MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Sodinokibi

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d
SHA3-384 hash:	ddadf3a0a060953e1464a13eefebd43ff12d9de4b7a3b2747772dde1fda3e5b151dc89284ee6f585375f2e5acfccc5e2
SHA1 hash:	1ed11049103a716f8a21f0fc7bcc07d20090871e
MD5 hash:	8ea56fd712f728e5ed1a7dcba86ca9e9
humanhash:	undress-blossom-kitten-nuts
File name:	368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d
Download:	download sample
Signature	Sodinokibi Create hunting rule
File size:	135'680 bytes
First seen:	2020-07-06 07:23:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	773fee0b4a452a64ac71454a76a68a34 (2 x Sodinokibi)
ssdeep	1536:3zlMbdsYwGYQ+MGvNcbXoZp+AZ+5Yl5534yLPqSpovf1kwICS4A6OOmO3qDCKB5s:dGYjPNWFY34yLPqmfBOd3XK2XXJ4wen
Threatray	171 similar samples on MalwareBazaar
TLSH	3FD3BF2399D04576F6E301F26E7A2F6369FEBD3088354467C3B4A8440A694C1E53B3EB
Reporter	JAMESWT_WT
Tags:	Sodinokibi

Intelligence

File Origin

# of uploads :

# of downloads :

921

Origin country :

n/a

Vendor Threat Intelligence

Detection:

REvil

Link:

https://www.capesandbox.com/analysis/21225/

Detection(s):

Win.Ransomware.Sodinokibi-7013612-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Launching a process

Using the Windows Management Instrumentation requests

Launching a service

Creating a file in the Program Files directory

Creating a file in the Program Files subdirectories

Delayed writing of the file

Changing a file

Modifying an executable file

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Creating a file in the mass storage device

Forced shutdown of a browser

Encrypting user's files

Detection:

sodinokibi

Link:

https://mwdb.cert.pl/sample/368dfd0ce07c2010b0bcfc05b60c653d285b9b201c0da60c3be6f6110a89140d/

Threat name:

Win32.Ransomware.Sodinokibi

Status:

Malicious

First seen:

2020-06-30 05:11:42 UTC

File Type:

PE (Exe)

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=g2g72dhapqqbbmf47qc3mddfhuufxgzadqg2mdb3433bccujcqgq._file

Verdict:

malicious

Sodinokibi

4aee79733f02aa31ced0b6a0672d67cc6b0e0f7e0fc8654b8981c529046d9b7c

Sodinokibi

681836cd8181c784646b39238d8e4d9323b91c71690894782220e2678c1f3191

Sodinokibi

6e5f225b72d932fa68cafd3e0366298d5b1b92098049dcf01f6e3f2ad0f9b92e

Sodinokibi

81b452c5cfc9b054231b73c412e06335770965ec8ec92a309df18c1909233a70

Sodinokibi

8931fa8e5b8ec0db4b1a722778eaaf580ed1a45fc4f93a5e879d688925971424

Sodinokibi

b83081e0e2676da0476f762d0d3efcccf37db54e1fb9ce3b663d4b9557185744

Sodinokibi

b9f3199637a3662429d829e2eb2d210fc96bf282883e721da1704981c136b143

Sodinokibi

bfbe9826927232ab355f0dc6343175dec5244026bdead1ca7033f4ba62d9a65c

Sodinokibi

fd8ba926720610c0864ed8f53bfe61b9d991883798f176f7ad65a16102aeeca3

Sodinokibi

+ 161 additional samples on MalwareBazaar

Result

Malware family:

sodinokibi

Score:

10/10

Tags:

ransomware evasion spyware trojan family:sodinokibi persistence

Link:

https://tria.ge/reports/200706-xlm5bwxl9e/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Modifies service

Drops file in System32 directory

Sets desktop wallpaper using registry

Modifies system certificate store

Enumerates connected drives

Adds Run entry to start application

Sodin,Sodinokibi,REvil

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_revil_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/21225/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample