Hibijyon-sc-6.rar < FAST >

Prepared for: <<INTENDED RECIPIENT / TEAM>>

This report template is intended for use by authorized security personnel. Ensure that any analysis of potentially malicious samples is conducted within a properly isolated environment and in accordance with your organization’s policies and applicable laws. If you require deeper technical details (e.g., disassembly of the embedded PE, memory dump artefacts), please provide the relevant artefacts or request a full forensic investigation.

All analysis was performed in an isolated, air-gapped environment with no access to production networks.

| Attribute | Value |
|-----------|-------|
| Container format | RAR v5 (solid archive, password-protected: yes/no) |
| Number of entries | <<COUNT>> |
| Embedded files | List each entry (e.g., `setup.exe`, `readme.txt`, `config.dat`). Include size and timestamps. |
| Compression ratio | <<RATIO>> |
| Password protection | Yes – password: <<PROVIDED OR NOT>> (if known) |
| Suspicious artifacts | • Presence of executable(s) with mismatched extensions • Dropped DLLs or scripts (e.g., PowerShell, VBScript) • Encrypted payloads (e.g., `.bin`, `.dat`) |

4. Static Analysis Findings

| Item | Observation | Indicator |
|------|-------------|-----------|
| File header | Correct RAR signature (`52 61 72 21 1A 07 00`) | – |
| Embedded executable(s) | `setup.exe` – PE32+ (64-bit) with packer UPX / custom stub | YARA rule: `packer_upx` |
| Strings | • `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` • `http://<malicious-domain>.com/payload` • `crypt-key-` | IOC: `http://<malicious-domain>.com` |
| Resources | Icon with “?”, version info “File description: Installer” | – |
| Certificates | Signed with self-signed certificate – CN=Hibijyon Corp (expires 2025) | – |
| Embedded scripts | `install.vbs` – creates scheduled task “Updater” | – |
| Obfuscation | Base64-encoded data block of ~12 KB in `config.dat` | – |

| Behaviour | Description | Observed Artifacts |
|-----------|-------------|--------------------|
| Process creation | `setup.exe` spawns `svchost.exe` with hidden window | PID, command line |
| File system | Writes to `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe` | Persistence mechanism |
| Registry | Adds `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc` → `"C:\Users\<user>\AppData\Roaming\svc.exe"` | Registry persistence |
| Network | HTTP GET to `http://<malicious-domain>.com/api/key` (TLS 1.2); DNS query for `*.badhost.net` | Destination IP: <<IP>> |
| Encryption | Generates RSA-2048 key pair; encrypts files in Documents folder, appends `.hibi` extension | Encrypted file sample: `report.docx.hibi` |
| Ransom note | Drops `README.txt` containing ransom instructions (Bitcoin address <<BTC>>) | – |
| Anti-analysis | Checks for debugger (`IsDebuggerPresent`), sleeps for 30 s if sandbox detected | – |

If any behaviour was not observed, note “Not observed” to differentiate from “Not applicable.”

| Type | Value | Source |
|------|-------|--------|
| File hash (SHA-256) | <<INSERT>> | Static analysis |
| File hash (MD5) | <<INSERT>> | Static analysis |
| Malicious IP | <<IP>> | Network capture |
| Domain | `<malicious-domain>.com` | DNS query |
| C2 URL | `http://<malicious-domain>.com/api/key` | HTTP request |
| Bitcoin address | <<BTC>> | Ransom note |
| Registry key | `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc` | Runtime |
| File path | `%APPDATA%\svc.exe` | Runtime |
| Process name | `svc.exe` | Runtime |

All suspicious indicators should be cross-checked against threat-intel feeds.