{"id":2747,"date":"2024-09-25T19:48:52","date_gmt":"2024-09-25T19:48:52","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2747"},"modified":"2025-07-29T06:37:08","modified_gmt":"2025-07-29T06:37:08","slug":"how-to-save-your-files-from-hitler-ransomware","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/how-to-save-your-files-from-hitler-ransomware\/","title":{"rendered":"How to save your files from Hitler ransomware"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Hitler Ransomware was first discovered last year, and since then it has continued to target European Windows users with its destructive brand of malware.\u00a0

Upon successful infection, it extracts the following files into the system\u2019s %Temp% folder: chrst.exe, ErOne.vbs, and firefox32.exe.\u00a0

“firefox32.exe” is also copied into the Windows startup folder so it can be automatically launched upon system reboot.\u00a0

Upon reboot, the ransomware checks for the existence of the following processes, and, if found running, kills them: taskmgr, utilman, sethc, and cmd.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This malware removes the extensions for all files in various directories, displays a lock screen with a one-hour countdown message, and demands you enter a cash code for a 25 Euro Vodafone Card as payment before the timer runs out. Failing to enter the code within an hour leads the system to reboot, which in turn deletes most files on the victim computer.\u00a0

File Details \u00a0<\/strong><\/p>\n\n\n\n

File Type <\/td>Portable Executable (PE) File<\/td><\/tr>
Md5 hash <\/td>e64dbe09fc1805177d9058a40807e128(packed)
57381bc089724b9ee6fa65bf7a56800a(unpacked)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Static Analysis<\/strong>

This first thing our static analysis uncovered was that Hitler ransomware is packed with a UPX packer (unpacked as shown below):<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Unpacking the malware revealed the below strings and functionality:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

\u00a0 \u00a0 \u00a0

Dynamic Analysis<\/strong>\u00a0

Our researchers executed the ransomware in a virtual environment to see how it behaves in the real world.\u00a0

The first thing we noticed was the sample scanning the computer for particular file attributes, using the following command:

\u00a0\u00a0 \u00a0\u201cicacls.exe icacls . \/grant Everyone:F \/T \/C \/Q\u201d

It then accesses Windows command line utility (cmd.exe), and uses vssadmin.exe to delete volume shadow copies of the system (as shown below):\u00a0

cmd.exe cmd \/c vssadmin delete shadow \/all \/quiet & wmic shadowcopy delete & bcdedit \/set {default} boostatuspolicy ignoreallfailures & bcdedit \/set {default} recoveryenabled no & wbadmin delete catalog \u2013quiet

Now the \u2018encryption\u2019 phase begins, with the following pop-up displayed onto the victim\u2019s PC<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Next, all the victim\u2019s files have their extensions replaced with .AdolfHitler: \u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Below are the network activity observations:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

The ransomware also adds the following registries to ensure persistence:

\u2022\u00a0\u00a0 \u00a0HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Adolf Hitler: “C:\\Users\\<user-name>\\Desktop\\sample.exe”

\u2022\u00a0\u00a0 \u00a0HKU\\S-1-5-21-1265348393-3129211107-4082868339-1000\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Adolf Hitler: “C:\\Users\\<user-name>\\test\\Desktop\\sample.exe”

\u2022\u00a0\u00a0 \u00a0HKU\\S-1-5-21-1265348393-3129211107-4082868339-1000\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\Audio\\PolicyConfig\\PropertyStore\\8bd7da89_0\\: “{0.0.0.00000000}.{90a75006-e5fb-494e-8926-42d3ba714ca7}|\\Device\\HarddiskVolume2\\Users\\<user-name>\\\\Desktop\\sample.exe%b{00000000-0000-0000-0000-000000000000}”

Indicators of Compromise\u00a0<\/strong>

Command and Control:\u00a0

\u2022\u00a0\u00a0 \u00a0103.235.46.40

\u2022\u00a0\u00a0 \u00a0baidu[.]com

\u2022\u00a0\u00a0 \u00a0163[.]com

\u2022\u00a0\u00a0 \u00a0123.125.93.50

\u2022\u00a0\u00a0 \u00a0183.238.101.233

\u2022\u00a0\u00a0 \u00a02017[.]ip138[.]com

MD5 file hashes<\/strong>\u00a0

\u2022\u00a0\u00a0 \u00a0e64dbe09fc1805177d9058a40807e128

\u2022\u00a0\u00a0 \u00a057381bc089724b9ee6fa65bf7a56800a

Mitigation<\/strong>\u00a0

Unfortunately, the Hitler ransomware\u2019s distribution method is currently unknown.\u00a0

However, some specific tips for what to do after you\u2019ve been infected (and before the countdown timer runs out) include:\u00a0

As the malware relies on the system being rebooted, you should boot your system in \u201cSafe Mode with Networking\u201d, then find and delete the following entry:

C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\firefox32.exe;

Then, delete the following entries, which are stored in the %Temp% folder:

\u2022\u00a0\u00a0 \u00a0chrst.exe

\u2022\u00a0\u00a0 \u00a0firefox32.exe

\u2022\u00a0\u00a0 \u00a0ErOne.vbs

Although this strain\u2019s specific distribution method is unknown, general cyber hygiene (such as keeping antivirus updated with the latest virus definitions and including the IOCs in endpoint devices) will help reduce the risk of infection.\u00a0

\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"

Hitler Ransomware was first discovered last year, and since then it has continued to target European Windows users with its destructive brand of malware.  Upon successful infection, it extracts the following files into the system’s %Temp% folder: chrst.exe, ErOne.vbs, and firefox32.exe.  “firefox32.exe” is also copied into the Windows startup folder so it can be automatically […]<\/p>\n","protected":false},"author":1,"featured_media":2761,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2747","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2747","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2747"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2747\/revisions"}],"predecessor-version":[{"id":4309,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2747\/revisions\/4309"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2761"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2747"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2747"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2747"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}