General

  • Target

    REvil_Kaseya.zip

  • Size

    993KB

  • Sample

    210805-ke2yhnk6rs

  • MD5

    aa01e574bd2f58356772dde5bdd29a63

  • SHA1

    dad24567e3bcc418f1b1934f47fe049b88c5253a

  • SHA256

    fc70a3f17ca6d94e2bf5d73ecbdc6be9ed923e27dcd3c68bc3d1a874160b8cfc

  • SHA512

    4d67c5064f4fc805bb8c82fd9b6d5edd3e695fea706e1e2fc7f096e78b8cb06c0268c04edcf8af97756956951fc3b341f30814ab3a3e66b3e369bdc7f773b508

Malware Config

Extracted

Path

C:\v6abu3kll-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension v6abu3kll. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2523CBC1B2656EAB 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/2523CBC1B2656EAB Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: W2pifTrY3l5a9BtFV27EyqdXyTQ6e+hpWn83YZb1BngPfg4GS3XueNZ6Y6FFzfTz b663Fcl6nGUBlJne6CpZ7QC4uJSxCE7vx2Up3p84rFVrBXeE97QE3sYpFm6/7SBn 3sGSi0+Jo0gp/GmTNJidtMHblm9S51S/s0LnpIMEGmC/f/DLo5qzVesYSr3nlYk1 hT6tC1QaKAtJoGr8miUop+SOHye4R/xfGzT9E96Q9cRnZnkAUEKmBmnovUbBmA2z 4XxJuyoTdiHnHRi2hLesiLJsZKoRo2weeVtlCkhpBzd5gr+MRTmxY4iQHB6k9hqp MR6BY2YAHKSMSAguLlCUHAkkBgUH6KLYYp7C1oUwnLf+mdN38fDFH2829JRi6BhT QvQa0ntsa9okY+KV7CsIwPwZgHxGK3T1qpbnvag9jvnD4hLwjDo/jYKAfLE6mgti EoUPyJ2zsQNddaNvLrqmAK/6Cp8U9DUuM60g3tdwrhSO0pHu+qXj5HxUbaVne0Ro AMqm/v4vW/DIDqrEWGj397mribfXVuYBbf9c+vwIgtMjjDC9+ynjJUoZQI4djsuX QPKu36dI6PWPha3immzAcwhh50CUVSvdZNSkUZxLYbAdohzSni6JMOACeZSbnTFx MeVt7jaqF+Bocsa8cPSpO1oxo4Cm2aeqIBMrn8OWxmbWIFMpaHjWuiLBmjmw9b1y woaSB+hIOThV7XMCZc0J2b+Cxm0SmWc0LUZkPPmKVLgfuC52r8mQFNVttyO2VWj6 uk3eH9eDvtdmmZq3Az291S1Ya7pT9fj5OAy++VF9ireXFzbYJuIIB861N6t9Hfhm llQBVH1sFR+uZgtk64N7ZLx7KyKTVWKhTB5EWydywW3DzvSeEbct9pJdDCj66MtQ 0UZkoYUt8jOHVasqSfD5+I0pT3C0ckq/8ZDVaElcphQz+yl49z6C+VV0DE/WQaFo fz3ND9c/mrOLoiVIJZFbOd8J3bCjfzqnm1H+FyLgt8sg3NXMVrb3h3rieWw8qb1S iLpHYGhHTBhSfoYc9e7CLCn5DIC4p1daGsGJ6/aGi5/R5NqSMJ6dfv0K4wZwvGaR g03i92Gxi1TXR82gXOOFGx7GxXz4Vr5rmozJdOcPB1sB5Os9oivrKv8j/TnyJ6bt FMSiqbMfWo0bjQE849cRQ5act2eTEu9ypUmeisz9g0mIbLMFlFtbIo+CmY50+w7h IhMy+x3Td+CO0qjofcIR9/D7bnSaYls1DtNueRjnUP4xX3RTxURmfH/MaErycqzC NN0lMozHyPoDcinH ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2523CBC1B2656EAB

http://decoder.re/2523CBC1B2656EAB

Extracted

Path

C:\0ro0393c3b-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 0ro0393c3b. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/05D50655E3483A83 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/05D50655E3483A83 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: XQISoevylpFUi+DlSO5EWkb53W2eqrDF7SKWjnFwgJsmMw30FVthoAXkK9vsuTgR 0TUJ6a2SUs6dQ+WybX1iWkbvHAbQC/yalltrNFCJvaIWawlIX2aoYhLTxysK/VmH uR1NGfGyczFbLhEu2jGlUtms956neweS6UDniseZUPLdmWFkatwgcdl+bdRqyUIm vtrAW0U1w6DG9mkvJA00AgB367o9qBE+jXZC7dcfp6z7gRArYdLDEkWHcZ+Oelct FWjlDJkwSYpd9Tl2ZaGiFb1dlC/sg/IJCpy3NbkfyNVErHvrb/7ZmiOig6MtuYFy BtuOS4v14aphDa/g8SPHtO2B54a+UJu5VuVV3UtTQndY+oMtc6D3ZwEWbnMAdKOs FYdGNY0EnjY/eY9XWCMLWHrmeOHdZz0B4yrCrdokVBXATBDdHDClWxs+RUpTsNOh sdXaW5OiXXvf19cYx57bY9Wbb4jC3va5DAGoEqM+RvbsJKMRTYr/fwJDJkBHmkfq re7kVqq+hdl44JP+ALrkso/44AeudrXT9mkhKB9ujTdsm7Jvymm+G+aQXGuMZeeg NwUNoXOHbHb5D+lp3axbAYcebNoJLMUNajACyBE3SCUgMViOoTVc8KA+Vr3v3JSU Wdat7qsMyTkLyDju5nA4C9xjBqZDobsQ8dv9cCXBEIKU9fVETTh5OG6y5sLaTVMI 1DDQstGMcRDT8agWCNPmKt3CO2kWYTLISXYtsKM4jvgJ8iqsv3USJ6Y1GtkBARst 5MWl6/ouPhqjtGZVSkb+sXmGFfmezkFdKFztet9TjgDF5KZ3ghqDxEhRU66mCC0S qFEYSoZwAPvsh7FVDAIAB30FhL2wT6vha7IZj66OPeoBCfYtN1U33ZJ6Dtcg85pR wb894oBiLLpS/kOJKibEimOpFNZProR4p3E4EkWbKZQ2Wi32ljmIdvIKdmv5M7MS H4JlRpdcBDgizWEtCLFCsErPCX8Qng3VNSfRhv++Cg83YHtejIokBWZiPb/SF5Po 0CGxZ1luzYH9D+eJP18+eW9GnCfWyMMY7zeiIseKm4p7SpOam01+eHaqmIH2tj1r rL/TTATAV3fGoDJfN+gEfjPfgDjs8A0IMZcGL+4Akvl6PdvFVSDRfKFSAFNry8jv v/znOtJJszArv6YLfOxBXuYqPPZD5ELGsuTjt1JyGQoeDQQuNJpart/MMZiAKrFC xSAbsk/fe9mZ0BfvMB9I7jcTVDHTrioyA5W88g/TeQUwwuCm0EIFlCkrK2pnznc1 I8J3Uiaaqy+NP6OP8Qw= ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/05D50655E3483A83

http://decoder.re/05D50655E3483A83
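
The two notes above differ only in the three per-victim fields ({EXT}, {UID}, {KEY}), so they can be parsed mechanically. The script below is an added example for this report, not the sandbox's extractor and not code from the malware authors. It assumes only the layout shown in the ransom_template further down: the extension follows "has extension", the victim id is the path of both the .onion and the decoder.re URL, and the key blob sits between "Key:" and the dashed rule. The sample note is constructed from the page's first note (middle text elided, key blob cut to its first two lines), and every function and field name is this example's own.

```python
"""Pull the per-victim indicators out of a Sodinokibi/REvil readme note.

Added example for this report; not the sandbox's extractor and not code
from the malware authors. Assumes the ransom_template layout shown on the
page. Function and field names are this example's own.
"""
import base64
import re

EXT_RE = re.compile(r"has extension ([0-9a-z]+)\.")
ONION_RE = re.compile(r"https?://([a-z2-7]{56})\.onion/([0-9A-F]{16})")
CLEARNET_RE = re.compile(r"https?://decoder\.re/([0-9A-F]{16})")
KEY_RE = re.compile(r"Key:\s*(.*?)\s*-{20,}", re.S)

# Constructed sample: the page's first note (ext v6abu3kll, uid
# 2523CBC1B2656EAB) with the middle text elided and the key blob cut to
# its first two 64-character lines. A real note carries ~20 such lines.
SAMPLE_NOTE_PATH = r"C:\v6abu3kll-readme.txt"
SAMPLE_NOTE = (
    "---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are "
    "encrypted, and currently unavailable. You can check it: all files on "
    "your system has extension v6abu3kll. By the way, everything is "
    "possible to recover (restore), but you need to follow our instructions. "
    "[...] b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6"
    "wketf56nf6aq2nmyoyd.onion/2523CBC1B2656EAB 2) If TOR blocked in your "
    "country, try to use VPN! [...] b) Open our secondary website: "
    "http://decoder.re/2523CBC1B2656EAB Warning: secondary website can be "
    "blocked [...] When you open our website, put the following data in the "
    "input form: Key: "
    "W2pifTrY3l5a9BtFV27EyqdXyTQ6e+hpWn83YZb1BngPfg4GS3XueNZ6Y6FFzfTz\n"
    "b663Fcl6nGUBlJne6CpZ7QC4uJSxCE7vx2Up3p84rFVrBXeE97QE3sYpFm6/7SBn\n"
    "------------------------------------------------------------ "
    "!!! DANGER !!! DON'T try to change files by yourself [...]"
)


def parse_note(text, note_path=None):
    """Return the note's indicators and a list of consistency problems."""
    ext = EXT_RE.search(text)
    onion = ONION_RE.search(text)
    clear = CLEARNET_RE.search(text)
    key = KEY_RE.search(text)
    if not (ext and onion and key):
        raise ValueError("text does not match the Sodinokibi note layout")

    problems = []
    uid = onion.group(2)
    # Both portals carry the same victim id; a mismatch means a tampered
    # or spliced note.
    if clear and clear.group(1) != uid:
        problems.append("decoder.re uid differs from .onion uid")

    # {KEY} is base64 wrapped to 64 columns; the line breaks are not data.
    key_b64 = re.sub(r"\s+", "", key.group(1))
    try:
        key_len = len(base64.b64decode(key_b64, validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        key_len = 0
        problems.append("key blob is not valid base64")

    # The note is dropped as {EXT}-readme.txt (see ransom_oneliner); a
    # different filename means it was renamed or belongs to another run.
    if note_path is not None:
        name = note_path.replace("\\", "/").rsplit("/", 1)[-1]
        if name != f"{ext.group(1)}-readme.txt":
            problems.append(f"note filename {name!r} does not match extension")

    return {
        "ext": ext.group(1),
        "uid": uid,
        "onion_host": onion.group(1) + ".onion",
        "urls": [onion.group(0)] + ([clear.group(0)] if clear else []),
        "key_b64": key_b64,
        "key_len": key_len,
        "problems": problems,
    }


if __name__ == "__main__":
    for k, v in parse_note(SAMPLE_NOTE, SAMPLE_NOTE_PATH).items():
        print(f"{k}: {v}")
```

Run it over every `*-readme.txt` found on an affected host: notes with different {UID} values indicate separate infections (or separate hosts encrypted by separate runs), and the {KEY} blob is the encrypted per-victim key material the portal asks for, so preserve it byte-for-byte rather than retyping it.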

Extracted

Family

sodinokibi

Botnet

$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

Campaign

8254

C2

boisehosting.net

fotoideaymedia.es

dubnew.com

stallbyggen.se

koken-voor-baby.nl

juneauopioidworkgroup.org

vancouver-print.ca

zewatchers.com

bouquet-de-roses.com

seevilla-dr-sturm.at

olejack.ru

i-trust.dk

wasmachtmeinfonds.at

appsformacpc.com

friendsandbrgrs.com

thenewrejuveme.com

xn--singlebrsen-vergleich-nec.com

sabel-bf.com

seminoc.com

ceres.org.au

Attributes
  • net

    false

    net=false: this build does not send the post-encryption report to the domain list shown under C2 above, so those domains are unlikely to see traffic from this sample.

  • pid

    $2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

    pid is the affiliate identifier carried in the config (the same value the sandbox reports as Botnet above). It is formatted like a bcrypt hash; treat it as an opaque ID useful for clustering samples by affiliate, not as a credential to crack.

  • prc

    Process names terminated before encryption so that database, mail and Office files are not held open. Entries such as sql and oracle are name fragments rather than full image names.

    encsvc

    powerpnt

    ocssd

    steam

    isqlplussvc

    outlook

    sql

    ocomm

    agntsvc

    mspub

    onenote

    winword

    thebat

    excel

    mydesktopqos

    ocautoupds

    thunderbird

    synctime

    infopath

    mydesktopservice

    firefox

    oracle

    sqbcoreservice

    dbeng50

    tbirdconfig

    msaccess

    visio

    dbsnmp

    wordpad

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    8254

    sub is the campaign number for this affiliate (reported as Campaign above).

  • svc

    Service names stopped before encryption: backup agents (veeam, backup), Volume Shadow Copy (vss), SQL and endpoint protection (sophos). As with prc, the entries are fragments matched against the service name.

    veeam

    memtas

    sql

    backup

    vss

    sophos

    svc$

    mepocs
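
The prc and svc lists are the most useful detection material in this config: a single stopped SQL service or a closed Outlook is routine, but the sample stops and kills many of these names within seconds, immediately before encryption. The script below is an added example for this report, not part of the sandbox output. The PRC and SVC sets are copied from the prc and svc attributes above; the log format, the 120 s window, the threshold of five distinct names and the case-insensitive substring matching are this example's own choices, and the log lines are constructed, not a real capture.

```python
"""Spot the service-stop / process-kill burst before Sodinokibi encryption.

Added example for this report, not part of the sandbox output. PRC and SVC
come from the page's prc/svc attributes; log format, window, threshold and
substring matching are this example's own choices.
"""
from datetime import datetime, timedelta

PRC = {
    "encsvc", "powerpnt", "ocssd", "steam", "isqlplussvc", "outlook", "sql",
    "ocomm", "agntsvc", "mspub", "onenote", "winword", "thebat", "excel",
    "mydesktopqos", "ocautoupds", "thunderbird", "synctime", "infopath",
    "mydesktopservice", "firefox", "oracle", "sqbcoreservice", "dbeng50",
    "tbirdconfig", "msaccess", "visio", "dbsnmp", "wordpad", "xfssvccon",
}
SVC = {"veeam", "memtas", "sql", "backup", "vss", "sophos", "svc$", "mepocs"}

# Constructed sample, not a real capture. One event per line:
#   <ISO time> <channel> <EventID> <name>
# System 7036 = "The <name> service entered the stopped state"
# Sysmon 5    = ProcessTerminated, image name without .exe
SAMPLE_LOG = """\
2021-07-02T14:02:11 System 7036 Spooler
2021-07-02T14:31:05 System 7036 VeeamBackupSvc
2021-07-02T14:31:05 System 7036 VeeamDeploySvc
2021-07-02T14:31:06 System 7036 VSS
2021-07-02T14:31:06 System 7036 MSSQLSERVER
2021-07-02T14:31:06 System 7036 Sophos MCS Agent
2021-07-02T14:31:07 Sysmon 5 outlook
2021-07-02T14:31:07 Sysmon 5 excel
2021-07-02T14:31:07 Sysmon 5 sqlservr
2021-07-02T14:31:08 Sysmon 5 winword
2021-07-02T15:10:00 Sysmon 5 firefox
"""


def parse_log(text):
    """Return (time, kind, name) for service-stop and process-exit events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, channel, event_id, name = line.split(maxsplit=3)
        if channel == "System" and event_id == "7036":
            kind = "svc"
        elif channel == "Sysmon" and event_id == "5":
            kind = "prc"
        else:
            continue
        events.append((datetime.fromisoformat(ts), kind, name))
    return events


def config_hits(kind, name):
    """Config entries that occur (case-insensitively) inside the name."""
    entries = SVC if kind == "svc" else PRC
    low = name.lower()
    return sorted(e for e in entries if e in low)


def detect(events, window=timedelta(seconds=120), threshold=5):
    """Group config-matching events into bursts and alert on dense ones.

    The alert fires only when at least `threshold` distinct names are hit
    within `window` of the burst's first hit, which separates the
    ransomware's pre-encryption sweep from a user closing one application.
    """
    hits = sorted(
        (t, kind, name, config_hits(kind, name))
        for t, kind, name in events
        if config_hits(kind, name)
    )
    bursts, current = [], []
    for hit in hits:
        if current and hit[0] - current[0][0] > window:
            bursts.append(current)
            current = []
        current.append(hit)
    if current:
        bursts.append(current)

    alerts = []
    for burst in bursts:
        names = {(kind, name) for _, kind, name, _ in burst}
        if len(names) < threshold:
            continue
        alerts.append({
            "start": burst[0][0].isoformat(),
            "end": burst[-1][0].isoformat(),
            "services": sorted(n for _, k, n, _ in burst if k == "svc"),
            "processes": sorted(n for _, k, n, _ in burst if k == "prc"),
            "config_entries": sorted({e for *_, es in burst for e in es}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The lone firefox exit at 15:10 in the sample log is deliberately below the threshold: the prc names are everyday applications, so a rule on any single match would page constantly. Tune the threshold against your own baseline of 7036 events; on a host that legitimately restarts SQL and backup services together at maintenance time, restrict the rule to bursts that mix svc and prc hits.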

Targets

    • Target

      REvil_Kaseya/8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

    • Size

      789KB

    • MD5

      a47cf00aedf769d60d58bfe00c0b5421

    • SHA1

      656c4d285ea518d90c1b669b79af475db31e30b1

    • SHA256

      8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

    • SHA512

      4c2dcad3bd478fa70d086b7426d55976caa7ffc3d120c9c805cbb49eae910123c496bf2356066afcacba12ba05c963bbb8d95ed7f548479c90fec57aa16e4637

    Score
    10/10
    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      REvil_Kaseya/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

    • Size

      890KB

    • MD5

      561cffbaba71a6e8cc1cdceda990ead4

    • SHA1

      5162f14d75e96edb914d1756349d6e11583db0b0

    • SHA256

      d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

    • SHA512

      09149b9825db2c9e6d2ec6665abc64b0b7aaafaa47c921c5bf0062cd7bedd1fc64cf54646a098f45fc4b930f5fbecee586fe839950c9135f64ea722b00baa50e

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
