`, `config.dat`). Include size and timestamps. |
| Compression ratio | <<RATIO>> |
| Password protection | Yes – password: <<PROVIDED OR NOT>> (if known) |
| Suspicious artifacts | • Presence of executable(s) with mismatched extensions • Dropped DLLs or scripts (e.g., PowerShell, VBScript) • Encrypted payloads (e.g., `.bin`, `.dat`) |

4. Static Analysis Findings

| Item | Observation | Indicator |
|------|-------------|-----------|
| File header | Correct RAR signature (`52 61 72 21 1A 07 00`) | – |
| Embedded executable(s) | `setup.exe` – PE32+ (64-bit) with packer UPX / custom stub | YARA rule: packer_upx |
| Strings | • “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup” • “http://<malicious-domain>.com/payload” • “crypt-key-” | IOC: http://<malicious-domain>.com |
| Resources | Icon with “?”, version info “File description: Installer” | – |
| Certificates | Signed with self-signed certificate – CN=Hibijyon Corp (expires 2025) | – |
| Embedded scripts | `install.vbs` – creates scheduled task “Updater” | – |
| Obfuscation | Base64-encoded data block of ~12 KB in `config.dat` | – |

All suspicious indicators should be cross-checked against threat-intel feeds.

| Behaviour | Description | Observed Artifacts |
|-----------|-------------|--------------------|
| Process creation | `setup.exe` spawns `svchost.exe` with hidden window | PID, command line |
| File system | Writes to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe | Persistence mechanism |
| Registry | Adds HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc → "C:\Users\<user>\AppData\Roaming\svc.exe" | Registry persistence |
| Network | HTTP GET to http://<malicious-domain>.com/api/key (TLS 1.2); DNS query for *.badhost.net | Destination IP: <<IP>> |
| Encryption | Generates RSA-2048 key pair; encrypts files in Documents folder, appends `.hibi` extension | Encrypted file sample: `report.docx.hibi` |
| Ransom note | Drops `README.txt` containing ransom instructions (Bitcoin address <<BTC>>) | – |
| Anti-analysis | Checks for debugger (`IsDebuggerPresent`), sleeps for 30 s if sandbox detected | – |