Overview

overview

10

Static

static

10

REvil_v2.06.exe

windows10-2004-x64

10

REvil_v2.06.exe

windows11-21h2-x64

10

Resubmissions

26-09-2024 23:44

240926-3rfgvaxbke 10

28-04-2021 17:44

210428-nl3kdh8mhe 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    REvil_v2.06.exe

  • Size

    121KB

  • Sample

    240926-3rfgvaxbke

  • MD5

    46a40ec6d39b7530830f3047cdebaa1b

  • SHA1

    a1540914b5ceb9e772ee5898e777f48e3cd57010

  • SHA256

    08c2d24cb9c632f9aa84254bb673c9df04d4ac23ee07e840794e9438b06e9bd2

  • SHA512

    64d3bd219e939100612242a35d36db8636a18eb962ce174284359178b6abb29c957bb1a0083015b948ff17c30e01ddd46c12824a83d0698b03372effeae0aa12

  • SSDEEP

    1536:vjVXKif7kaCtHM7qpo6ZQDtFnNi+ti09or2LkLpLik8ICS4Ao3uZskecjrzgPujd:J1MZwlLk9Bm3uWqgu6M1njIXi1

Score
10/10
sodinokibi$2a$12$k6iq18br3uu7ufyc.pgy0e8gklmvcwyoi09nqzjkgxzn1vngskatc7495bootkitcredential_accessdefense_evasiondiscoveryevasionpersistenceprivilege_escalationransomwarespywarestealertrojan

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$k6iq18BR3UU7uFyc.Pgy0e8GklmvcWyoi09nqzJkgxZN1vNGskAtC

Campaign

7495

Decoy

the-virtualizer.com

aminaboutique247.com

thaysa.com

aunexis.ch

allentownpapershow.com

plotlinecreative.com

spinheal.ru

darrenkeslerministries.com

peterstrobos.com

sanyue119.com

extraordinaryoutdoors.com

airconditioning-waalwijk.nl

ledmes.ru

all-turtles.com

euro-trend.pl

ausbeverage.com.au

micro-automation.de

easytrans.com.au

sandd.nl

wien-mitte.co.at
Attributes
  • net

    false

  • pid

    $2a$12$k6iq18BR3UU7uFyc.Pgy0e8GklmvcWyoi09nqzJkgxZN1vNGskAtC

  • prc

    oracle

    onenote

    msaccess

    dbsnmp

    firefox

    ocssd

    excel

    wordpad

    isqlplussvc

    thebat

    dbeng50

    sql

    mspub

    visio

    steam

    outlook

    encsvc

    mydesktopservice

    powerpnt

    winword

    ocautoupds

    synctime

    agntsvc

    tbirdconfig

    thunderbird

    sqbcoreservice

    ocomm

    mydesktopqos

    infopath

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7495

  • svc

    mepocs

    memtas

    svc$

    sophos

    sql

    vss

    veeam

    backup

Extracted

Path

C:\Users\7x5uuzi-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 7x5uuzi. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/60A9AD4D4CCC0AC6 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/60A9AD4D4CCC0AC6 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: M26YimqTfLJ6wtt8YWb6L4vPtJ1QW5hckrnutkBDZU1ZfOgqv3Lb/9lDvKFvW0U9 /2WsYl/edXpbzA8om/vwrjRo24zkw2JaLYYurmxnitZNj5ihW1wcDf/vOfOh0voi ko7i7qWNIO1MKIGRckmxa5VB+tKyWq/7su8v9zS2Og5PwsQFH+goJ+n1o13TsQSh HsY+/GdlTycbcu8nV5+tYiMZOWA8VS3SAyGJPudjbOI7PaHpZi1MFRcWB22Cay+L 9ncgLNibu4x0tcu31axj8LM25TdcqGWEsXPWOR8KXKbHp+OLy6UrLYZdVDbd9UgR 29OXddw3QyJmttHSVj/EMoOJZpyEsEHczx/Tz4PriOkuN5l7tpx94rxqh7ncGe+Y jf6P+CFdqc/SqBrGIusnXiWADJyekO/U1AAz4MIbWXIc3HT714E5Q4XKg73AZErn A0xDKBWDAaOH4gJpgNKtwvbWmwHy/6lw6/btlgzuXQPB/+ccRXVYkS6skzxN+QNw 1VH3A6USmGJXxoJfcYn5KeEgCOxgDT6m5k/bZIa/7WPiPu3xRzkwf6pvp8VH5WKO 01uOWCyLq3BnBsFQCFrc66yIWFDCY8oxVEpnxGwrBeyAzl7qZfMLCzLvef91uy47 aM/czwKLt1Cc5+bwI/e4A3PAqgEviqFjoD9AT38ueVYEif9Tb6fCe/aBITcxcB2K HGBc13nKRyC9ERVqvX3u4AAQBhj7xo7gT1CdPua6nlzLaF8wEa5ouAkAZGsy4EmT spgPRmSx8F8hZPW3q69Yh9HiRoaQ7RJGbV8RZ08L2qXQ5UFzJ6t7p+R+JyJOiQtM eIp5WReTN1/XcSkLQ1En6tacGDgSV7AECHHzwQOkcH/yDBioULhRoRbQ3ZEUTCrC AS9syZSP0RgmYosfNJ6TUTK5yPnKtjEOtqIWrlhZmKw4jJCxr610VNnwr0aviAws x/RV1tlwsT20FzjMfAgswDDx4wFaYXf6drivKJvkR1iDgfY93lnyfgD9FV4vL+hb wNcEj2BxrQWGW/k7dRkHL8QpoILnZ4Nd4z4Fp5SnpBev0BQwx2v5BRbQGKcaEfyg 2e8cnZpdO8DWHkUxuyHP/M+ITwPv2yTw37x8BOzzpMjZif9hnK7ZL1lElCFAJ8dl YO4vFYjhUq7sjq7E8pjMoeHIb3+R7PYmRsuSLrRc/VdJdZ0fz4PNXxHL9a2kjNx4 MkuAe9TSyiuOFQ15HZqmV8hr/vN88L5J4CfJfPIBtOINgrPPauBkwtEQJPiolquL C4xiBT2Tvyc0lz7m2lV/OVYTbmjXegYZEjk3GPY+Gt8KJ4P2Lc2eWKMhKHbK5SUh Njh5iL2hm0s/Io7ktoUSIt2eM69cr53YnXMyXHZm ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/60A9AD4D4CCC0AC6

