sodinokibi | 97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463

General

Target

97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463
Size

221KB
Sample

230805-kjw6hsba47
MD5

77ed1092409c927f5cd1992021f99147
SHA1

4c9027e660614db7fe653e67a7ac0b726b52cc44
SHA256

97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463
SHA512

1e01f85f50179fb7620680809862c28c8955e696b397acd6766a2d8a18b81cc08f99c2a059213797ea8de1e004412b9d4853cf1c2ae9f451505322b00e26238a
SSDEEP

6144:Za/6o9aptGtbbqcqjuEyileXEHpSYxyEpq:S5atGtfqcqju3iXHpSgq

Score

10^/10

sodinokibi $2a$10$mabwjcxkb3kropx5kearm.sc7uhuubcbvrc/j3kvhmn3f11eujg3.4402 persistence ransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$MaBWjCXKB3kROpX5KeARM.SC7uhuuBCbvRC/J3KvhMn3f11EUJg3.

Campaign

4402

Decoy

gopackapp.com

croftprecision.co.uk

sanyue119.com

chatizel-paysage.fr

falcou.fr

theshungiteexperience.com.au

xn--vrftet-pua.biz

slimani.net

vibethink.net

mrxermon.de

hebkft.hu

danskretursystem.dk

castillobalduz.es

pmc-services.de

advizewealth.com

pixelarttees.com

testcoreprohealthuk.com

ino-professional.ru

alvinschwartz.wordpress.com

mercantedifiori.com

Attributes

net
true
pid
$2a$10$MaBWjCXKB3kROpX5KeARM.SC7uhuuBCbvRC/J3KvhMn3f11EUJg3.
prc
isqlplussvc
mydesktopqos
onenote
ocomm
dbsnmp
powerpnt
winword
thebat
sql
infopath
visio
firefox
tbirdconfig
wordpad
agntsvc
msaccess
sqbcoreservice
xfssvccon
dbeng50
thunderbird
outlook
mspub
excel
mydesktopservice
steam
ocautoupds
oracle
encsvc
synctime
ocssd
ransom_oneliner
Soon you may lose your files FOREVER Find: "readme-{EXT}-NOW.txt" in folders or on your desktop! YOU HAVE A FEW DAYS OR A FILE WILL BE LOST FOREVER !!!
ransom_template
Your files are locked due to a vulnerability in your system by "{EXT}" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/{UID} If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} After going to the site, enter the following code: {KEY}
sub
4402
svc
vss
backup
svc$
memtas
sql
veeam
mepocs
sophos

Extracted

Path

C:\Users\readme-cr0v4-NOW.txt

Ransom Note

Your files are locked due to a vulnerability in your system by "cr0v4" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/B455AE79B35BE10E If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B455AE79B35BE10E After going to the site, enter the following code: wlWlX1hKr7/taxO8KVG324TRSZko6yQnAlI3D2Gjqo9WP/osOkI9oBWUd3JDQln6 VSV/3I4UGHepHjb/ZakJs5zEhS1DG3XZgTdh6g8VtCBOppvBlJZ/P70JK2tTFal1 EzEBfxQNs4/ZLqrR7oJrIVo2BBqfscp2rocRpx/vIyl3mddTxhpCV93mFxaB8c+x u0dJJUc6PkxGwlYHry/59aLdFgsLhHUw0Qtrm2uXubUTa6+yCb0vSxwfEc0vUmEy +qUJxLU2wSieXzKq1zg7jK196cvi8BDQb1BNvajuM2bSH4pZJgUYIMunUcyR2AtT J7Pfkj+T+4TUmh8pF5aYHklR8Q+9Exbxl0Ona/KMKyaCym5AuIFwptWD1rwMbUJb TvwonmtGGJ8Kk/K22H/CkywgsSPNtYJVwY8Udn7Oh6EdxCE38mQmL6h9/FTzBHOk HbolGEyGg/YP3gyzY7y9+vbjco1/C7j+1dlqrmQd4Xyr6TbEvyLuAG4mEKdb6p9z GwSAfyJxugDmVtmTpy//cnsT4WPLfucTTXmEBPp6qUQIzGnC6xL/0DcrQr0k+Ek+ gCwUrH6Cxr7u/p3vVf9t2o7AXOzuY4qVqGuibT+6wBUwkSlWr1k55lC55OwVwual pvmIu1dZZ5mE79OucRK+OQmDMDe7YUXk065hLy5ABEQwIsinwBPbLSSubaNUsSJG 8/lSm70ycODrM7RwJnLyeau+BAOVSWxHtVUtOwVlvxueooWqBPAVucTSDWJq1s8T 5b2np80T4i/AQWXMJ8QmIpE8/lAJJnb5GIk0IYi6hAmlNoKXrL2JemaBj1y0iEzs pxSDAVrSMmVUJBgR07VO0aVS5Is1cB4ibo6F28Ygxgge8rVnPgOE4BXYnUzBCrwV ryXWIp9KMhJDgQ04dxQH2j4ITQE3FIW9aBURK9Ihs7K14xpG8ljy8Y46xtqHDqMt gj9UA2fZkRkuovpMsUS1HGowGG7ekME5CW+XVyBCad4G/gf3FUnC9mku6pP4ESJM G5cNuC8xk2u3ewXKvtK81F4GXkGsFAa0Bv004GvMeiDgs2CDy32zSc3RTsF3fUdU xZMebicg908oJs2xXcGtZ0+IndaC+CkfogeycVzf97QruSDYgePZTjsGJBU2idh/ iOLq5W+h+6GbFatH8hWc2CyXTZz9XDQkLJr32UGQDcpLaVB8LW/HATJSNRXo0mVL OUGbS1x0nBZknPGQasDGR/EJnEYlhGhxotOW2LD6J8qgZWbs08IQTOGdgWDuftH4 KHbJ76EodeYwkbbQhD9+l5e2eHE+HT8Aml8Qa4+oPQX+Ccf/JQsiYaiRtSYqFhDq 5yeIR9x55E/3NgFbnhrSC0jB+BP5NhxADru51VhP

