Reversing HiddenTear Ransomware!

Analysis of a .NET ransomware sample from the “Ryzerlo” malware family.

Intezer report: https://analyze.intezer.com/analyses/0762ca51-f301-4dc2-9f3c-786cffd0437a#ttp-section
Signature Overview of File.

File Information

PE Studio View of HiddenTear Ransomware.

Starting with the Main function in the Program class, which lives in the namespace hidden_tear.

dnSpy view of the “Main” function in the class “Program”, in the namespace “hidden_tear”.

Within the Main function, three functions are called:

- EnableVisualStyles

- SetCompatibleTextRenderingDefault

- Run

All three are called on the Application class.

This class carries out the basic operations needed to run the application; operations related to processes, threads and application information are all performed from here on the victim system.

Moving on to the three functions called through the Application class.

The first function is EnableVisualStyles.

This function sets up visuals for HiddenTear Ransomware.

EnableVisualStyles function.

At the beginning of this function a call is made to FileIOPermission which, confusingly for the analyst, creates a flag called “m_unrestricted” that passes a boolean value of 1 or 0 to the permission state.

FileIOPermission function.

The PermissionState enum defines the state of the permission: Unrestricted is assigned 1 and None is assigned 0.

PermissionState enumeration.

Further into the function we encounter the enum FileIOPermissionAccess, where the “AllFiles” member is defined; it defines which files may be accessed.

Enum FileIOPermissionAccess.

Then, as we move further into EnableVisualStyles(), three statements are executed: try, finally and if. In the finally block, the exceptions are created.

Lastly, in this function the theme styling is activated through a call to “EnableVisualStylesInternal”.

EnableVisualStylesInternal function.
Activation code for theme for HiddenTear Ransomware.

Now moving on to the second function, “SetCompatibleTextRenderingDefault”, called on the Application class. In this function, mainly, a conditional “if” statement is used to raise an exception.

SetCompatibleTextRenderingDefault function.

Inside the conditional “if” check, the NativeWindow function is used to dispose of the residue left in cache memory by NativeWindow after syncing the event handler to the C&C server.

NativeWindow function.

Here comes the main function, “Run”.

Main function of HiddenTear Ransomware.
InitializeComponent of HiddenTear Ransomware.

Main class: Form1

In this class the main operations, such as AES encryption and decryption, take place.

Dynamic Analysis (Basic)

MD5: 477e66eb6c969823890eaa56105a3801

SHA-1: 75647c701d04f64dbea02eead7a693ae8b7dcbc8

SHA-256: ab67847cf268c5dba3796b0c022148da53a39b857061fe93a9d704c9844647d8
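As an added triage example (not code from the original post), the three digests above can be used to check whether a file on disk is this exact sample; the script assumes Python 3 with only the standard library:

```python
"""Added triage helper (not part of the original post): hashes a sample and
checks it against the HiddenTear indicators listed in the write-up."""
import hashlib
from typing import Dict, List

# The three digests given for this sample in the write-up.
KNOWN_HIDDENTEAR_DIGESTS: Dict[str, str] = {
    "md5": "477e66eb6c969823890eaa56105a3801",
    "sha1": "75647c701d04f64dbea02eead7a693ae8b7dcbc8",
    "sha256": "ab67847cf268c5dba3796b0c022148da53a39b857061fe93a9d704c9844647d8",
}

ALGORITHMS = ("md5", "sha1", "sha256")


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of an in-memory sample."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as digest_bytes, but streams the file so large samples fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matching_algorithms(digests: Dict[str, str],
                        known: Dict[str, str] = KNOWN_HIDDENTEAR_DIGESTS) -> List[str]:
    """Return the algorithms whose digest matches the known sample (case-insensitive).

    An empty list only means the file is not this exact build: a recompiled
    HiddenTear variant will not match, so pair hash checks with a YARA signature.
    """
    return sorted(
        name for name, value in digests.items()
        if name in known and value.lower() == known[name].lower()
    )


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        hits = matching_algorithms(digest_file(path))
        print(f"{path}: {'MATCH ' + ','.join(hits) if hits else 'no match'}")
```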

Attack Mitre TTPs.
VT Detection.

YARA Signature:

Thanks for Reading.

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.