http://decoder.re/60A9AD4D4CCC0AC6

Extracted

Path

C:\Users\n1jrkl-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension n1jrkl. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A3E3AE45FDACB846 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/A3E3AE45FDACB846 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: IN+RKAeDib4SlHE8XE9sLmFSYjxX68YfsM0Xof7GsmvS9ZYRmHYFlikhGq4j0IqA ZzalqEAUTH/dY2m6VxgYep0MB4bu6biQCX+0LeVD7i1hfX6mEZ7BtQnTIkJinbvk 9HC0y1ZK8RHXDqZw5hgXuSdrdl7pnjVM9Ls8gx0OSXNU9f0IuBUjPywWj+raZbQw lGE+IJf92jLI3NO9Q4xzm5gPE8SSdKQ9euF7cRAlHGxKSUlomWZQcTus1oh0vvRA zQV3r9EwiVpDGQTSdUKMEleG6xflA87qoMXSolzFwJ8v6BT4NnYWmZl70Duu1kwu L5jC7aSTfh9Q2tiWXw4vXIDa0TezE7MxA+ADV4YeWluCBTh/VOkQ74g2OQ1i+thr y4ks2BSV/N+hOcjBD/R0Mc9uZM/PF6w2Tp97lMm+ssgPbmKOd4TuTmXVmKPguLuv VRvSdtZarCk01VSbIiOs8rDcnzIwve4ofInr0CAdHQj0aDW7uWUKxC06c+0NR0V4 Uq8ekwHS6ferDhMfhjTVgZaV1Ligm3y4vSSkxzuhGXLlchGZ/V2fsWMEbu/SC6vA 6S7UQbTPrQnUsjXU87P7oA7ckOTpYZcSojsynnpcWS40yfNj0+ajOuTJGcHJ5C0g gb0jDy8mNd7zx9hI3oSFL7/KDN+QJ/+RFJxBPRTijjTb/SKb0/SRaM+7bik9iYNV 36BJJCi/pKIs3eWa/VqI7JgAenpKV2Q4k4BEk0k9t+mTaMaXfS3IyIkmWi+LRNu4 EdyUrRJz9wkmrFXqr7ErqxJXfgmBQmPOGYKzA8t2yajBJPirevjzhYc/mnkCFn0j EJOLR5NaxTXg7s8/+f1ZrNVf88F9Xj7KUwHA1rJWdBfoRI/1M8WUVkIFclqHOekv KqqQpO3n4+lXDA7v0sZd6ANMBGIumtZNxB8ShDsbrRDZ9L3N/VvyCeoYlULO/crF gfEFZK/WgHCTJiZi1qxyzVRW3xzHddn2giL3Rdx2YRGos6HLwRc0oY24RXpesavJ 6qxfoyTdH1nzrqHdmw8uNMqhKFHcQh7+paTLgD05xEmCBbNZLi+kVEBkMrOmr+U7 9ftVzIfKc80qp+t14//41a2PezqCv6+imtp3yRm45Yy91Fh2Dun7DslU7LOAg/D1 hI3PupZhQfUwnN4XVVfG25gNBeoyB4E13J5RKpvXJs881ijcLFhOnWe3sNQ8E93k 7mcCElTjgMfGEGamWiYraHFyutE0Wi/QfroWpiDbnNKedZhE47KWBKJjAherTByn UQf7HU50xIKKTpy+GDUgcS2qnlzOsRZ4nmhjP2WF0H3007TjqGKJjFpm/SJEDNcy geA3pFAupDwXIASaUp+Istgiz3fTEPV1pd9r7A== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A3E3AE45FDACB846

http://decoder.re/A3E3AE45FDACB846

Targets

    • Target

      REvil_v2.06.exe

    • Size

      121KB

    • MD5

      46a40ec6d39b7530830f3047cdebaa1b

    • SHA1

      a1540914b5ceb9e772ee5898e777f48e3cd57010

    • SHA256

      08c2d24cb9c632f9aa84254bb673c9df04d4ac23ee07e840794e9438b06e9bd2

    • SHA512

      64d3bd219e939100612242a35d36db8636a18eb962ce174284359178b6abb29c957bb1a0083015b948ff17c30e01ddd46c12824a83d0698b03372effeae0aa12

    • SSDEEP

      1536:vjVXKif7kaCtHM7qpo6ZQDtFnNi+ti09or2LkLpLik8ICS4Ao3uZskecjrzgPujd:J1MZwlLk9Bm3uWqgu6M1njIXi1

    Score
    10/10
    sodinokibibootkitcredential_accessdefense_evasiondiscoveryevasionpersistenceprivilege_escalationransomwarespywarestealertrojan

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

      ransomwaresodinokibi

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Sets service image path in registry

      persistence

    • Uses Session Manager for persistence

      Creates Session Manager registry key to run executable early in system boot.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

      defense_evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Safe Mode Boot

1
T1562.009

Modify Registry

6
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

3
T1120

Query Registry

8
T1012

Software Discovery

1
T1518

Security Software Discovery

1
T1518.001

System Information Discovery

7
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Tasks