URLs

http://decryptor.cc/B455AE79B35BE10E

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B455AE79B35BE10E

Extracted

Path

C:\Recovery\readme-ovxmopp-NOW.txt

Ransom Note

Your files are locked due to a vulnerability in your system by "ovxmopp" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/4B13C627D46B7444 If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4B13C627D46B7444 After going to the site, enter the following code: 28KcMc/kmhvEq6BqQZltUPfqz0x1+utMG1QEPyneIigghEQIlsuwejKhmYE/w955 PrMvoZV8WI/Ei2z271VUdfaZ6TLB8oxQEY4LL2WgZ3TRhTJSi7DQjIsnKMC64Ptt XReK2NUL9TSiUC2Pc9qVHAdcFA4tHf1kS8lUZqJtKwJwpBwq7pM/RsQ/uRHoWclJ p/I9Fe42w+3cVLjgCMxwQjdK35k45wIm1Dnye0ZAlOz3DqtlfAZRiXE1anRlH0HM BG71ydNabyOf+BxPuc092x1QDwjP3HPKd2jXEZQZ9Dm/i1C1tmQvuQ7rzL4nxmdz xQyJAI1txLgpF/dVTthRBwQoc73bdauriFhhQgA2AUfcOh6iH1pzG0IvDPiOH1hU jiT5dU0yyUwhmelwAVTt7Yy1kbc9PWQOugSCwnGWqYwBr48PoxYjA1AxVXp0u/eo 4voMXhO6VeGGfTUe6R8/+SMPG9qw6MOYQRlRYDeT4z94auqZrIPv077sk2yUjYuq ous/rHFdj37eAzd36+jKlnt/Mon7bNGL2bUGDov/i2E4NIbPYDm0nGB28K4o9W+R 7+0ozf4vKrSdDuavkZ9ZeRgCtINnrbCJwRWJPJZdkVEoWsBpIe68DmeL4vP3rAic m/TNA5eIfyH3MqZ/blkSpBEPM70yHaprfCEq5EYP3OgjMKaEf22AJmnPm7/3xUX4 Syz2DKFtoxshhXPRWLbWrBqYMMPoVcLswOfDSKJNlR+EcWfbGYCjBei+US13X4om NFnukHR0ZqtHtZy8jQfUz5WYuOEW89Y9FMZp4m5R/JbeXesYxTDBAJTgmvoDRM3w /z843g1XwP+GEO4Vv2pvO/Zyrkgwgu6nvg5onjgo1y2kssMYViCfRqIw3qqJcIzt eM/xxwj9qOCsGDmCfCr5HBB+EXjogVGJpuP9dS3nr2/8pp8mXm6QR3O0ZZxsAJXf LurVSCbJ7rOzmUmFpOxOonI/NzPSCgk4DTF40KweYwIOybg74g9KlwvTqmt4/CxU LiglQli73602sNDPQ+f7uxU6byERsqxfRMCCeNzdxP7DGDMXaJzqxymIWldqYmJg Pjp39v0sOEbeoXWUfSLsZ4EJRI22ZoxYySsEBK1HJ4l2NFsfy7X+p3NIG4NlqhbF gT3IshbfYncx5hiznhEG0v6/oMigDTRy6HHKZE1iMUAGHTBJNV7EwkpQIC1mQMvp qWF9LaG+TQ/S5Lu+sB3Db0GjIYQihoFpJRydKNkMwgeNoqAYuVbw/aV1dywArB6D mH3W7iRyd7UPBVFfr0anDREWSc9RcLThH5cHWvO2K/IBCFoeoQ0/lEqOMxTDLNUF ojcY/ogwMkf7OQPOICT+rVI1+mRmBaB+UndDCMBEfQNKDxAdLlUxIg==

URLs

http://decryptor.cc/4B13C627D46B7444

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4B13C627D46B7444

Targets

- Target
  
  97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463
- Size
  
  221KB
- MD5
  
  77ed1092409c927f5cd1992021f99147
- SHA1
  
  4c9027e660614db7fe653e67a7ac0b726b52cc44
- SHA256
  
  97a2331bc8088327dd97c4d01c3183cec88e4d5b724365602b982036a6306463
- SHA512
  
  1e01f85f50179fb7620680809862c28c8955e696b397acd6766a2d8a18b81cc08f99c2a059213797ea8de1e004412b9d4853cf1c2ae9f451505322b00e26238a
- SSDEEP
  
  6144:Za/6o9aptGtbbqcqjuEyileXEHpSYxyEpq:S5atGtfqcqju3iXHpSgq
Score

10^/10

sodinokibi $2a$10$mabwjcxkb3kropx5kearm.sc7uhuubcbvrc/j3kvhmn3f11eujg3.4402 persistence ransomware
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
  ransomware sodinokibi
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2