General

  • Target

    3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45

  • Size

    1MB

  • MD5

    bed6fc04aeb785815744706239a1f243

  • SHA1

    3d0649b5f76dbbff9f86b926afbd18ae028946bf

  • SHA256

    3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45

  • SHA512

    1ed873577545dc52ffe3516b10848a0474c7f30dbaeed95c67b9b5a690acf4045c05114231dc4350e60219dea00a7e2be4cedc81a9e8655de59831ac09f53100

  • SSDEEP

    1536:Dk+Ih4gfvovCz9XwjeGjplqghkk7Pbi4eTMlux4ICS4A5H:a4gcAwCG1XLbi4eTMlm

Score
10/10

Malware Config

Extracted

Family

sodinokibi

Botnet

1

Campaign

4

C2

domain3.com

domain2.com

domain1.com

Attributes
  • net

    false

  • pid

    1

  • prc

    mysql.exe

  • ransom_oneliner

    Image text

  • ransom_template

    Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://z2lnrdtp2u4tl7agvqfgnxr7jxu36egfhft3w6zklaq2fl5be7yt4gad.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://domain2.com/{UID} Page will ask you for the key, here it is: {KEY}

  • sub

    4

Signatures

  • Sodinokibi family
  • Sodinokibi/Revil sample 1 IoCs

Files

  • 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45
    .exe windows x86

    5127c8ff00914b312f0361bc6155bca2


    Code Sign

    Headers

    Imports

    Sections