Resubmissions

04-05-2024 21:53

240504-1r3k9sfe77 10

04-05-2024 20:28

240504-y9hmpsdd79 10

General

  • Target

    145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118

  • Size

    416KB

  • Sample

    240504-1r3k9sfe77

  • MD5

    145ba213336bbb05c09d2bcf198aa3bd

  • SHA1

    517dc0d3d853c09fd7cb69aa85fc8f37b9bf3a87

  • SHA256

    6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986

  • SHA512

    1868d5e625f2fb48f1ca59a34d6b0ebee612d5c657adc349ddc9b5984409e0e9844f5a31f81a1f1e1234e44064f695de07843f1fad3aad54e051e6620127a4b1

  • SSDEEP

    6144:RQNOV3wQRokxB8n7zPUmmTg2OJH80FjTz/XmlH9n7a:qCFRoI8zP38OJ80Fjff49u

Malware Config

Extracted

Family

sodinokibi

Botnet

17

Campaign

11

Decoy


Attributes

  • net

    true

  • pid

    17

  • prc

    mysql.exe

  • ransom_oneliner

    Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. For futher steps {EXT}-readme.txt that is located in every encrypted folder

  • ransom_template

    Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}

  • sub

    11

Extracted

Path

C:\Users\Default\3k2fd94-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 3k2fd94 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4ACF03FFBC917B86 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/4ACF03FFBC917B86 Page will ask you for the key, here it is: locVvP7q+hmXasFOOb0tlBRk9+/FLseMFPicq4egDoUQuYi3aJkGWIXI3xBIq2XR 3eY+qhh/5gYzjIrfRKsZ9TepmLEyUEkNp3VThKYrLDW1qIViL2X/f1bFhP+kG8kE 9CEGUvXl0cBCxuIzMih+0V8Q89mpaKWPzlH2V3cwx/oxpWaEiWhRlrMx6O2vqUmS fJhVph7jLd6zWGOq0eMc9noSchKpeVfqfF5MllCaVi6RyRM1P/kiw6hhajl8iLqW EyhL3NG2cWoEKKoIMsBAV1soKsDtjkBOW3uEKLrJewGFq8uNZm9IiT40H1YMzuQS eOpxC5UWyuMIdnMBuVvCuZ5yMEgxQeOKDv0E5V4Dzmkv+t3uVg0r6V+BDabX001K Wo+WvuckSuWBZo7OwCl4bptljn7qr04e4JnkueHn2ePcqGgGRXkLXvkM/5gQOz9u RS9VEP3SBFx4v3KtZgbXJgrpjgaD2QGMXKUy4tjXk6y2HtQ/D1Uy1+NevC1kDRC5 58RIsjKhMRMAeZmpurC9trZD7xzlcano6qC5vqRemzI9NPxsH5M+YuGvxWPZeLcx WeTc6dlj+PicWEq1ebu0qphbCM5yB6ahKD17uSKfQStSSfz72iGDvk+qWzSTatZw TkkQ2yN5affvk0qegvj4SaoM0zamk9KaYhuRMXQMILJtOevikB+4QtwG/4XHcMBl r0vNQiXesrVGfDAUY8SD11IruEBf6k25+vPp8s8bFCXMP6Npnl3L23lZthxzYNUe 9cIkXCMTIDCrA9Ab0+IE3KiangTbn6UvKrokdvfG85BKtutZ7FImxgKd03mJaHsU O3JKAxuLYfN6+qp8ozW1xfQFUSWgB7Tk0pIDWRcb0hi3AA0vLuUeEOBhpAI92YZ7 dQQRAAP6oz80Vq/sZK21bTrXS09U7xfn8PbY9xjAORTHaea7kWM13tvFuhODF1lj /ZMSNb+j33X8wVAPU3JfbqufJXaVe9RuBazUdgm4prRV9MB8YyAZb5JtqXoxpDJ0 E1ETMPq4wkC+HR8FERQpeLUOJHCemktkGTGs/qfn98TbgyIWhFEKWY1zVm2tYgef 9P6XzmSZZ2Ix0VIDICuk66nZTj8RcNaBgK+iWciAfKwPZqafD491wPHjU0hi7Y5j GNqlk7YVDa+15082VRS3HmsgNccaBhDMMUrCYjE2qbs=

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4ACF03FFBC917B86

http://decryptor.top/4ACF03FFBC917B86

Targets

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Renames multiple (142) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks