Keypoints
- Encryptor is a Visual C++ Windows PE32 (49.5 KB) first seen on VirusTotal on 2024-03-16 (SHA256 listed under Indicators of Compromise below).
- Deletes Windows shadow copies and clears the recycle bin to inhibit system recovery.
- Enumerates local volumes and network shares (including attempts to find ADMIN$) before recursion.
- Recursively discovers files using FindFirstFile/FindNextFile with tail recursion to avoid stack overflow.
- Renames files by appending the .afire extension and uses Restart Manager (RmStartSession, RmRegisterResource, RmGetList) to identify and terminate processes locking files.
- Implements Curve25519 for encryption, showing overlap with Babuk; YARA rule and notable strings (Restore.txt, .afire, Zdravstvuy) included.
MITRE Techniques
- [T1490] Inhibit System Recovery – The encryptor deletes shadow copies and disables recovery using the command ‘vssadmin.exe delete shadows /all /quiet’ to prevent restoration.
- [T1135] Network Share Discovery – The malware enumerates network shares with the ‘NetShareEnum’ API and inspects share names to locate shares like ‘ADMIN$’.
- [T1083] File and Directory Discovery – File-system traversal is performed via ‘FindFirstFile’ and ‘FindNextFile’ with recursive calls to process subdirectories.
- [T1486] Data Encrypted for Impact – Files are renamed with the ‘.afire’ extension and encrypted using a Curve25519-based routine (‘Curve25519 algorithm was identified for the encryption process’).
- [T1489] Service Stop – The encryptor stops services and terminates processes by obtaining process handles and calling ‘TerminateProcess’ (used after ‘RmGetList’ to remove locks).
Indicators of Compromise
- [File Hash] sample identification – 3656c44fd59366700f9182278faf2b6b94f0827f62a8aac14f64b987141bb69b (SHA256)
- [File Extension / Filename] artifact – ‘.afire’ extension used on encrypted files; ‘Restore.txt’ ransom note filename
- [Emails / Contact] ransom note contacts – keemail.me, onionmail.org
- [PDB / Build Path] developer artifact – ‘Zdravstvuy’ and ‘e.pdb’ found in PDB path
- [URLs] context / analysis links – https://www.virustotal.com/gui/file/3656c44fd59366700f9182278faf2b6b94f0827f62a8aac14f64b987141bb69b/details, and https://www.shadowstackre.com/analysis/hellofire
- [YARA] detection artifacts – rule strings include ‘.afire’, ‘Restore.txt’, ‘vssadmin.exe delete shadows /all /quiet’, and mutex ‘MoreMoney’
The sample is a 32-bit Windows PE built with Visual C++ (≈49.5 KB) and was first observed on VirusTotal on 2024-03-16 (SHA256: 3656c44f…). On startup it acquires a cryptographic context and RNG handles, then executes pre-encryption impact steps: it deletes Windows shadow copies, stops specified services/processes, and clears the recycle bin to reduce recovery options.
Before encrypting, the binary enumerates local volumes and network shares (using SetVolumeMountPoint/GetVolumePathNamesForVolumeName and NetShareEnum) and attempts to detect shares such as ADMIN$. It traverses the filesystem with FindFirstFile/FindNextFile in a tail-recursive manner to avoid stack overflow, and spawns a dedicated thread to handle discovery and encryption.
For each target file the payload sets attributes to FILE_ATTRIBUTE_NORMAL, renames the file by appending ‘.afire’ via MoveFileEx, then uses Restart Manager APIs (RmStartSession, RmRegisterResource, RmGetList) to identify processes holding locks. Identified processes are opened and terminated (OpenProcess + TerminateProcess) so files can be encrypted. The encryption routine uses Curve25519, consistent with observed overlap with Babuk; detection strings and a YARA rule include ‘.afire’, ‘Restore.txt’, ‘vssadmin.exe delete shadows /all /quiet’, and ‘Zdravstvuy’ in the PDB path.
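The behaviours above (shadow-copy deletion, mass renaming to ‘.afire’, and the ‘Restore.txt’ note) map directly onto host telemetry. The following detection logic is an added example, not part of the original analysis: it runs over constructed, simplified event records (not real logs), and the rename-burst threshold of 5 is an assumed tuning value.

```python
import re
from dataclasses import dataclass

# Indicators taken from the analysis above; the burst threshold is an assumed tuning value.
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)
RANSOM_EXT = ".afire"
RANSOM_NOTE = "Restore.txt"
RENAME_BURST = 5

@dataclass
class Finding:
    rule: str
    host: str
    detail: str

# Constructed telemetry (not real logs) in a simplified "EventType|Host|Image|Detail" form:
# ProcessCreate (Detail = command line), FileRename (Detail = "old -> new"), FileCreate (Detail = path).
SAMPLE_EVENTS = r"""
ProcessCreate|WS01|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
FileRename|WS01|C:\Users\Public\enc.exe|C:\Users\a\Documents\q1.xlsx -> C:\Users\a\Documents\q1.xlsx.afire
FileRename|WS01|C:\Users\Public\enc.exe|C:\Users\a\Documents\q2.xlsx -> C:\Users\a\Documents\q2.xlsx.afire
FileRename|WS01|C:\Users\Public\enc.exe|C:\Users\a\Documents\q3.docx -> C:\Users\a\Documents\q3.docx.afire
FileRename|WS01|C:\Users\Public\enc.exe|C:\Users\a\Pictures\p1.jpg -> C:\Users\a\Pictures\p1.jpg.afire
FileRename|WS02|C:\Windows\explorer.exe|C:\Users\b\draft.txt -> C:\Users\b\final.txt
FileRename|WS01|C:\Users\Public\enc.exe|C:\Users\a\Pictures\p2.jpg -> C:\Users\a\Pictures\p2.jpg.afire
FileCreate|WS01|C:\Users\Public\enc.exe|C:\Users\a\Documents\Restore.txt
"""

def parse_events(text):
    """Yield (event_type, host, image, detail) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            yield tuple(line.split("|", 3))

def detect(text):
    """Return findings for the three HelloFire behaviours visible in host telemetry."""
    findings, renames = [], {}  # renames: (host, image) -> count of .afire renames
    for etype, host, image, detail in parse_events(text):
        if etype == "ProcessCreate" and VSSADMIN_RE.search(detail):
            findings.append(Finding("T1490 shadow copy deletion", host, detail))
        elif etype == "FileRename" and detail.lower().endswith(RANSOM_EXT):
            key = (host, image)
            renames[key] = renames.get(key, 0) + 1
            if renames[key] == RENAME_BURST:  # fire once per process, at the threshold
                findings.append(Finding("T1486 .afire rename burst", host, f"{image} renamed {RENAME_BURST}+ files"))
        elif etype == "FileCreate" and detail.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            findings.append(Finding("ransom note dropped", host, detail))
    return findings
```

Running `detect(SAMPLE_EVENTS)` yields three findings, all on WS01; the single benign rename on WS02 produces none.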