General

  • Target

    cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c

  • Size

    118KB

  • Sample

    220305-yhk9hshbc4

  • MD5

    0cf6dc8500639f66a7ac56c5a6b36b57

  • SHA1

    45f93a774ceaad53f93c3ee560adb37ce50c3440

  • SHA256

    cb0ce597738bc7cacaf401b12aae3ddb431ff139a6648cc326a303f3d94fa31c

  • SHA512

    039e385df79aaf80b3f7be864aad228698288c4960bc80538177d88ea475c4ba7f46324ea49da077e6e6a6ecfab42683ae14f8bf02c36ab3b21aba6eb7f549d0

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$yA1l43rWH6fokpBi8Qy0HedpEXWoM/v5z0hNyeE32cJyfduBWiHuG

Campaign

6387

C2

Attributes

  • net

    true

  • pid

    $2a$10$yA1l43rWH6fokpBi8Qy0HedpEXWoM/v5z0hNyeE32cJyfduBWiHuG

  • prc

    mydesktopservice

    sql

    synctime

    thebat

    encsvc

    mydesktopqos

    msaccess

    infopath

    winword

    excel

    onenote

    ocssd

    outlook

    firefox

    xfssvccon

    thunderbird

    visio

    ocautoupds

    isqlplussvc

    sqbcoreservice

    mspub

    powerpnt

    agntsvc

    oracle

    dbsnmp

    steam

    dbeng50

    tbirdconfig

    wordpad

    ocomm

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    6387

  • svc

    sql

    vss

    sophos

    backup

    veeam

    mepocs

    memtas

    svc$

Extracted

Path

C:\1166p651-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 1166p651. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0CB1759C8832983C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/0CB1759C8832983C Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: kEsCelNe9syPvZnIa7jSpEYyLm7bcPzES9oYsn3KGcKSDzL/DCGLWLqbj798a6K5 lkGLI/VBa3w4P7YufIr2vxub9swFc9jQyFOYq6ZLqkS3qg+cL7LqwkT3lX/8ehIg ZeY1xwggMIfDx2Epc2yyuNfATgnBktxgUOKUAOk4JnYWimAbRm39BhLgo5FEgDss Y/khVParvP5ftJRaFCck92JuROmC5BoQJYuI3DdTYnONxpaFryaDoRQmsGJSpYbC 7HOiGjUr316RLGY0WFfPMJZs2wF0ORv8A/BlWQbOFnlmWIFUBDy9qhiSGgv6lrSe z24N3w7svsB6mw0yvtl2CHjRXe8fTYjUjDlOFDOkItkkU8IxgzmUF2wh3ys3jywF d+hQ7aLL6KqNVbz+N4FoTKIWp9qdSPfwZNR5hwLCDTAp9N7kj8BNQwGyrrbEXr5c R8NqSYWx1x4eDWl7qIYwmYiqZj6ISM8xkEaCNxKcJYqyahYZ6p1eQVC+r380FG+H nDZKkirfjyCXCxAgbwu/jz3zPjFe6iOXBuFuukojF6jiCWZEeBqcyH2XK+vH7iz/ 7kWWCit/DlRfDEG7cbwNp2Xd3qJVDkdDb2QP2sW2SuECA2Y2CUKCyFVfKkPBiqOy 1OvtFya1jqFv1KNsLI3SvSrCx7lSsn14UrunGVPgKfO7RcXcY69GxD2WuUa4W2td Trd4eHmvmzkBpAAq2YwytrJJdASkdOuqCSY6GkKjc91cdlW6HiR4Y1JKIRWcWaPC hiNkmOyNoGjULY4KCm/R3LCl4hG9cNkOdgZVqwtdoPweU+5EghhahBIMTGcgfxHn t8gtJPH44w8nOVceG0N9fpeuHN9F2Nf4ibm8KMijjLAz4KVBWu1ydrAS+SmZoFAV Lk1cMtTbInBlz2JG2HqjgnDNXOER8bNDNMyMEXhkSuuoLF7eqi85c5695EkQEJs3 4CyacJ4zY7g/9WWmYldi+gbNZ6uy2B8+el2AN0qttHTIP95PNoQHJY0dPueFJtZv duI/u7RBJHwBLMjLwmvsZHJ1diqherGkEQYpKncb3OMNJQfpaTXkPu2CktubZdeJ HPxQ9IIJNwhjqAmuQbQ2FzSufdJF3v1lTjwSUx65IBtcpq3MGEpgYEUiK1I501Yc +csvOhMMtglalV9JoN4GuUy6JhGz2QvlqFA5eghhgDeDgbzwOkEYvgrRAp+pWIcC YSU00oNLTpTxSjcNLoDxtOZlcu/CrNc24ez1oxdZTVJSCWlQfmsi2NgMADXZ4PS9 wcVV++AEyyW/wiLrIduN+eReFGhfUvjLuBVN2Q== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0CB1759C8832983C

