General

  • Target

    43cd585e36a8b4edf2b6ef406ae5f019b1480401c684bd2bf594195f075433e4

  • Size

    164KB

  • MD5

    f110035255ecf395f0d5fa1cd89bf15f

  • SHA1

    e60d841b1630f1c6abc0060448ed718a92ec3b56

  • SHA256

    43cd585e36a8b4edf2b6ef406ae5f019b1480401c684bd2bf594195f075433e4

  • SHA512

    974d4babf66d1cd7d20fe61390b248c2251d403fe15d8e0b2eea29096db4ab83e8488bfbce82dceb725cda11bdd26284656394e8d30fa1cbf592973c8456691a

  • SSDEEP

    3072:xdHwJK3BMoFiWjmfb+HP+rnRfU7qK4F9co:xNwE3q4jmfCHWtU7i9

Score
10/10

Malware Config

Extracted

Family

sodinokibi

Botnet

18

Campaign

37

C2

koncept-m.ru

weddingceremonieswithtim.com

rivermusic.nl

hom-frisor.dk

ronielyn.com

lapponiasafaris.com

queertube.net

cp-bap.de

signededenroth.dk

johnsonweekly.com

ludoil.it

foerderverein-vatterschule.de

atelierkomon.com

otpusk.zp.ua

parseport.com

vitoriaecoturismo.com.br

perfectgrin.com

docarefoundation.org

traitware.com

annenymus.com

Attributes

  • net

    true

  • pid

    18

  • prc

    steam

    sqlwriter

    infopath

    thebat64

    mysqld_opt

    sqbcoreservice

    visio

    dbeng50

    xfssvccon

    msftesql

    agntsvc

    encsvc

    tbirdconfig

    wordpad

    sql

    sqlservr

    dbsnmp

    mysqld_nt

    winword

    firefoxconfig

    sqlbrowser

    mydesktopservice

    thunderbird

    ocssd

    mysqld

    oracle

    sqlagent

    synctime

    ocautoupds

    isqlplussvc

    outlook

    thebat

    excel

    ocomm

    mydesktopqos

    powerpnt

    mspub

    msaccess

    onenote

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} c) Open our secondary website: http://decryptor.top/{UID} When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    37

  • svc

    sql

    memtas

    svc$

    veeam

    mepocs

    sophos

    backup

    vss

Signatures

  • Sodinokibi family
  • Sodinokibi/Revil sample 1 IoCs

Files

  • 43cd585e36a8b4edf2b6ef406ae5f019b1480401c684bd2bf594195f075433e4
    .exe windows x86

    c88f20b29592f2107a629e815db6afae
