General

  • Target

    a28e23ad4033341694551d6f59737138de9f1997384da5ae9a1642cc8c9e237f

  • Size

    116KB

  • Sample

    220124-btjthaheg2

  • MD5

    2894ecbd12a791cbf7404febb43b5f4e

  • SHA1

    8ed5327cf869893d6099df145c49aec08c86faa6

  • SHA256

    a28e23ad4033341694551d6f59737138de9f1997384da5ae9a1642cc8c9e237f

  • SHA512

    8b7a9ab31b4ff2f37d772308db28717947624d172b5b23e9979623e3cf03fa109480f83aa9243fa9ecf7d2fb7a7cc4deb5899b5f462d0c911bee3dab3e4b6115

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$KuzfU0w2PCD7QO5MO0R7J.0hQv1r4Ic.mdhNdXr2g26IjGFJHNfcC

Campaign

3678

C2

micro-automation.de

jenniferandersonwriter.com

sterlingessay.com

lukeshepley.wordpress.com

zso-mannheim.de

saka.gr

micahkoleoso.de

rerekatu.com

werkkring.nl

em-gmbh.ch

raschlosser.de

visiativ-industry.fr

classycurtainsltd.co.uk

ogdenvision.com

mrxermon.de

precisionbevel.com

phantastyk.com

nvwoodwerks.com

arteservicefabbro.com

gopackapp.com

Attributes
  • net

    true

  • pid

    $2a$10$KuzfU0w2PCD7QO5MO0R7J.0hQv1r4Ic.mdhNdXr2g26IjGFJHNfcC

  • prc

    infopath

    mydesktopservice

    thunderbird

    ocomm

    msaccess

    ocautoupds

    tbirdconfig

    wordpad

    agntsvc

    xfssvccon

    oracle

    powerpnt

    excel

    sqbcoreservice

    isqlplussvc

    winword

    mydesktopqos

    ocssd

    onenote

    dbeng50

    encsvc

    dbsnmp

    outlook

    visio

    synctime

    sql

    thebat

    firefox

    steam

    mspub

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3678

  • svc

    backup

    vss

    memtas

    svc$

    sql

    veeam

    mepocs

    sophos
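The prc and svc lists above are the process and service names that Sodinokibi/REvil terminates and stops before it starts encrypting, so that open documents, mail clients and databases are not holding file locks and backup and security services are not running. A burst of stops and kills against exactly these names is one of the few host-side signals that fires before files start being renamed. The Python below is an added hunting example written for this page; it is not code from the sandbox report or from the malware. It assumes a constructed pipe-delimited event feed (timestamp|host|kind|name, where kind is service_stopped, as from System event 7036, or process_terminated, as from Sysmon event 5) and uses case-insensitive substring matching, which is an assumption about how the malware compares names, chosen because entries such as sql and backup are plainly meant to hit real names like MSSQLSERVER and VeeamBackupSvc.

```python
"""Hunt for the service-stop / process-kill burst that REvil performs before encryption,
using the svc and prc lists from this sample's config."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# svc / prc lists exactly as extracted above.
SVC_LIST = ["backup", "vss", "memtas", "svc$", "sql", "veeam", "mepocs", "sophos"]
PRC_LIST = [
    "infopath", "mydesktopservice", "thunderbird", "ocomm", "msaccess", "ocautoupds",
    "tbirdconfig", "wordpad", "agntsvc", "xfssvccon", "oracle", "powerpnt", "excel",
    "sqbcoreservice", "isqlplussvc", "winword", "mydesktopqos", "ocssd", "onenote",
    "dbeng50", "encsvc", "dbsnmp", "outlook", "visio", "synctime", "sql", "thebat",
    "firefox", "steam", "mspub",
]

# Constructed event feed (not real telemetry): "timestamp|host|kind|name", where kind is
# service_stopped (System event 7036) or process_terminated (Sysmon event 5).
SAMPLE_EVENTS = [
    "2022-01-24T10:00:01|WS-042|service_stopped|VSS",
    "2022-01-24T10:00:02|WS-042|service_stopped|VeeamBackupSvc",
    "2022-01-24T10:00:02|WS-042|service_stopped|MSSQLSERVER",
    "2022-01-24T10:00:03|WS-042|service_stopped|Sophos MCS Client",
    "2022-01-24T10:00:04|WS-042|process_terminated|outlook.exe",
    "2022-01-24T10:00:04|WS-042|process_terminated|excel.exe",
    "2022-01-24T10:00:05|WS-042|process_terminated|sqlservr.exe",
    "2022-01-24T09:00:00|WS-007|service_stopped|VSS",             # a lone VSS stop is routine
    "2022-01-24T10:30:00|WS-007|process_terminated|firefox.exe",  # a user closing a browser
    "2022-01-24T11:00:00|WS-007|service_stopped|Spooler",         # not on the list at all
]


def matches(name: str, needles: List[str]) -> List[str]:
    """Case-insensitive substring match, e.g. 'sql' hits MSSQLSERVER and sqlservr.exe.
    Substring matching is an assumption about the malware's comparison; for hunting it
    errs toward catching more."""
    lowered = name.lower()
    return [n for n in needles if n.lower() in lowered]


def parse_event(line: str):
    """Split one constructed feed line into (datetime, host, kind, name)."""
    ts, host, kind, name = line.split("|", 3)
    return datetime.fromisoformat(ts), host, kind, name


def burst_detections(lines: List[str], window_s: int = 60,
                     min_services: int = 3, min_processes: int = 3) -> List[Dict]:
    """Alert once per host when, inside one window, at least min_services distinct listed
    services are stopped or at least min_processes distinct listed processes are killed."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, kind, name = parse_event(line)
        needles = {"service_stopped": SVC_LIST, "process_terminated": PRC_LIST}.get(kind)
        if needles and matches(name, needles):
            by_host[host].append((ts, kind, name))

    alerts = []
    for host, events in by_host.items():
        events.sort()
        for start, _, _ in events:          # slide the window over each matching event
            end = start + timedelta(seconds=window_s)
            window = [e for e in events if start <= e[0] <= end]
            services = sorted({n for _, k, n in window if k == "service_stopped"})
            processes = sorted({n for _, k, n in window if k == "process_terminated"})
            if len(services) >= min_services or len(processes) >= min_processes:
                alerts.append({"host": host, "start": start.isoformat(),
                               "services": services, "processes": processes})
                break  # one alert per host is enough to start triage
    return alerts


if __name__ == "__main__":
    for alert in burst_detections(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are deliberately low because a legitimate maintenance window rarely stops a backup agent, a database and an endpoint agent within the same minute; tune them against your own baseline, and treat the service-stop half of the rule as the higher-fidelity one, since users close Office and mail clients all day but do not stop Veeam or Sophos.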

Extracted

Path

C:\ko665-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ko665. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/59B1DB071E79C2A5 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/59B1DB071E79C2A5 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: lzW7gggLq3LBFW12CMv4Dx88irgZstjWCBiJGxdgfH8v3p8Z4b7+du3Wq3XRXypu SHjclxENu7OqDgNfp+TkGa2bymeFVHP4vvwJvX5Mz/j88Rb/2/vKuXB5mPTCuqOd dlyO9q9OyN6skItsYGxWwObeX8t6ek2l+S8SfSnk9zPBJ07jKaG183/xnBRNerRV 6SAZ1qngmOZ2J0SjLD0j/c3Es6rGIo46iOMfP+pOEqiYW3z6E6tb5h7++skkuO+4 veZw64VqftubGbptWfYfRlsR2q/Wv+7EQ1BDvi/DYciydFPBaTGNg0PBGoKcrvd3 HofsXnJrSgoPvPdl15rNewnoFP6zTNKT/gQtrwMl67GQy7XEuSdcHom8e151dpGJ yxEcJ+QjIq30WfJJlCVbVtAAqz0bxg+CWk3eGCGN29yF1/NYPTt639vk36lJoyzd SqpEGkGC1PV3Hf5TLwxHGZLJmQRlIivmNndClGqJJTQNwcNg39Pfj3WhlDQKx5DV UFDUfv8AlkyfF5Qcy/8ijRrwS/+FfXc7QS8D8fe8jqorr453Jc4TG5DmuH5lezR4 b4J/Wf/GVKjI8bRNbMVNUbIvZSK5I3IJxCNgzmDkKYi3soaRHSaXCOqgxW3VcKo2 jUwthpyMA210k94A1nT3DvRhnP4m6Y/45lwKmT+SuG6DJHRQ0t7P+1wqJ8Go9XtM a/mAYQsXwGyOUPMA3bK3YhYJZ5fOIwGf8dvQqxNhTgEqmtIZ8o1uhPzcbknpak89 TC81a4mC+evSqlLaeMoVUshard+Og3pj7TsovYP91GCR1m0vzgB0ar6WONHPBp8S f7JHM5915e5YAO5TokG/nsHb/6sOxpW3C0G6h/kjKJsX+1hVhvaQhOQ6RBqGCMtY +LDkhQt9ewRithfDOcuVbEkOfOn8Xo47u2eHGece6ZZV3nMy69o7xPeyn9Ah+BWw NyWzUeA5i+Jv1DAb+RuszYbo/NlkXmMhZpv1EddEQkLcElH9PmaKRVxh69pwnbda R3hzP/pT4qtTLvCSPcLz/pVQ23meiaJB2VVhU4GX0pDzngGsRSjc8XxYFhHNVFAo 9btz7bl6/ANvZwoV6d3DJaJebHhZoyJFm8Z/mUntdgfmzrLL9Ej2IcVibql3yxbs A8arYb4jho2fAtT1m5zMop1R4+wYWNq3Np4CvzdHQ6FsmVjYPQhPFRDrxG+DCoLm YMlv7AobxHLLZJwipbMaezxYbrLmgdv1SDkxkG55P/rXjd5gI6+Ew7Kj6ratpCf+ XStdNpS6XosupLaQH2ABU/KUg7y4WQ== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/59B1DB071E79C2A5

http://decryptor.cc/59B1DB071E79C2A5

Extracted

Path

C:\oeyq480-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension oeyq480. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/01DF7CB2D6981761 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/01DF7CB2D6981761 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: ImQC+yEupqrO7QcXMODll834qB/rSpGfPjIgsZ6VmiFA9GioLcJrv0BHxLBTrgG0 JWdjF+4NZSLvkdMYO2RZj1MIydekRZCxo6oVq7VauZQs+fu92zKLVM/hJtGyW8B9 lqdHLB7g4V/huAfx54NqKwv5i0fPD4Lx+SqfJIGWmwjv3by2EjKmMnLqpbGEcDiq Rrwbwwu4Kf05BAywEDyqCVlZlSWTLdTIlV4N8KR9CtU6wfCeSLAcaMG05oPAhhne 0n9jb9V34Mj0y0LjrH0YpL/CQ4HvI7OK71UTPLnMymEfWmeO+XboAZrWYKgdJF9E xbnb91dAx+iJyuHXs9eDXy6JsdkIf7VP8dFT9Y5I0NrktgZ44ENAXSWGkHcTgk67 HvDsi3iHQyN3rlHrYlkt2rZh73Gtui4ebhxv6yz1V0xnG2JfauLTPmdL+O9D/peD nukbL4fCXHKzFtFiNxwE58TvDypCu4fy3fDfUvbKIAqfDsqKbWUg+iqyIXWBvVAl LnJ5rrxPOXJ1M0mtcIwDGSabd7yG5p7IzbzB5xwcMCuUoZHfXldLn3E/tA6UE7YC Qfdcan9mULSGnPyXKhWbcI8r4x6oc7ZyAE/AYEQWFUUfMK+Yrrz901BlOrTH7l/k X8FSjwDa2Fct9w2oBilPB7ht0ZBx0kvSJRwM169AYDiZICEiF0cUI71Q3OY5uqU+ jyu4UAvBpx7UPbWDkbdBFm81rJ9TPSMGtVK5WZ5LTzzkgInfyBrZLVTn4cCdMaBX ahBTWI8ii3DAqZk9X/I6YSRCBCfmAw+ELcvwuAXcEOGxLdjfQQWAqXW6J23lvQKf arOF1n970p8LAKYDcfy58ksIFbJIy3T8rKk/wLcaTGmdvYAO+JInMmEnmE45D8g4 VJehKin3qE5L0aB3dneBOOm6PKl7CQfKZLGZslzGEVbu7rqg4o9dD/KkH6oCiDeJ 4Glo6BUSBaRQJgdQzGEIqfVVM2WkQAPmkNYf6jdJcpZKzlT+TWmag8o1mDAmgCN8 dCUmNWVQ4wfpwndGsUz3qHR8WfWwCDD8SKVkJoaDtaYmp9ypcUsWEAscgCqVzC0t WjY07hBQsElp0JxNEstT/5hnfEN1ymmBHiQjEsrHiXX9MHbYyVxNj3lZ9Gh/YzZ9 vQ+M0AgBH+NXzi0u6rYo2RppeAsG67Ta0O2ZlkSpT6KzEeoTyac2/69UXnkmf/EQ xIELWMKetQ4AULOqK/5tOhXCJGGGI2a7z9L4WrnrP9OZAgSm3USv91VqD84wFDf2 Ug6b58pFlWedQs35+LtALq4q ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/01DF7CB2D6981761

http://decryptor.cc/01DF7CB2D6981761

Targets

    • Target

      a28e23ad4033341694551d6f59737138de9f1997384da5ae9a1642cc8c9e237f

    • Size

      116KB

    • MD5

      2894ecbd12a791cbf7404febb43b5f4e

    • SHA1

      8ed5327cf869893d6099df145c49aec08c86faa6

    • SHA256

      a28e23ad4033341694551d6f59737138de9f1997384da5ae9a1642cc8c9e237f

    • SHA512

      8b7a9ab31b4ff2f37d772308db28717947624d172b5b23e9979623e3cf03fa109480f83aa9243fa9ecf7d2fb7a7cc4deb5899b5f462d0c911bee3dab3e4b6115

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies Installed Components in the registry

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
