DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
General
-
Target
New folder (13).rar
-
Size
5.3MB
-
MD5
ee064dd6c224e77d73c08588c72fe38f
-
SHA1
0be18fdd02f206fcf8fbb0693bc3778808051fdb
-
SHA256
3526c74a22a6a7ff285bddc4a055d22e443bd2d9ceb47aa7bc20240256084787
-
SHA512
c3b8a5347303c8121ed4884099a7ded0658196ebca8b19baf4c742bf79dfed61d4bc7e64fbb1e432cc726bc751b8880ce381dd971ebaf1415ede49e88e055522
-
SSDEEP
98304:N7lNcNlD8XfLEFIkOuiScSKebhWgkVPaN8lxzF/QZQb5d5wdBQnYouCiU:N7K8PQyddSt/96SanNQOL5iaYoxp
Score
10/10
Malware Config
Extracted
Family
sodinokibi
Botnet
13
Campaign
49
Decoy
alaskaremote.com
epicjapanart.com
narca.net
mediahub.co.nz
mustangmarketinggroup.com
alcye.com
reygroup.pt
letterscan.de
jax-interim-and-projectmanagement.com
unislaw-narty.pl
justaroundthecornerpetsit.com
bescomedical.de
bertbutter.nl
parksideseniorliving.net
reputation-medical.online
biodentify.ai
polynine.com
nvisionsigns.com
luvbec.com
hospitalitytrainingsolutions.co.uk
Attributes
-
net
false
-
pid
13
-
prc
mysql.exe
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
49
Signatures
-
Sodinokibi family
-
Sodinokibi/Revil sample 1 IoCs
-
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unsigned PE 38 IoCs
Checks for missing Authenticode signature.
Files
-
New folder (13).rar
-
174ac08f7fd9c8486511122f2b8c730018c68d4492bf58840f7dbe5338072883.exe
4c3219645dd78b3b70c45db7e9e9ce69
Headers
Imports
Sections
-
21697ff9c9b2ad4fb91d805cd139175a4ff8fbddf1fdff52c9dd8eee78612b27.exe
b5a5caf35820b0585dc0bf46a1ceb2a6
Headers
Imports
Sections
-
299baa160cc77a615a22266ea21c1eabc357ade95901e569d82731ba44309f88.exe
511ce72a0f5f4dd1bb156ed7e39799ee
Headers
Imports
Sections
-
390f8ea3044007611ebadad5352708aa3d0df0872b4550100f439a0aad7213a2.exe
Headers
Sections
-
3d26ddb0a96c825ff98a6b6456bf52dab1a896da2a8690a041524a6c82213a05.exe
Headers
Sections
-
out.upx
Headers
Sections
-
51308678ff4559482f32fc2138d4134b412ab75977c19003bd6a7209b3c1cb54.exe
78432b8949ef05b6ec09f13349b9ebb4
Headers
Imports
Sections
-
600db89be8dbd50e60c620ea147688cea7d512b1dc545a6b95fe41f0dfeca57f.exe
dffacf698243f6dd84fabd018fb0d630
Headers
Imports
Sections
-
6860173ca54b7e763cc667ac54435f1a18a821e09453b9e41556b6c2e9323eb1.exe
b7c4c83c583f58da8c0272ab6a9d8d5a
Headers
Imports
Exports
Sections
-
6fd5bdcc625d735f67f0ad4cacd06feb2ae20a2ec7626ff91fbd1848d1173d34.exe
5c3ff417c94f110f829013c73025a364
Headers
Imports
Sections
-
87cee50a81408e14f015d7507a87950e678742ba78015fd65d24f9934d22c9c7.exe
Headers
Sections
-
93564e681c3b63f14bfb67df98f5461917c447f343770a3a944ab251c4dac5ca.exe
Headers
Sections
-
