General

  • Target

    a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762

  • Size

    160KB

  • Sample

    220124-bs993ahef5

  • MD5

    18f64d441c8dced086e35e5bd8000dfb

  • SHA1

    6b95d59eaa2e062467447dca4f9f1878f5ab6c10

  • SHA256

    a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762

  • SHA512

    e6992ae9e2b976b9b97924d0051539f60115219feec05a8c0640b94f754e313fc8d8139cdc9ff7b8026529d14e7b204a1fe3dbd6d12ce12ec1f416ba7da9316b

Malware Config

Extracted

Family

sodinokibi

Botnet

16

Campaign

288

C2

donau-guides.eu

tanatek.com

buffdaddyblog.com

jefersonalessandro.com

riffenmattgarage.ch

cymru.futbol

kvetymichalovce.sk

agrifarm.dk

silkeight.com

molinum.pt

babysitting-hk.helpergo.co

dogsunlimitedguide.com

turing.academy

bluemarinefoundation.com

comoserescritor.com

topautoinsurers.net

teamsegeln.ch

avtoboss163.ru:443

saboboxtel.uk

sambaglow.com

These hosts come from the domain list carried in the sample's configuration (the dmn field), which in this family runs to hundreds of entries and consists largely of compromised or otherwise legitimate websites. With net set to true the sample POSTs to them, so a hit is evidence that this build ran on the client, not that the site is attacker-owned infrastructure; the same hosts serve ordinary content to everyone else. One entry here carries an explicit port (avtoboss163.ru:443), so normalise host:port before matching.
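The check a SOC would actually run against this list, as an added example (not code from the sandbox report or from the malware): match proxy traffic against the domains above by exact hostname, normalising the host:port form the list uses, and then look for the beacon pattern rather than alerting on a single visit. The log lines are constructed, their field layout is an assumed generic proxy format, and the URL paths are made up.

```python
"""Match proxy traffic against the domain list printed above.

Added example, not part of the sandbox report or of the malware itself.
The log lines are constructed; their layout (timestamp, client IP, method,
URL, status) is an assumption about a generic proxy log, and the URL paths
are made up rather than copied from real beacons.
"""
from urllib.parse import urlsplit

# Entries copied from the report's C2 list (a subset); one carries a port.
DMN = [
    "donau-guides.eu",
    "tanatek.com",
    "avtoboss163.ru:443",
    "sambaglow.com",
]


def normalize_host(entry: str) -> str:
    """Reduce a list entry to a bare lower-case hostname.

    Entries may carry a scheme, a path or a ':port' (avtoboss163.ru:443),
    none of which will be present in a URL's hostname, so strip them.
    """
    host = entry.strip().lower()
    if "://" in host:
        host = urlsplit(host).hostname or ""
    return host.split("/")[0].split(":")[0]


WATCHLIST = {normalize_host(d) for d in DMN}

# Constructed proxy log: "<ts> <client_ip> <method> <url> <status>"
LOG = """\
2022-01-24T10:01:03Z 10.0.5.17 GET https://www.example.org/index.html 200
2022-01-24T10:01:09Z 10.0.5.17 POST https://avtoboss163.ru/wp-content/uploads/data.jpg 200
2022-01-24T10:01:12Z 10.0.5.17 POST http://sambaglow.com/static/include/news.png 404
2022-01-24T10:01:15Z 10.0.5.23 GET https://tanatek.com.example.net/ 200
2022-01-24T10:01:20Z 10.0.5.17 POST http://donau-guides.eu:8080/admin/tmp/image.gif 200
"""


def match_line(line: str):
    """Return a hit dict if the request's exact hostname is on the watchlist."""
    ts, client, method, url, status = line.split()
    host = (urlsplit(url).hostname or "").lower()
    if host in WATCHLIST:  # exact match: tanatek.com.example.net is not tanatek.com
        return {"ts": ts, "client": client, "method": method, "host": host, "url": url}
    return None


def scan(log_text: str):
    """All watchlist hits in a log, in file order."""
    return [h for h in (match_line(l) for l in log_text.splitlines() if l.strip()) if h]


def beaconing_clients(hits, min_hosts: int = 2):
    """Clients that POSTed to at least min_hosts distinct listed domains.

    A single request to one listed site may just be a user visiting a
    compromised but otherwise legitimate page; the same client POSTing to
    several unrelated listed domains is the beacon pattern worth paging on.
    """
    per_client = {}
    for h in hits:
        if h["method"] == "POST":
            per_client.setdefault(h["client"], set()).add(h["host"])
    return sorted(c for c, hosts in per_client.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    for hit in scan(LOG):
        print(hit)
    print("beaconing:", beaconing_clients(scan(LOG)))
```

Only 10.0.5.17 is reported: it POSTed to three unrelated listed domains within seconds, while 10.0.5.23's GET to a lookalike subdomain is not a match at all, which is the point of comparing whole hostnames rather than substrings.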

Attributes
  • net

    true (outbound beaconing to the domain list above is enabled)

  • pid

    16 (affiliate identifier; surfaced as "Botnet" above)

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    288 (campaign identifier under that affiliate; surfaced as "Campaign" above)

Extracted

Path

C:\cboygp-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion cboygp. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/22009BB6831DADE4 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/22009BB6831DADE4 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: NHuHLZS5koUqhj0Gm79NBboymHIuUQmhpVtyBCZFEGj4r1Df2+BpP31an8lkZJbD uneNZXx66KfMGYzCY5GvVIWq3tIZ+tPmOEqWunMM7aK7BQrUa2vhDol39c1mBy/+ zfltGO/5+Pj0LIJh1AwdY2CBmcPPZla+CFlxp1Qndb8bmVnlt9KyHOJ9jg3ToIjr 97lb7sqY9ttXfq4wFpceAtrfJrCoHbCa8oYZjhQ9QEI4FpR4G2nK58RD+FxPnzPN z2xdBBFPJ5sGOxoNYO3FTP9xsoKE5g2yqXJsEN0PRSuGzDWnX8Zm2rvl59WxlJB5 yxy7h5iteLjZ6JrABjVm+NmxLqCjifc6WS3lUQUOQ1hjAvm8cbZ8+pe2GYIQ5gFl ipowFEYfUf/TFKUF5F0Lkp0BFCqiSSWknPwNHTDMs+DZMRmikPuivt9/vBXh4u1r iefntbKfoc/zJ5gUSaBD2R0VeMqFlztS7JbznvbYA1oLU52u/W/mpWkJCWCteYlL eKxlpiaTeitHI38oD0mMLLRePOcRRef/4FNcznZ8DUw50XjX9WoUwyPo4KFsLiq+ zKmSacp8VC4a9plbAZWAC7MxnBraIzCbwEXrwgGtVRE7vI9c4z8ME5+Y1F4Ihe/U tw34vRFLeJsSPgGSfJ4YVnBfht+UPYuLnawqukRzQT3bZSiICGInwQriQ4/5zCLh QBvNaG5XltFUGzNvhGpnPER58kp3crFCsu2V0ImbsCxjUZ5/xr6DpURRhzsl0ZCs npLwr3XnyW2eF5HKrbnqDRzPkMstcayxVWvi4Ox+cV9epyoM/Pr/pAiOwa9OLB+o Cgk93CJGaKBReaL7eYxkDxy2FGJHj7sno6O80OLioD/Tk1PWWi/r+YAnUI8T/mIp FNOKE+dgE6A2v1B6hxFgoCs4HcqkWDapzIm6FxjtAcVzb87nEBD8lVSsNOrzWvYH icgTTTGQeLjFod3IFiv0poZkWrSWzPVXdhpgzQikKvKDi6MTwr0o0Uxr6lCuPoxN tJhvftxvAcN7pFYAJWEhm8/vBBWgJ0/JyHTBxT09UTKhUdI1G1TqxjpdJ0gVeDmL U8W+uLtPXcyB6vyXTmKilDDCgBOB8dOJNq4wds9H6ICdd75apbL7lpLftr0ySP// z0A= Extension name: cboygp ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/22009BB6831DADE4

http://decryptor.top/22009BB6831DADE4

Extracted

Path

C:\h7m61uei4-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion h7m61uei4. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B603EAC04D3DEE53 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/B603EAC04D3DEE53 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: eznbtPnyRP7lSo+sE823AMDN8w+y/Gq7mvHVWwsM8HXsc4uec0akxeXHkRrZCyn8 tFBU3IX2fBTO0UpqX8Uc68KNfoPKUTzV29n70WJjtLxB/mqWAOx7JlyKAUZWJJfX 6s/F2vaoOxp9dnoWG0q8kgFfFnIEMDxOMDT0El0Lif+wfMWZnHBnxhY30T+hwyc9 F0Hd360f/jTWBN3B++j+BC1ub8JO8zCkKHiUKXQ5R3YQYycrO+wHIpROJSHs+BFs T2D17jg1GPakMEsizSDIC3OTXtGUHkZATvI4N1kWX0ABVp1fSnJDuTpLn77s02vQ VVqvoc+vCps2K8pmJnLINrqKyq9yZ535CL2dWZ5Nl0cCvUhMOg/9+cDIMRD8fm/U HH+np0/Q0nYFrM3bgE4eTlWWW4LKqk13dCNZLBATM675Gj1PxMzEBUwi7gflwI0X Jodk8JeKywDC+xcIro3c7yN/O69KkY7Yl8ihjMNNsiJEw29yMcdCpgqGRw5DuzOw PJIJmHK8cZp+/SmQEGGbnTcNBu3uncSsfRNNmX+oZ5+vY0Ic1C7q4JZbrSfA+5Ig Q0J/oMp9tgxur+h5HJfJ89wEnLhbwXBEIlFxuBbH69Js2WjQ4pSibnOcyw7lWgho +DpQqVBXBhZ6KF2oxO/tiW/wMuYyc9azD0AxkwFu+1Um6Sba0A423LFzWn9u1Fse yMyfBa98zS253/6nEPR626cf4Bb9GBuv782GwJV+6ebnp1m1YIVyflifPtDRzPDg 7n9poZl+Ae3iTHBb3QOlO0THE39HLevGpdYmvK5gnaFkf4dqAO4ARKlyh3X9w1za ND7lzvywoIhli6G8WgTaeoHWvrbJPinvZHxVxmQHnwj1GakMI9H2wRXQEA7po5bK wbS2kMre/whMvdWxsGrfEvHv1q10v+phpLbCsP2vMovXOjdS2KSjAFnscpABNIdi f3JmlKppZYvxpi9pN59MHWmXsIapwUmeMTtn6qReYBzu/NJURrCPHdgkzjWoYu/t ll/kl0pQvTUzQtTqC8AIWwpyl5yBBecRu8HaggHkQ7ZtBHZh/efiaY1TkjlvIskC CDvZuy6X9twjhqeqS9PsukVyvgnn9TSVSOJ7HP7EaH/fL47aizMDaJ7HaxWyKiz+ Extension name: h7m61uei4 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B603EAC04D3DEE53

http://decryptor.top/B603EAC04D3DEE53
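The ransom_template above and the two extracted notes (C:\cboygp-readme.txt and C:\h7m61uei4-readme.txt) share one layout: a <ext>-readme.txt file naming the extension, the .onion and decryptor.top URLs ending in the victim id, and a Key / Extension name block. The parser below, an added example that is not code from the sandbox report or the malware, pulls those indicators out of a note found on a host and cross-checks the file name against the extension inside it. The note it runs on is constructed from the template with the cboygp extension and the 22009BB6831DADE4 victim id from the first extracted note and a short made-up key.

```python
"""Extract per-victim indicators from a Sodinokibi/REvil ransom note.

Added example, not code from the sandbox report or the malware. It follows
the note template printed above: a '<ext>-readme.txt' file that names the
extension, the .onion and decryptor.top URLs ending in the victim id, and a
'Key: ... Extension name: ...' block. The note below is constructed from
that template with the extension and victim id seen in the first extracted
note and a short made-up key (real keys are over a kilobyte of base64).
"""
import base64
import re
from dataclasses import dataclass, field


@dataclass
class NoteIndicators:
    ext: str
    uid: str
    key_b64: str
    urls: list = field(default_factory=list)


SAMPLE_NOTE = """---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion cboygp.
[+] How to get access on website? [+]
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/22009BB6831DADE4
b) Open our secondary website: http://decryptor.top/22009BB6831DADE4
When you open our website, put the following data in the input form:
Key: QUJDREVGR0hJSktMTU5P
UFFSU1RVVldYWVo=
Extension name: cboygp
-----------------------------------------------------------------------------------------
!!! DANGER !!!
"""

# Only URLs whose path is the 16-hex victim id; the torproject.org link is ignored.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?/([0-9A-F]{16})\b")
KEY_RE = re.compile(r"Key:\s*(.+?)\s*Extension name:\s*([A-Za-z0-9]+)", re.S)
README_RE = re.compile(r"^([a-z0-9]+)-readme\.txt$", re.I)


def parse_note(text: str) -> NoteIndicators:
    """Pull extension, victim id, key blob and payment URLs out of a note body."""
    urls = [m.group(0) for m in URL_RE.finditer(text)]
    uids = {m.group(1) for m in URL_RE.finditer(text)}
    if len(uids) != 1:
        raise ValueError(f"expected one victim id across the URLs, got {sorted(uids)}")
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no 'Key: ... Extension name: ...' block found")
    # the key is wrapped over several lines (or spaces, once flattened); re-join it
    key_b64 = re.sub(r"\s+", "", m.group(1))
    base64.b64decode(key_b64, validate=True)  # sanity check: reject non-base64 junk
    return NoteIndicators(ext=m.group(2).lower(), uid=uids.pop(), key_b64=key_b64, urls=urls)


def readme_name_to_ext(path: str):
    """'C:\\cboygp-readme.txt' -> 'cboygp'; None for anything not matching the pattern."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = README_RE.match(name)
    return m.group(1).lower() if m else None


def check_note_file(path: str, text: str) -> NoteIndicators:
    """Parse the note and confirm the file name agrees with the extension inside it."""
    ind = parse_note(text)
    name_ext = readme_name_to_ext(path)
    if name_ext != ind.ext:
        raise ValueError(f"file name extension {name_ext!r} != note extension {ind.ext!r}")
    return ind


if __name__ == "__main__":
    print(check_note_file(r"C:\cboygp-readme.txt", SAMPLE_NOTE))
```

The extension recovered here is what to glob for (*.cboygp) when scoping which files were touched, and the victim id is what ties several notes on different hosts to the same infection; a note whose two URLs disagree on the id, or whose file name does not match its own Extension name line, is worth a second look before anything is fed into a report.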

Targets

    • Target

      a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762

    • Size

      160KB

    • MD5

      18f64d441c8dced086e35e5bd8000dfb

    • SHA1

      6b95d59eaa2e062467447dca4f9f1878f5ab6c10

    • SHA256

      a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762

    • SHA512

      e6992ae9e2b976b9b97924d0051539f60115219feec05a8c0640b94f754e313fc8d8139cdc9ff7b8026529d14e7b204a1fe3dbd6d12ce12ec1f416ba7da9316b

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
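The signatures above name behaviours, not the telemetry that reveals them. As an added example (not part of the sandbox report), the rules below turn four of them into checks over endpoint events: shadow copy deletion via a child process, the wallpaper registry write, a burst of renames that append one extension, and creation of a <ext>-readme.txt that names the same extension. The events are constructed EDR-style records, and the concrete mechanisms the rules look for (vssadmin/wmic command lines, the Wallpaper value under HKCU Control Panel/Desktop) are common ways those behaviours appear, not details this report gives for the sample; drive enumeration is left out because it needs telemetry these records do not carry.

```python
"""Turn behavioural sandbox signatures into checks over endpoint telemetry.

Added example; not part of the sandbox report. EVENTS is constructed, and
the command lines and registry path the rules match are the usual ways
these behaviours surface, not facts taken from this report.
"""
import re
from collections import Counter, defaultdict

# Constructed EDR-style events for one infection (pid 4120) plus one benign rename.
EVENTS = [
    {"t": 1, "type": "process", "pid": 4120, "image": r"C:\Users\u\AppData\Local\Temp\sample.exe",
     "cmdline": r"C:\Users\u\AppData\Local\Temp\sample.exe"},
    {"t": 2, "type": "process", "pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"t": 3, "type": "registry", "pid": 4120, "key": r"HKCU\Control Panel\Desktop\Wallpaper",
     "value": r"C:\Users\u\AppData\Local\Temp\cboygp.bmp"},
    {"t": 4, "type": "rename", "pid": 4120, "old": r"C:\Users\u\Documents\q1.xlsx",
     "new": r"C:\Users\u\Documents\q1.xlsx.cboygp"},
    {"t": 4, "type": "rename", "pid": 4120, "old": r"C:\Users\u\Documents\plan.docx",
     "new": r"C:\Users\u\Documents\plan.docx.cboygp"},
    {"t": 5, "type": "rename", "pid": 4120, "old": r"C:\Users\u\Pictures\me.jpg",
     "new": r"C:\Users\u\Pictures\me.jpg.cboygp"},
    {"t": 6, "type": "file_create", "pid": 4120, "path": r"C:\Users\u\Documents\cboygp-readme.txt"},
    {"t": 7, "type": "rename", "pid": 900, "old": r"C:\Temp\a.tmp", "new": r"C:\Temp\a.log"},
]

SHADOW_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|vssadmin(?:\.exe)?\s+resize\s+shadowstorage"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*\bdelete\b",
    re.I,
)
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
README_RE = re.compile(r"^([a-z0-9]+)-readme\.txt$", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def detect(events, rename_threshold: int = 3):
    """Evaluate the rules over a list of events and return findings keyed by rule."""
    findings = {"shadow_copy_deletion": set(), "wallpaper_set": set(),
                "mass_rename": {}, "ransom_note": {}}
    appended = defaultdict(Counter)  # pid -> Counter of appended extensions
    for e in events:
        if e["type"] == "process" and SHADOW_RE.search(e["cmdline"]):
            # attribute the deletion to the spawning process when the parent is known
            findings["shadow_copy_deletion"].add(e.get("ppid", e["pid"]))
        elif e["type"] == "registry" and WALLPAPER_RE.search(e["key"]):
            findings["wallpaper_set"].add(e["pid"])
        elif e["type"] == "rename" and e["new"].startswith(e["old"] + "."):
            # only renames that keep the old name and append ".<ext>" count
            appended[e["pid"]][e["new"][len(e["old"]) + 1:]] += 1
        elif e["type"] == "file_create":
            m = README_RE.match(basename(e["path"]))
            if m:
                findings["ransom_note"][e["pid"]] = m.group(1).lower()
    for pid, counts in appended.items():
        ext, n = counts.most_common(1)[0]
        if n >= rename_threshold:
            findings["mass_rename"][pid] = ext.lower()
    return findings


def matched_signatures(findings):
    """Map findings back to the signature names used in the report."""
    sigs = set()
    if findings["shadow_copy_deletion"]:
        sigs.add("Deletes shadow copies")
    if findings["wallpaper_set"]:
        sigs.add("Sets desktop wallpaper using registry")
    if findings["mass_rename"]:
        sigs.add("Modifies extensions of user files")
    # the note name and the appended extension agreeing for one process is the
    # strongest single link between the two artefacts
    for pid, ext in findings["mass_rename"].items():
        if findings["ransom_note"].get(pid) == ext:
            sigs.add("Ransom note matches encrypted-file extension")
    return sorted(sigs)


if __name__ == "__main__":
    f = detect(EVENTS)
    print(f)
    print(matched_signatures(f))
```

The rename rule deliberately ignores renames that change the name rather than append to it, so ordinary temp-file churn from pid 900 scores nothing, and it reports the extension it saw, which is exactly what the ransom-note rule needs to confirm the two artefacts belong to the same process.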

MITRE ATT&CK Enterprise v6

Tasks