General
-
Target
46MBBJZz.bat
-
Size
189B
-
Sample
200501-fzhd6rkjka
-
MD5
c7b71aa9749be55225b17bbaf4b4b9a1
-
SHA1
ec46d8385341aa2152b70d834c898c5fd9c82284
-
SHA256
ca27de823967366e96e0623a33820b1713b1e19439c82d81fe6521e04da48dcb
-
SHA512
3c0c57b1384957bcf30d3c079c6fc7c4a48be99a2148490e078eaa1809dd87d2e5f047f457cc8c9f2e6518f5ef8177d73f739c27076f45ec5deae04be4590e8d
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
ps1.dropper
http://185.103.242.78/pastes/46MBBJZz
Extracted
Path
C:\12361-readme.txt
Family
sodinokibi
Ransom Note
---=== Welcome. OSTEAD. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 12361.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8CCF28A78ADBB62E
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/8CCF28A78ADBB62E
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
khyQ33TSBJ2zrt4nCAP6yGFrdzH07oTR6c1U+E/2gCT125VUlxfIuK4LHghoWXvu
xE9RtbO9tTykyCWfwXCJBizbORFOy8dYN7vFIrTsfJ9KeQnjY9TJbsx2nAimMAk3
kXRjplh4b1y68WQw6IfFFNFw9i5VQQPe33rQP4c+BQNc9VYbLTSB1plbnO1sG/1w
uXZ6xTQmKCXgxT8EhNJ2yr+GKLSOgpFadKSpA3SInXhzSUfAZijxISFszdA6wdOr
yy0z3bUsVBjG3ho6ikVt0icqJWBtUcnha2JQVuhQksK7pAYz5AHQu+JCCH8uQa9O
UPltkkEx9+TJnYvtv7l2SCFC/YfDbqKcytZre6z+uB5SyZejWYBBrNb/BioiOpZ2
huw2zQGWIHigdjm3qjRq1ipi7bzzrYy1qaI/iYtT6eO7YaAcvwf0x+AwhlzV3pU0
X6UbYj075M8sgqAWYN9UbnCEFC3Ct79HYbIASJmhhj0j2QJXClKaKr9Ak5AX3rg9
hDUbP1zf6mb6hjBnHxUf55+PZblIlTmmBMqHwpaBqB17HMjj8kUdxQlWgJTkbkA6
3KSaQpH/4DwCDb3ZBJoBqLyVG2tG6UXPd+WfUuzxS0xs+GNTAuvDObNVhazDUc+s
hU+OAGpX61jJjrFAxUfCrA6GWZroxL96LngwM356En2ifSMQ47vLFXkqj89bOmvd
aU2W5gRqb8TrihlGEeWAsDBXdjBYh0SasAdQLXS6euGkMkeW0xTzzF+0GzgTavJ9
ZRczbHRGtGv9U8IjGH2DiEqq+0Z3bAFjcnQb0ItY3v0ILFwCv1czDo9UUs6bk/1w
w1JmfMfIAmw4b+pTNP43npoM6xvXrsdeO5yYWVZK937PHbBUspafsX3iAwEtwM2n
lPmQNzcWnL9Wij87Hf8wv8CnZZ0tRTt6K35j2FlfYYa2WT04cf4JZCNi2BCkKxCX
LyYSIvGmoOEveFIVhhXNTeOLUe+6WDUsuQPft8qi56WIKmk3X95cou97lnwQaVbT
sl0bI+PEz13z/yc19cOUvyORYyQa5neLBzLTydTEq8ptoeaMz3N7MhZ2nWK9y0Vk
PT8IT1+Jc+8Ocg/+Qg40UF/UXwmv+d4T6RW1uQRJiqOFNFPZRBairlPRMV7RPhX9
JDnldVatv2kXLM4AEnh8hhekPBHyTMw8cJjaFYwqESoqkRyGKd9yseesIvMinimn
ifG/3/nMkU2hAnpjIZ7Kq/Ee1Zrmp/9CVVDnDDXxZO1q5fJ2xkZ6h1oVMFuAEiua
7KNQzdZq/U6JVrAM4iFTHk0s8c+VJNYcGOS0L9ki
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8CCF28A78ADBB62E
http://decryptor.cc/8CCF28A78ADBB62E
Targets
-
-
Target
46MBBJZz.bat
-
Size
189B
-
MD5
c7b71aa9749be55225b17bbaf4b4b9a1
-
SHA1
ec46d8385341aa2152b70d834c898c5fd9c82284
-
SHA256
ca27de823967366e96e0623a33820b1713b1e19439c82d81fe6521e04da48dcb
-
SHA512
3c0c57b1384957bcf30d3c079c6fc7c4a48be99a2148490e078eaa1809dd87d2e5f047f457cc8c9f2e6518f5ef8177d73f739c27076f45ec5deae04be4590e8d
Score10/10-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Blacklisted process makes network request
-
Enumerates connected drives
-
Modifies system certificate store
-
Drops file in System32 directory
-
Modifies service
-
Sets desktop wallpaper using registry
-