General

  • Target

    sodinokibi.bin

  • Size

    542KB

  • Sample

    210118-w4y48yjme6

  • MD5

    61c19e7ce627da9b5004371f867a47d3

  • SHA1

    4f3b4329871ec269043068a98e9cc929f603268d

  • SHA256

    bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9

  • SHA512

    dd919e1dace4e1f246552bbb1b55cd13f38bdac8764afb67624d4331341dff1c3cd75616da26d9deb4e05c04163b78a5ff8b9ffec2f73b2c9b82d5a41e216244

Malware Config

Extracted

Family

sodinokibi

C2


Attributes
  • net

    false

  • pid

    5

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    367

Extracted

Path

C:\4p171m6-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 4p171m6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/584BF5555F34A14E 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/584BF5555F34A14E Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: nASoLMNfbD+0hdPHoG+6kdSXHzDb5XZzZef/NPy2A6AOtnqF4C6im+r54sui7JzM wzuNmNXp75TZaCZwgZQRVde8MLsryxwJBtJ8S7XZ8kfs1ySDBS1bCtVaSHm99sNj UW/Sd3Z3s6iZCD+XvPKKZ4vxt/oWJ3Td/+O7hW0PwGGiP/R5Yvzo8C+ms67MyNv6 EF8udFMn0uw4cHps+W56JuVgaGi314y17AzvajJjSy2owFdwgpI7ULZ36ko9DxxN qXT/zhF/NIy0TJ/Re48pge60WDUCtRApCqdS0lafngwTYkdBPgbM/pBnJzyTDiCv Iao1yd/S3vzY5Gjjyf51EcYYseRZ60N5lIM/x709ScI+t1yB0JL1e+PXOEOTGMyo vD+YHvfOWFTat2lIStKz7cXROvPiFj8ZAUg/LNMK/9bl0FefrUpa7+aO6G9N5H65 6knCHnOIsNEa9Gup4WMNzgD0ZJO8Ae7fUz4O6InVXOwVbPQ+WYJi9nN2DJhmGI/W afIso2UpyvlngzGfOMoyDUnUJyj8DgzurqR8y+eGla1B3Fumr3LB0OsxNJsq3TDq oCEd2KFMonSDJvibkc5THx8Wx2b0W2tXTyVwUUcV497zSkrG2gHQFxxyNJ5oXIY6 8LUyjL0WVHoywY8xgq1zNL+VwhxtXlrWqeq11disbrzB9PCGMXMJgWmHeG9L34cD kM5dEDrEyr+z26pbgq0GZbFTcswoDLzXsMa4IHmG/LSbFWcRAXBIZfoOkmOn9UUi u9iMAVZ+lRu9cd+9MOPVc37F0Tb74Hxy7WOTnIXlABaLXY81hHr6kgqvXvrPnG+K Long1aP59Ncsntux/BRpCbjZFE4jAK8KO2pweifi7aWHC569a7QtObxgvd1J4sym cfkuljTjb8amOp94YLwTzC51XEezZvX/LNJQC7IjDRHW7DGM92MSYwLagi2hPmnw oV2DhyzJJQrnzLpSbMbrR4xKBCA3SZ6pgKBmT75eA04Y3NbwAhxQQLPlQTh7WSer Pf7yhf9KAdoQCpngXA/3JmC+xw+qUSVgIttEXd+d7s0HEXcz834HXZkSkVVTVj1c oEGiScPGXuoWx1koiHdTjETqz3KFfdx+Yf983ZDq6Q9wPtK8l1M11G5t Extension name: 4p171m6 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/584BF5555F34A14E

http://decryptor.top/584BF5555F34A14E

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
