General

  • Target

    42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135

  • Size

    120KB

  • Sample

    210412-vz2zvqc6qx

  • MD5

    0c7c5fcfb2368c716ce7eb0eda3f3533

  • SHA1

    96854d0cb673bd8575acc0c864052ce6b03ec9d2

  • SHA256

    42438a67636a6981b4e3209449040f6b393f10fe0636dfca2260fc0f4271e135

  • SHA512

    a5bf231ba0ab43d0fb9c87b8f2d936381f3baf68a9cb5b4eb8567cec835f468a3200a0834e2fcd57bbcf30f31899f54c680d0a4c292506d78c0518c63a31e89f

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$8RdjpkhSbCl4TO.CuojftOLGy5U2uRywIf4AbgXS9HXOBZ/zU0Iia

Campaign

7337

C2


Attributes
  • net

    false

  • pid

    $2a$12$8RdjpkhSbCl4TO.CuojftOLGy5U2uRywIf4AbgXS9HXOBZ/zU0Iia

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decoder.re/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: {KEY}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    7337

Extracted

Path

C:\6a689-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 6a689. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D88BB1CBB91DD499 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/D88BB1CBB91DD499 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: K5y4La6KT7Fl5IzzH6m3GE3XazMGiu3wG9/K2xM5RKC6ERtr8o5rokMmpQ82LrZD j0yRObjUFdpay78Klaxm+J/VXT7rcqBJIndG6IWBx38MJYgwmQ5SzwUyydCqT10Y sAEKWv+zejhlEVmS9y7DGM5HzptmAeiDuwc16huaPX7IiaJdWWQEdC4ecXdRjl14 y1VGMhh8vhQp2OXev0Cb6h1UTGt8D6zjr27IMaBdGCqu5mSOywhVoKuu1aDaCW9X ShPkiAmYN2aufPvAl5yQIyBWjqSYlNRrWEo9Py5xRCaYlJUsQtHAH55vtO1DIGFo 8s7x4go0Zyr0wskzSCiq1OitSIIE4Lh9oShQmYyI/TxhaeA1CWUpwBTgtyq9g/er vklmOMK+axi4IPiqr6cpVOyTrMkNSdsvLSK54iBksqUY0i7WuuX9EcM9eZd4sO0S VdtV8sTG232mha2olsziN4Rge63bnHl67iW80SGGxqVOcZgT6jR3kxDtSSZypuub qEjAfq9SlVuLpgSX6gwPBeVcjWXODAxkKyX0Pzbbqu+zAS0MVw4nzYC0her83GIh D56huSQ3yAaPEmy0wM89G4xcxXN0BB3kZv5eh5+EKTNyzv5VN3ufrnX99PLHXx6C 69ZG6STRTCucnpYTsmrtCO/YZmE1+VeP2g0DuulxqybXMnzLZ6/BkYgr23fKsRKR KkvN+NX2YUI1g9EhAkHyWaTsvbX+FzCTA3u8p74guv77u6lrCG9W1tna9AtkuE4f C0oepU5xnMaD6CPrISTYmYru4HzG1LwUDi9846oI5Z5xhtx69czkWabk7Kgn3PFQ AD9HRfA1fPJrTFv3HlbyN1mS/6txc9EenMeCUpNAHloWfnx9V9Lw2L2MjOda6W0k iKot5Ab2GGYLCROOyFQ7PIwYZJ3QJyVjAlxdOUyWeGGxAwycXImX2RqQQXay0d4a mViBbmAJXKwWKn+S21/QkIbtixZx5GEF3EXrU28LFowr5+tXzgaBxt7+G22oFfwu DbiSjJdURF3emRm+m8WjAcvBfyxIa5fKs99Dqfvb+YaxHHei3qlxcYr8wU/OLstV U6PBftM6/S+vmOw+0/NTkzB4LfvpbyXnrK0WMQK5hVZe5KzSHJeAjdms6P1OATkh mzrO90IdbdSrbN+0z5MnAIR6lyIG3CjV8FWtMFiE/7TYeBUryu/nN9MJZU8eGEXg tEVH+1O68epPjE71f0b44voikBhk24uQCA3blVXAYcKh7G1klL3chpai0k36INsW FIvdiTurq8kA27D1nvp/nEm3GkQ= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D88BB1CBB91DD499

