sodinokibi | d4e89180e559721e6bcd9c03549d540282c3774bdd6ae61a61d57a23c10fc299

General

Target

d4e89180e559721e6bcd9c03549d540282c3774bdd6ae61a61d57a23c10fc299
Size

157KB
MD5

cb10b8ae80227663ab17ab7b206c3057
SHA1

3eb865331bf14ce7c22cd7464928432285820824
SHA256

d4e89180e559721e6bcd9c03549d540282c3774bdd6ae61a61d57a23c10fc299
SHA512

72c2ebce70ea3b6c76b4ce84171ce28bdd322f9caae94eba7ac491e134fb67c953738dda4a52efe869874b731a28d711887a6957ff24d2376c0c505b300a4b89
SSDEEP

3072:F6woOP9LDdLbi4eTMlwDCnukYw2oFxDcoo:UwnLFbnWJI2o/e

Score

10^/10

9 5 sodinokibi

Malware Config

Extracted

Family

sodinokibi

Botnet

9

Campaign

5

C2

dnqa.co.uk

juergenblaetz.de

stabilisateur.fr

dentalcircle.com

jonnyhooley.com

creohn.de

www.factorywizuk.com

rubyaudiology.com

biodentify.ai

b3b.ch

unislaw-narty.pl

patassociation.com

aciscomputers.com

rename.kz

marmarabasin.com

christianscholz.de

www.mrmac.com

annida.it

baumfinancialservices.com

devplus.be

Attributes

net
true
pid
9
prc
mysql.exe
ransom_oneliner
Your computer have been infected!
ransom_template
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}
sub
5

Signatures

Sodinokibi family
sodinokibi
Sodinokibi/Revil sample 1 IoCs

Processes:

resource yara_rule

sample family_sodinokobi

resource	yara_rule
sample	family_sodinokobi

Files

d4e89180e559721e6bcd9c03549d540282c3774bdd6ae61a61d57a23c10fc299
.exe windows x86

Code Sign

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 62KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bja
Size: 50KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Code Sign

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 38KB - Virtual size: 38KB

.rdata Size: 62KB - Virtual size: 61KB

.data Size: 4KB - Virtual size: 4KB

.bja Size: 50KB - Virtual size: 50KB

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 38KB - Virtual size: 38KB

.rdata
Size: 62KB - Virtual size: 61KB

.data
Size: 4KB - Virtual size: 4KB

.bja
Size: 50KB - Virtual size: 50KB

.reloc
Size: 1KB - Virtual size: 1KB