9c109b79dae8527b370cc0b91d5822f4a69b3acda284c361b310e18738ec5a97.exe
979fb227ed62f6c626f50b68d5b3f7b2
Headers
Imports
Sections
-
9c8685a98f9be3a699ea95314449fd90fbaeac3e587efdfcb0c495621e7b087f.exe
Headers
Sections
-
CrypMod.exe
b4e318e0972407708adcc8489fa1a611
Headers
Imports
Sections
-
Fuck.exe
ee7eabfb216812054a15738aa6448fc2
Headers
Imports
Sections
-
Generic_Ransom_1.exe
d69adc5aba535543d2bfe93df4c9469a
Headers
Imports
Sections
-
Genericcc.exe
Headers
Sections
-
Gneeirc2.exe
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
Imports
Sections
-
MyxaH.exe
b34f154ec913d2d2c435cbd644e91687
Headers
Imports
Sections
-
$PLUGINSDIR/System.dll
fc0224e99e736751432961db63a41b76
Headers
Imports
Exports
Sections
-
$TEMP/1.COMServerPS.dll
-
$TEMP/83.opends60.dll
-
$TEMP/Aureomycin
-
$TEMP/SampDBInstall.exe
e8f7fef0a3111f8024797557c9cff445
Headers
Imports
Sections
-
$TEMP/SystemWindowsForms.xml
-
$TEMP/cadi.dll
253572847504e1c8c644f9bdb73ac781
Headers
Imports
Exports
Sections
-
$TEMP/cltu.il
-
$TEMP/datetimebox.css
-
$TEMP/gdm.mo
-
$TEMP/hp3900.conf
-
$TEMP/listportsosx.cpython-35.pyc
-
$TEMP/netwinforms02.gif
-
$TEMP/pagenum/67.opends60.dll
-
$TEMP/pagenum/VSLauncher.exe
-
$TEMP/pagenum/assistantda.qm
-
$TEMP/pagenum/lockfile-remove
-
$TEMP/pagenum/unicode.c
-
$TEMP/seahorse.1.gz
-
seahorse.1
-
$TEMP/udl.ko
-
$TEMP/vsslnui.dll
Headers
Sections
-
$TEMP/webdev10flinks.hxk
-
$TEMP/x-fortran.xml
-
$TEMP/zr36050.ko
-
a1e86fc6cfb129a978b7de1f8b773f766640e50874d8989999be2c55c6d022c2.exe
Headers
Sections
-
add230a2e7aabf2ea909f641894d9febc6673cf23623a00ce3f47bc73ec9b310.exe
Headers
Sections
-
ae3a9c9cf994b6f1967aee6a31f13796e0f59d4c2bd22865e24f2babf2043bb7.exe
Headers
Sections
-
out.upx
Headers
Sections
-
b878926219059096382653b807efb9476435cc6d3401667c502d2c7bb2f6d7be.exe
Headers
Sections
-
c28384feb8d622682c10e81da44448c226638a7fed9b531ab7a5f652c55b3e1a.exe
Headers
Sections
-
cryptmod2.exe
2506f29890e5deaaf308d3f8118bb857
Headers
Imports
Sections
-
d041a11a04bba9142ee44712a53c8e94bccefeefe1d382ac35171518cd6b64a7.exe
Headers
Sections
-
db3f0b9d66482afc1f2328f7eee8a8cc57ce03e19a4325e50d239203a4d17e0f.exe
0584572c0cf6d376de80d6d8c7c64e59
Headers
Imports
Sections
-
dcb283e040d84bf1a86b381bfb0ce6b8dc070b58ba5d3150eed9cb7becf769ea.exe
0ae1be5dfbc31afc8c5071154390cc4c
Headers
Imports
Sections
-
e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe
Headers
Sections
-
f14fd49537695f6e33bd102633b0737a2713df3197e36b7cdb176bc8683f6919.exe
a093075fe06ded86ab25dea1802c7cf8
Headers
Imports
Sections
-
f7ee55f1571b1a082a8e61811811009b02e5b0d651bd7c3f8d29ca16ef1e14ed.exe
Headers
Sections
-
genenenrnenr.exe
Headers
Sections