http://decoder.re/D88BB1CBB91DD499

Extracted

Path

C:\9py1j96m-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 9py1j96m. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F40AD04A4401D40A 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/F40AD04A4401D40A Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Qsr5Vx9Fw5q8/k+sz3WSchr7zetMEvIf6Ey03H7kZGjljG9xox2Pp/2eOZB+UK+i HA0Q+gC8sx8aYjczm4TWUjHtXywmJtXpHScV2wsT+LzwetEfv/rwTADNrB245MO8 lPBtIlKfACzUbCLpeRORThJ6fXQkbrf3PotFGYiw1gjF25SBlj98viMEQNo1+Es5 6fdoG/bM3Wa3Zq2dnqClHEkssS23tz/wdw2Q/5TX84uUWA51fkccI8sgxdydPail IXjQESbO8v93gYGhYQD9kBPQIguv3FgaoD8QPdO7cxEQ2ve4JRAbOD9oI6kec6hE XXUW1WlJtUlwMmRDQNddWOwdywbAndkKzWzPYyDdSFJ+m9Hi+4phFSV20AK+BR6w B9mSr9V6N6epC2+mTMcGr7/eD+J3VyX7n2a+CR2pz9rrxrscIb7c2o/RN3HgHcJp jIFSRygZQoSg2SRTokP48NpACK1ctT3E8YClmIF+aZvLqpoQwNDTPHxxAzkmMrN9 Z8qCfhkzxA4HHZN/kNy9DU7Pg6QLvvW61ThfSCyk8DLsfF58Hu3O+5QfMyMCL5GM CUAHvghaoRQ0/W6tB2ighhrutSQ0nwZee4i5bZzxiO9/fmG6EwrMUJcROuf74o1P 46EMbyg7DBvwdYYMQZ2Nx2syIRvvi4D8ng+Y5MNP9VweCS/U5G7BsBJvpoIMrXRF tRVjjaFjsKHWhuunPMBTFtJNtDNy5+DtmhJAOVJskq8E7ATAC+Hi58y4hAWBD9Ly OHoXUOUDp7bV/dfMg7eUd/Z0B9WC/vZ8To0mqYVZUj5++c96Rq7VLJ9MYkqXDnVc AJHaqogJrIiii3rpY6csj8v3FUJ3gmidrvrmFKl5BSeOX8V+j9sRgropEWmEefto 0U6XriLSzPikNsPfasOOpAUfyF4jlGre64FRLnsogT+BXwNQkKoZwUiUZvjzvchd 02qG6j+5l8Csh0/koF+IiiK+5WCx/rv9eEiNV1aTo0FzurFzK/HiNljFmmU8fJHQ 9cG2WiP/0wbaFONTfXViWtiA/KhZAeWSIeeRZNt3l99dV64XLzigdi8ecnHC88D/ HT6SC7wff2o5l//C/VGhFFzdlT/abGS/bJp47vsuPsNVP0yYsSFjS8gzzyJzNPCc VpFAjvZ7jkSla/MJkYfAD11QCPSH5K/nlhWrwydQL77cK8Iuj6bNXmlFomDSeUYn 90jxj7kt3oDG3IaMdVMfgkCrYPIZaAddBKR91kMZYZSYQPxK7gVjs6ChAGEaigc+ HNcP2btNUwOtwA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F40AD04A4401D40A

http://decoder.re/F40AD04A4401D40A

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion
  Modify Registry (1) T1112

Credential Access
  Credentials in Files (1) T1081

Discovery
  Query Registry (1) T1012
  Peripheral Device Discovery (1) T1120
  System Information Discovery (2) T1082

Collection
  Data from Local System (1) T1005

Impact
  Defacement (1) T1491
