963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e

General
Target: 963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e
Size: 198KB
Sample: 220124-bxzzwshefk
Score: 10/10
MD5: bf9359046c4f5c24de0a9de28bbabd14
SHA1: d1f7c41154cbbc9cd84203fe6067d1b93001dde6
SHA256: 963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e
SHA512: 9050b23a429a92f0be4feb43ee901f64acab06a588d903f308697174fc1e73633cfcac27f71292e2d6ad6b40e34ab580c52949e1a533b885aa7a2f13f12b060b

Malware Config

Extracted

Family: sodinokibi
Botnet: 19
Campaign: 29
C2: (list of 50 configured C2 domains omitted)

Attributes
net: true
pid: 19
prc: mysql.exe
ransom_oneliner:
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub: 29
Targets
Target: 963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e
MD5: bf9359046c4f5c24de0a9de28bbabd14
Filesize: 198KB
Score: 10/10
SHA1: d1f7c41154cbbc9cd84203fe6067d1b93001dde6
SHA256: 963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e
SHA512: 9050b23a429a92f0be4feb43ee901f64acab06a588d903f308697174fc1e73633cfcac27f71292e2d6ad6b40e34ab580c52949e1a533b885aa7a2f13f12b060b

Tags

Signatures

  • Detect Neshta Payload

  • Modifies system executable filetype association

    Tags

    TTPs

    Modify Registry; Change Default File Association
  • Neshta

    Description

    Malware from the Neshta family infects other executable files in order to spread and cause damage.

    Tags

  • Sodin,Sodinokibi,REvil

    Description

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    Tags

  • Sodinokibi/Revil sample

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion; Inhibit System Recovery
  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System; Credentials in Files
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry; Peripheral Device Discovery; System Information Discovery

MITRE ATT&CK Matrix (tactics observed)

  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Initial Access
  • Lateral Movement
  • Privilege Escalation