General

  • Target

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

  • Size

    157KB

  • Sample

    200617-ayaa2se9dj

  • MD5

    b488bdeeaeda94a273e4746db0082841

  • SHA1

    5dac89d5ecc2794b3fc084416a78c965c2be0d2a

  • SHA256

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

  • SHA512

    2b62f0e0b017ed3d2dc7103d2020604f15f95449ba842bba18f886f9e1dcc977c459c53d1e6e7abfe6b99fc3dde24f5cc7a848c92443d1daf3574ef6f0263284

Malware Config

Extracted

Family

sodinokibi

C2

(Domain list from the sample's configuration. In Sodinokibi/REvil configurations this is the list the malware posts its check-in data to, and it typically mixes in unrelated, legitimate sites; the net attribute below is false for this sample, which disables that check-in. Treat hits on these names in DNS or proxy logs as leads to investigate, not as confirmed attacker infrastructure.)

lyricalduniya.com

theboardroomafrica.com

chris-anne.com

ownidentity.com

web865.com

paradigmlandscape.com

envomask.com

scentedlair.com

jlgraphisme.fr

andrealuchesi.it

mursall.de

letterscan.de

metcalfe.ca

dentourage.com

chomiksy.net

yayasanprimaunggul.org

opticahubertruiz.com

affligemsehondenschool.be

zealcon.ae

craftingalegacy.com

Attributes
  • net

    false

    (Configuration flag for posting check-in data to the domains listed above; false means this sample is configured not to contact them.)

  • pid

    10

    (Affiliate identifier carried in the configuration.)

  • ransom_oneliner

    Your files are encrypted! Open {EXT}.info.txt!

  • ransom_template

    Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}

    (Placeholders: {EXT} is the per-victim file extension, {UID} the victim identifier appended to both payment URLs, {KEY} the victim-specific key blob printed at the end of the note. Compare the two dropped notes below, where all three are filled in.)

  • sub

    7

    (Sub-identifier within the affiliate's campaign.)

Extracted

Path

C:\Recovery\588j13f.info.txt

Family

sodinokibi

Ransom Note
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 588j13f extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6D33E591A976E8C7 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/6D33E591A976E8C7 Page will ask you for the key, here it is: B2NyD8K2kcJJBstE3Jb7K5n/Vw/UlLdYSqD7jt+IdxTyVDqwfi2JphpVlHFCgSZ0 KTftiqfCoAosekdvlLdAZC6cStrvJihpQ96I7muv5fhoZC9nY/Zwc5MROEHVd4fZ tsWjD+3rX38T3ANSIYaiRDxde8zqIFARD8Ram1t04ORdFVNoUS9j1It63y8bds9Q ZDuEIy8iCGssw5M4b7Uj6AXy6je3wadT4SB9I4u5ArMnCIE8KBFuswCOxLQWOgFF y6krz4kT88SX+sstHJrcZymZvBEseY1akpMFhyNCFofvmefi9XHxajuS1wjZgfD7 rs7I2AYWFUhpu0iFFZZROQ/4S75Med0jVy0AyTSYR3Up+Lslf5RXUXvL8RX1jOeF x2c5IPxBTqE/uGpkme7Vt4kxhCWZWyWxIzYnpTmjLqrIO09NdeedQvDf59XUi/ox Nh+7jqDA1RJIZPrNYT/6glalgQaTjg0VKUmtWrjLSp13lsP347lAJVa1y9yYF8vr 3V7Og+anKSGfiCJFTMlrJcaBwB/JMdYsK3nnz78VX3fVbXhfTrxtoPO6bfYKC8VZ cL8SGRShaN7+/mHcvRNo0jFKK5XwuECMDCeDdNPQX9aG2msvjatRwc8fUeNpy7T7 TESpze5v9iGWnUylah3hZcmsEuojJv41NZIIJpyb58QWmtJmgbhd42ew1lYx/pHy yORP9oSlQYJA+kjJWPVzWcLeAQOZfCdLqQcRYuYNKxIunctzkyaTmLR5nPYgMKbP AbDQQAzFdTIXU4VLSSqbIKH6mGyoAB916fV6//PmvO2hYcL8vJu/2c2MS77e4KPs nbc4GM+zykLSW3pSsDSKx3klkYDHz4m6q/xGBEahB4x7SM5Cqi4PN3FM1+LwVVJf 9oJfLg3hiViQLUEpudl4LseEl/agmvscaDcLxaDkQLWXWh2wjwkSDQEZ2GiY0uv5 GCd1HMvWGRGnVDnKTXyMoNWFhI7FdgA7wNBmPrLv4x1JrTV/+KJIHDDnRN2DZpI5 8jLH7J3OEvSZEObfveMwaJnapQR62lBuV0DSAnmOj1K2h9U/aasu9a+Bk0iMiNvC Ht5vRr5k/Cv/kqknODIPcazc7JlE+XbE
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6D33E591A976E8C7

http://decryptor.top/6D33E591A976E8C7

Extracted

Path

C:\odt\ft1f70ek6.info.txt

Family

sodinokibi

Ransom Note
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got ft1f70ek6 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B27EB9CE81FBDF32 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/B27EB9CE81FBDF32 Page will ask you for the key, here it is: TXk0I4eYGzGSKHXX7ohor7JegrwVMODrCYk8olaqaSdFFBsbe7j5z2UNYzZm6mXH 5Btp/Fnwj4Ula2xkaSUPUgDq8YieXtmlP7WwM42HP7HN2T3Re1oI7qGnLogXsYpn BG3SEbxRIZPE8FbVSjyLaBE/QsgPAfEGaGpefKqeDjH314FKx9TC+OQv6nhGMobw crSJCS2uQtudq8OAtmX5A1JmWZaquAUPtCTfN2ekqyeg4EWbL0l3mZrj3VAtm3XX MHcyQdfee1ETnigu/GHkSwWJbEn36Hqx31K4I6sGZF7db6zNGWvz6+gtrSh6jjWS iWasG401XqQwVxMSMcj4ppnf63QdgnDdqeQvlqtI+6crmopRf7Br20vbvXDzJzmd yiwb3HDk/2ci6W8hj7c/x9kgTjV7N4srfwqC0Dn7pk7AKglad1NWEj4Ld576swCe 61Fy2kI6OGNl/XVPd5RTgBnrOhrLh6Ireg39BPmS1BEPP1bcuKrjbP7Vuz1OP3nd GNu/jrEp9tAsEf5JpL7dVE2n+ho2XTZ65lYuqr5qhyClSeCdeTVnCLRBpxpmqZKa AK0ZVBXD/nKzdF5yvThMGBaUYJ6+Ulr+w6cA80hG3eqpRoVuyy/HAreiQ2b8kLLo 0HLxws9dZ8w2SqSEoQw7qPPtn64+Md3cI5R1IFNraUxmGmrSE5wLdSrujUWQlCpT JLi7HDI/zvIlPCYaywDoIDiTd8hxBKuK87r3gQTKJP5cZWYgVHsJ/CmJiUf5xUyq nsOeAlKEmQiF/HkXWuBAI4mKNsxa4AvYJgXCsXrNJglUJP0th4X1oZ5mA50+wvTW bO/WJND2Clm5A0P9/9q6ua7V4Tq4jxBEC+u9b4r89LE+8u8EC/33ALa1iImX14Cw xaPmv0+pTSNnQ0U1uTvXIj30XdKsv1KR+q6EXFMCaewU9meM6edXQ5hA7wFoNxXn IPsaZiIdubCqcpBf7K745mUdPdN/JdauzuK3m2POlx3h7SI6ZYJ/TcQko0wT/IBx PxFF7N+X1GO+9Ad8SKJLnQUIHgsUkaZRDwqXz+3PdfrdrLAjzAggG5QN59KsE049 WlzMhtBAKGY=
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B27EB9CE81FBDF32

http://decryptor.top/B27EB9CE81FBDF32
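Worked example, added here and not part of the sandbox report: a small Python parser that turns the ransom_template above into a regular expression (the repeated {UID} is enforced as a backreference, so a note whose two URLs disagree is rejected) and extracts EXT, UID and KEY from a dropped note, then derives the note filename and the two victim URLs. The note it parses is a constructed sample rendered from the template with the EXT and UID of the first dropped note and a placeholder key, broken into CRLF lines as a dropped .info.txt would be; the character classes assumed for EXT, UID and KEY are assumptions based on the values shown on this page, not something the report states.

```python
import ntpath
import re
from typing import Dict, List, Optional

# ransom_template as extracted from this sample's configuration (copied from the report).
RANSOM_TEMPLATE = (
    "Hello dear friend! Your files are encrypted, and, as result you can't use it. "
    "You must visit our page to get instructions about decryption process. "
    "All encrypted files have got {EXT} extension. Instructions into the TOR network "
    "----------------------------- Install TOR browser from https://torproject.org/ "
    "Visit the following link: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "Instructions into WWW (The following link can not be in work state, if true, "
    "use TOR above): ----------------------------- Visit the following link: "
    "http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}"
)

PLACEHOLDER = re.compile(r"\{(EXT|UID|KEY)\}")
URL_RE = re.compile(r"https?://\S+")

# Assumed character classes, based on the values in the two dropped notes:
# EXT alphanumeric, UID hex, KEY base64 that may be wrapped across lines.
GROUP_PATTERNS = {
    "EXT": r"[A-Za-z0-9]+",
    "UID": r"[0-9A-Fa-f]+",
    "KEY": r"[A-Za-z0-9+/=\s]+",
}


def _literal_pattern(text: str) -> str:
    """Escape a literal fragment of the template; any whitespace run in the
    template matches any whitespace run in the note (dropped notes use CRLF)."""
    pat = r"\s+".join(re.escape(w) for w in text.split())
    if text[:1].isspace():
        pat = r"\s+" + pat
    if text[-1:].isspace():
        pat += r"\s+"
    return pat


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Compile the placeholder template into a regex with named groups.
    A placeholder seen a second time becomes a backreference to the first."""
    parts: List[str] = []
    seen = set()
    pos = 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(_literal_pattern(template[pos:m.start()]))
        name = m.group(1)
        if name in seen:
            parts.append(f"(?P={name})")
        else:
            parts.append(f"(?P<{name}>{GROUP_PATTERNS[name]})")
            seen.add(name)
        pos = m.end()
    parts.append(_literal_pattern(template[pos:]))
    return re.compile("".join(parts))


def parse_note(note: str, template: str = RANSOM_TEMPLATE) -> Optional[Dict[str, object]]:
    """Extract EXT, UID and KEY from a dropped note, or None if it does not fit."""
    m = template_to_regex(template).search(note)
    if not m:
        return None
    ext, uid = m.group("EXT"), m.group("UID")
    key = "".join(m.group("KEY").split())  # collapse the wrapped base64 lines
    # Victim URLs are the template URLs that carry {UID}, with the UID filled in.
    urls = [u.replace("{UID}", uid) for u in URL_RE.findall(template) if "{UID}" in u]
    return {
        "ext": ext,
        "uid": uid,
        "key": key,
        # The oneliner says "Open {EXT}.info.txt!", matching the dropped paths above.
        "note_filename": f"{ext}.info.txt",
        "urls": urls,
    }


def is_note_path(path: str, ext: str) -> bool:
    """True if a Windows path is the ransom note for the given victim extension."""
    return ntpath.basename(path).lower() == f"{ext}.info.txt".lower()


# Constructed sample note: the template rendered with the EXT/UID of the first
# dropped note on this page and a placeholder key, split into CRLF lines.
# This is not the real dropped file.
SAMPLE_NOTE = (
    RANSOM_TEMPLATE.replace("{EXT}", "588j13f")
    .replace("{UID}", "6D33E591A976E8C7")
    .replace("{KEY}", "Q29uc3RydWN0ZWRT\r\nYW1wbGVLZXk=")
    .replace(". ", ".\r\n")
)

if __name__ == "__main__":
    print(parse_note(SAMPLE_NOTE))
```

Run against the real dropped notes, the parser gives you the victim identifier and extension per host without hand-copying them, and the backreference check catches notes that were tampered with or truncated mid-URL.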

Targets

    • Target

      139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

    • Size

      157KB

    • MD5

      b488bdeeaeda94a273e4746db0082841

    • SHA1

      5dac89d5ecc2794b3fc084416a78c965c2be0d2a

    • SHA256

      139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

    • SHA512

      2b62f0e0b017ed3d2dc7103d2020604f15f95449ba842bba18f886f9e1dcc977c459c53d1e6e7abfe6b99fc3dde24f5cc7a848c92443d1daf3574ef6f0263284

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Deletes shadow copies

      Volume Shadow Copies are removed so that Windows cannot restore earlier file versions. Ransomware does this to inhibit system recovery, so restoration planning for an infected host should assume local shadow copies are gone.

    • Reads user/profile data of web browsers

      Generic signature raised on reads of files under browser profile directories. Infostealers target this data for saved credentials, but in a ransomware run the same signature can fire from the encryption pass traversing the user profile, so it does not on its own establish credential theft.

    • Enumerates connected drives

      Lists attached volumes, which a file encrypter needs to locate its targets.

    • Modifies system certificate store

    • Modifies service

    • Sets desktop wallpaper using registry

      The ransom wallpaper is applied by writing the per-user Wallpaper value under HKCU\Control Panel\Desktop.
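Added example, not from the sandbox report: a Python triage helper that applies three of the behaviours above to endpoint and network telemetry: process-creation command lines for shadow-copy deletion, registry writes to the per-user Wallpaper value, and DNS queries against the configuration domain list. The event dictionaries and their field names are a made-up schema constructed for the example, and the vssadmin / wmic / Win32_ShadowCopy command-line patterns are the usual forms of that behaviour, assumed here rather than taken from this sample's recorded command line.

```python
import re
from typing import Dict, Iterable, List

# Domain list from the extracted Sodinokibi configuration above.
CONFIG_DOMAINS = {
    "lyricalduniya.com", "theboardroomafrica.com", "chris-anne.com",
    "ownidentity.com", "web865.com", "paradigmlandscape.com", "envomask.com",
    "scentedlair.com", "jlgraphisme.fr", "andrealuchesi.it", "mursall.de",
    "letterscan.de", "metcalfe.ca", "dentourage.com", "chomiksy.net",
    "yayasanprimaunggul.org", "opticahubertruiz.com",
    "affligemsehondenschool.be", "zealcon.ae", "craftingalegacy.com",
}

# Command-line shapes for shadow-copy deletion. The report only records the
# behaviour ("Deletes shadow copies"); these are the commonly used forms and
# are an assumption, not the exact command line of this sample.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I),  # PowerShell / WMI form
]

# "Sets desktop wallpaper using registry": the per-user Wallpaper value.
WALLPAPER_VALUE = re.compile(r"\\control panel\\desktop\\wallpaper$", re.I)


def domain_in_config(host: str) -> bool:
    """Match a queried host against the config domains, including subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CONFIG_DOMAINS)


def scan_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event that matches a report behaviour or domain."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            cmd = ev.get("cmdline", "")
            if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
                findings.append({"rule": "deletes_shadow_copies", "evidence": cmd})
        elif kind == "registry":
            path = ev.get("path", "")
            if WALLPAPER_VALUE.search(path):
                findings.append({"rule": "sets_wallpaper_via_registry",
                                 "evidence": f"{path} = {ev.get('data', '')}"})
        elif kind == "dns":
            host = ev.get("query", "")
            if domain_in_config(host):
                findings.append({"rule": "config_domain_contacted", "evidence": host})
    return findings


# Constructed telemetry for the example (made-up schema and values).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "registry", "path": r"HKCU\Control Panel\Desktop\Wallpaper",
     "data": r"C:\Users\victim\AppData\Local\Temp\wallpaper.bmp"},
    {"type": "registry", "path": r"HKCU\Control Panel\Desktop\WallpaperStyle", "data": "10"},
    {"type": "dns", "query": "www.chris-anne.com"},
    {"type": "dns", "query": "update.microsoft.com"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['rule']}: {f['evidence']}")
```

The DNS rule is the weakest of the three on its own: the configuration list mixes in legitimate sites and this sample's net flag is false, so a domain hit is a prompt to pull the host's process and file events, and the shadow-copy and wallpaper rules are what confirm an encryption run.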

MITRE ATT&CK Enterprise v6

Tasks