General

  • Target

    145ba213336bbb05c09d2bcf198aa3bd

  • Size

    416KB

  • Sample

    200622-dbecyrven2

  • MD5

    145ba213336bbb05c09d2bcf198aa3bd

  • SHA1

    517dc0d3d853c09fd7cb69aa85fc8f37b9bf3a87

  • SHA256

    6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986

  • SHA512

    1868d5e625f2fb48f1ca59a34d6b0ebee612d5c657adc349ddc9b5984409e0e9844f5a31f81a1f1e1234e44064f695de07843f1fad3aad54e051e6620127a4b1

Malware Config

Extracted

Path

C:\Recovery\5xo92-readme.txt

Family

sodinokibi

Ransom Note
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 5xo92 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1BF78611764D052C Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/1BF78611764D052C Page will ask you for the key, here it is: zo5Sg0rNPv40ehul38X8iUx/+gSMZLr2vkkyJ485AJjFQYAmcLKbZaeS7yQFUjUN qLw4GWkfwa+oDlCfxOJHsNMwytS0kZASsX2FRVA6GRjxneY3JCKaoHtoi8Pz6LQW 90p5d5xFJ8lMzrv8R0TZ7FjOz4ZaRPYAtQS+JmiSWgv2J76klT4v4akYzZuQ8xUM ycXDYGnjQ4c6Wp73C/zxZhoFbC1QlwI/VuOhRUWtrm+2Sz8NLsYhgUF/HS5rDcDv YCJA30lRZoO3Ns26glbtJpWJVNRI/fBJPESCKJhHwJLn4ghHoXDaETrDHSuEV1G6 rCCCkCBDtm1kuSCFKywhhHaWRnUgMvEby8rI9nh+BauPSPeMlUEU1vzDlamh939d /dHyDsRkuxgm92jJAy/Tk47e11UTj3CBjCUQspYPYY/K41sHNX9ZrCWrsHJGvkqM DnrrLkG7F5CctbI7jc3HiqTArXTxyzMcMDojlDBHyWzFhHphnOrE/X1oeFJhf/f3 Vw1A/+L9TIE3zcq7QtRvK6vsrbmne1cBH2CqfpNs4bvdl8UhIbo7BqUdgugRpk8+ 0HXe3Vfd5lKpd/HrfguLjQ0pl2ckSDktUdlpns71Ahl6nGysqzniUudQomxvvYfS uPSPGHTZ1189rI/04f9ZWLln6PXmsezH1GosF+VoVSPqhTy6oyEnZHMIZZJhgsym AhOGBOeZpJc9gm16KSL5Cp7DVK+gsDh5WWIV7vxn3WQFXj2voo+4AA6+C8GnTwVc f6nEonwdJ2UNCTvUMo6r+o63jAku9OrEklF/jk1ibqsI84dAoVo+7oL4PiDZopKm QpKYF7kogTZv58THWkYshoiBU/ItUfMoxqENKPj6dtQidkIjTzzdIIvn+R6qsDcp U3w6h2mQLyKqU5FIEj1Z/rrQ9bDPSB2tsYbFV6RVmvNV84o5+KROZjewkFgyC1ia FJbtA6dSNh3MziWzeUfz3FKOACZJPBMs+yKz7g50zxTRm9WIw19qG/Xfq2KgYjlU 9HNomJo+gNY6OeD/tL90RUAQMHcDFzvCPfQIuCexGmrQ0EWik+psgHU+ek/mqCJ/ puJFRpcuLrnJ9XNBKhLDNp60ErsxARDWTgY=
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1BF78611764D052C

http://decryptor.top/1BF78611764D052C

Extracted

Path

C:\odt\d31985o9-readme.txt

Family

sodinokibi

Ransom Note
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got d31985o9 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/79BD66702E965ACE Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/79BD66702E965ACE Page will ask you for the key, here it is: JRDayGbe4RBJmccs8epn4K8BzP6EUBtRiYrfiJ04hmreG756doEHVZ1pwrVbJ+2V yIP2FN/RA3m8okChclenjwk0NFfdyI+Lqf3YiaeiT/IeT5fZlHnszCBaQU7FGOlP /1b0I4ll5Y99qJP5TbQaWZ9W5K9KhNFyzbFzR6M4i77EKvo6kQoEpV170qbVDmVv TxB0MHED5dsJCT/Ub69nrQVwowalkP1xiDCArLiyvqdrsc3MVHDuNkOx9xDDRPj1 mD5fIgdS6vwhxSWdulvmv7qBCkMmOWyH3IWYjmVknRsZEr2/xSbYNXbHsQrvGGRB 8c0IqyIWJZhvXKPyI9UpGRO9lSkdhPgNTWcgm9JZ0OCyH8B/kBChRZsb7RYQ0bZt lBlu8d7T3yDAZroTje19qDn/F9fnUy2tiLKkUwsvRhJbwPm3eG/U3qgnURySHv01 bNYV3Wsa2hHY9cLyMX4jxSwhmr8wB3h6R+eqfbmUM02J84z1PvzrFv6z+YthN0jR s0uAramER2tyAvMEtxrmyuzOILpmmbsMMNNtMuRHNTiB6HARm3Sl6jWjFIvdn47R EZFt/oe4KRxS/U33cy+dxTtOh4wnlDDQ7BMjDcFj1rTWHHCB7mALd/yHOSyXDnFD pewfYyYLb+Wd5HTUB6unCCrFdPyEedlOWQTLnO/sig7MNLRIg1MsQkXtOemQIxLJ zsSjYFP93GnSHgdeRcsf++fL9RzbUglSM3c3xUTE2nx0Iy4EDfbnEefF+ow42JyO Za1ePDAxdGDIq7wgh8BKQX2Y/JZw1O5+t14IA1wTPwSe3KbkNhtbcUQNHYywXDXH zXEk83XaIscaf9xPqDkHbZ9JqmfI0F4VrVuHnz8qf8N9/wMK1G+Hwykq9wuBhHb5 Voi025RK5m8MLCY7bxYSmsevkGxx4qrROjW1CXBSIqYaF7f4KhqtLNr4gRqJdqS0 hux3NjWQrJwbYpQIqWxt1hlBMwmO+iTrMxr2UTOSmK+POXdmou7BEEeTW9INVM3v ZB+AebK5HILzzvc7QLY5quz04+QHvPSUz2gjkNBwLiICfK08DB/ioOD2Z6aPmnFX pcoyPXuDYuWTqg==
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/79BD66702E965ACE

http://decryptor.top/79BD66702E965ACE

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Enumerates connected drives

    • Modifies system certificate store

    • Modifies service

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6