http://decryptor.cc/0CB1759C8832983C

Extracted

Path

C:\ot86281-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ot86281. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E8969E138D8FFE7B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/E8969E138D8FFE7B Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: l6GiFaBxAWnxVEZFh77KFO5qnr8ljU9LoQSy/4+dMr2yRWngBsxELhGJmo9xddH7 Tn4Wx4myqBAZI/7lJmBf27R2yQmpNQMV8baPrf2ncF77/+8MC9XtnQYd0nkHkqqX hPtuQMF51+83+uvV7lGon0UhKWa13hg9ERbMbzH/2Nk/MNg0GIiDHwME9zkiRMQV E6OuiKGskebE+6MOr8kSP05ceRB7YN58A8m8HcXdl6WYUibw9jYxBfIWhegEODsg vqXUwTkJlmJgtChZnuB/B1BcK/DowY1u5r+PrnjBW+6teZg5IiOh5gVFHOQWn+Xb BamNvurQiyNlk9W5ylTgMIUByFxBobvhq+mk3CQJPUVi5tfbmcj7koyxTOUoQdYr GjuB/sAdct3e/G1yq6Ry+9fo0kbeLgNXTij6BYFqNNz3Hj5rDpWp01yvoP9ewlad rB+BVvNdUkZTgkWHkLOBl4yqcVyIDOFG+VxTtX9+QtKBgSLnSnxiTO+2/bzB9KoM 0VWi/FQoM09KKu3gko8zmotOH8xu/XFzjV/eAX02e5Vg7JBuTbVUDUrAMCfqQIDd V++GYAGJrs9iQ2gPqaSMkqBhPm8XJBoHOpFH+NZO9/opGSYdISELnzylY9jj36nq Zi9Jh//xu8L9Jw/ds8JcJ6OB7u9Gtk2qK8kGPfqSB6w1l5waVifjpIiDuSqgfUQw zE9eZGoI+lxep+9q8Gf6OXKk5kVP77f0MJjb+/x9GkXmCRNGVHolkImAAy4rNNLB A+KYEae6HuzJvZfjidlZnnTgxdo+yJahmYEF/n9TVaU2xf2cnD6z97qkSV2A8zFe Ou6OxoqC4ykXu7GciKNSNaOw/j7twa2mzUfw4720Dz+bUEyoHZxAjErOsy1hTZiy LQW6Q92i9ZZyE4F/Z2Ojy0JLI48iBSprUbqHrWbVCK5yIeWTCnVkfTx9nKh8krGm FNkHupiYDnfzB1nFE7r8O+fIVgiQJg7zny/udkcsVPaunbKFtKjg8m11m7nECapp TYiKCid9HGv+825UUsyAQWvwKFjRoekIje4QKUR4vCUDyzQOao2Mu5MqO76gGe1N 5/D4xXDiEhOBmYnwHzsK0BrfutvEtyJBz8tat5DfCImBeb+wg8hZ56uLREKREngX NW9EASHrjwJc/dcpj+6wmTiLyiBfU0mp7JwLAlQvOCh6ybDsFon0YUpf154NnTL6 2eqs4+RqK1yikvewI1LpGZS636wBQugg412v2e0ev7qS21w0Bs5wWpDjbWflgKa2 GiK5J0LvG6XpM80SwCUFTLGU7hpiWM8s7FhDvbLu0fo= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E8969E138D8FFE7B

http://decryptor.cc/E8969E138D8FFE7B

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6