General

  • Target

    evil.exe

  • Size

    157KB

  • Sample

    200805-vftdx8jwle

  • MD5

    cbf729eace9735977cf545be8f37a28f

  • SHA1

    a247e58c2671283b0889db953af284517d75668b

  • SHA256

    80bbe933cc68fd5837b0ba84f17b9f796918125c52321d3d504468e837239765

  • SHA512

    115f1f3ae9900eda0d1c19fdb7b7a35d0cf4392831a54190c9c51ffe67463f888a58a4ce4edfd8cea72bd4359be755e82f5b1a6d1ccc2a324b8db37e95b32bb9

Malware Config

Extracted

Family

sodinokibi

C2


Attributes

  • net

    false

  • pid

    18

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
      c) Open our secondary website: http://decryptor.top/{UID}

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    37

Extracted

Path

C:\Recovery\zf3f4.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion zf3f4.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FAB811D0753C7FCD
  c) Open our secondary website: http://decryptor.top/FAB811D0753C7FCD

When you open our website, put the following data in the input form:
Key: cjEFJfgFZXS16Z8bARjDswMa2k54Pu4VvSW+13nzbc5iu9cZYdgsLOeU0S8YXWiI tcuJ5575Iy6ypUOy/gh80DCTkEu3Qi9tJZkzB2RryA2ld6j4vcoVb8Z6bi0HmhrF E4jLKChY6rPS+mZ3bk/OQ+5RcQzmN58bGumP45i2w2tEk9cherlNpjUkZD2uZTAy qGjYdP1JR4wc5fNQENoc93a6cfnT2rgsDLDkeDsdcl68zU4H8kBcj51Kam9SphBU OiIddxRNga/1xVVf4F37vVEXns2+/gAu9CXkKfDSuyt24/OZ4eSKiHQjJDSvlymr ClxBgtKop1P1aGrIodv7xajnEFSefsyb3S9ST93CFLgJo/z2QOUHBSgtVzZ7tlSU HW/YbRzd4g8qZP1GssJrPvau+y8sLOwZQYDWEnLyJ1jZ83yt/sANNnkBKHkYYmIS kLrjxExBS9duFJvaBQ6cYXwDSFbfS80k7Ii/ROaX3WRhqBZobtXd5sqgzmWf8RhJ cvDduqYCoVRR33zRvj4A2+XN7Hn5680zTQqqS5hIV9UaOumffZ/ECnIopaxwFaDd iirYqhR6BV/CrkpOBzfQIcuKPKGFUdhDkxhxgawr0gGBlIbj1WjzVjz1mxTaA1QN qCxJtKGWud4ZEPZ2QoSBIAYgdi8yoyAlOTPczd63gwiulpWMIfCln12QsuwoFbFZ KANYNxvjRktb9hP583LsU7gHFZPCcaRPfn6XzXRI4fQNUtJmzU7KOy19fSnv4yyG O9hlGDwFHhAvyDO6lEgA5uEZos+NB9JGSpJL+wXcPHBeHeGVY2UNmIF2nUoe7cM4 l6VS8BaOCSsjQzOcu9INJWniMyhMgo0PKTkZr2VggPekuHOUO6vj+E8aj+YKUxLK H5rfkPzTQBvbhjGZoJhxNgI0B0oQqW7TA0/k3SUUx5r3/lcE+zJfXzGC3S9Bmbv3 s7FaR5ok/FPm3tVsmwjMg4rCzTaYEb8K9KMTuN+xOasY/0AN32tdxx4ZpTb/skSu Qt6aQ0nVF1kXMaXAt7yMXFwWGcBVYejo8hRLpF7bj7MrNQTZPxopoLp85fVN1jmO DbNptAM3RrfUwhVJpDEZ/452T20pm2Kg/FU=
Extension name: zf3f4

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FAB811D0753C7FCD

Extracted

Path

C:\odt\mof2o3o9.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion mof2o3o9.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/703CE496AE2B5312
  c) Open our secondary website: http://decryptor.top/703CE496AE2B5312

When you open our website, put the following data in the input form:
Key: 4Tp+nyyx4itIIconZFLf3FRpSG05PprHLeYIQAjLoyw0B9t5h87Dl/tz2SNnF1hg 71lUOSTchBqQDqIyUHSZ+qisyLBk9nyZfj3FhFSl/QS1DmaDpZzFLZMxHHGVLDMK NoMDFJUYncQlaSs++/zH0odDRrNqKqmiDhX6GlIYtg7iSmJPM8x04pckoa2yvmi3 1MUyCi3SLoSDbHF0/NRULNh6xEhLJgqFceFfPOT/i7myQrhFpKlRZX61EQ3XbNCs BwBsUfjGyEWqBica0JIn6c4vbFMaFlwUxqN4y9l0d70Ae4Ub05mCBqxE77uLLljH mdeoG7fnYqXMpMXW0hJPuWi2aHiUYshup2P/CGwXc7evZtsbisxg/ksuq2nh+mRT prHhRAyP4xu9NI8Bcx6Wb0BLg9TclUTPvJwVLKxH1afm0iHD+zzrHsDh8yah9UGg ++wFWRxKX5rIPS+drIOg6DhoHgnH5Fe4FqoeLA5U91XKrTs3gN8PFg9BCky+TxgV bmW1ry6B24SJfc+0z2TnP3M3oiAES+Yr1LJGdtNpPUjwZxohUNbqcoDH5KCQgX+b MSSmNk+C0WZdOmjqZHUgkJZzLpAUkMf4wqfO35PM/SgIeoGZrNt+KYMaxPnJcStU zpppiMs+i1HIdTHsU9eF+BoK6TcfzP8DkXlZA1wYkNcuU06ZepvbAaJVspa/Qoa7 yv7B1ODR5Gp2NykFs3YqyScv50hOam/dGojtvRHC3NCwHeCHpTVQg3KW4ZRDGPNR Rz7wFJrqBFQD+BD0sabCwFL5hi2G6eVj99Bcu5yYYdzcSLpPAcnqiW+KbZTyfCDO sy4PjEPmAt9GEOXXEyEXNDg5mTMumoU8jx8LInN6F5h4KCAamLI9daO7bM+3pU69 mJUiQobsxN0n8X3NsiCCVlqYKqP+2njVQFpVKB4SdkHRcWjLtgqn+AVW20QVosxT kMU/uIy7JM+frv04Pz9TFM6ROzOVmBJhMnqKqxtsBiC0nnxps9gR6I8109Mh/pSG NZfbYZVqgg5Nb96U3RHxjSx91F7ImPfjuJvv0gtj1reuErBUtkmr50z/bcmM5pF0 Pp87Xg1PHS84rQ==
Extension name: mof2o3o9

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/703CE496AE2B5312

Targets

    • Target

      evil.exe

    • Size

      157KB

    • MD5

      cbf729eace9735977cf545be8f37a28f

    • SHA1

      a247e58c2671283b0889db953af284517d75668b

    • SHA256

      80bbe933cc68fd5837b0ba84f17b9f796918125c52321d3d504468e837239765

    • SHA512

      115f1f3ae9900eda0d1c19fdb7b7a35d0cf4392831a54190c9c51ffe67463f888a58a4ce4edfd8cea72bd4359be755e82f5b1a6d1ccc2a324b8db37e95b32bb9

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

    • Modifies service

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks