MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Sodinokibi

Vendor detections: 17

Intelligence 17 IOCs YARA 7 File information Comments

SHA256 hash:	3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545
SHA3-384 hash:	df44a3ea9ed289c2118c7a8431f9c43f0bcd94605fbe530ee35e1bcd36f4f26c76f15d1611d787d5f58f0bad8eb565a7
SHA1 hash:	a8d88813f2691cf71e8d6790e473593644c913ed
MD5 hash:	ff1f6956f07e700a86b5986b63ea12db
humanhash:	nine-july-saturn-march
File name:	revil_fixed_I_think
Download:	download sample
Signature	Sodinokibi Create hunting rule
File size:	129'284 bytes
First seen:	2023-08-22 14:18:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f3d46e2f8717ced6d4b220e65d6ad18a (16 x Sodinokibi, 1 x Worm.Ramnit)
ssdeep	1536:YxOUyl20w8bVZQ40iMSO1fY+iUyQs2r8t5p1ySotICS4A6QdZls8XzUXiWr4X5Fg:YMhQNDEtb3A2ZHjUyWr4X5FTDUA
TLSH	T11EC3CF33EC9003B2CD83C1F2132E6E579EBEBD34161524A6E3258A454F760D2AE1B75B
TrID	25.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 19.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.1% (.EXE) Win32 Executable (generic) (4505/5/1) 7.8% (.ICL) Windows Icons Library (generic) (2059/9) 7.7% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	petikvx
Tags:	Sodinokibi

Intelligence

File Origin

# of uploads :

# of downloads :

177

Origin country :

Vendor Threat Intelligence

Malware family:

sodinokibi

ID:

File name:

revil_fixed_I_think

Verdict:

Malicious activity

Analysis date:

2023-08-21 10:36:19 UTC

Tags:

ransomware sodinokibi revil

Link:

https://app.any.run/tasks/4709fc99-a325-4bd5-821c-a627ab565122

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

REvil

Link:

https://www.capesandbox.com/analysis/444165/

Detection(s):

Win.Ransomware.Sodinokibi-9880447-0

SecuriteInfo.com.Trojan.Encoder.33991.12554.11119.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching the process to change the firewall settings

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Creating a file

Creating a file in the Program Files directory

Creating a file in the Program Files subdirectories

Changing a file

Reading critical registry keys

Moving a recently created file

Searching for synchronization primitives

Launching a service

Network activity

Creating a file in the %temp% directory

Stealing user critical data

Creating a file in the mass storage device

Forced shutdown of a browser

Encrypting user's files

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/108298/overview

Behaviour

MalwareBazaar

Gathering data

Verdict:

Malicious

Labled as:

Ransom.Sodinokibi.Generic

Link:

https://www.hybrid-analysis.com/sample/3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Sodinokibi

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cd35a9a7-a8fa-487f-b5ad-9217599f85cc

Result

Threat name:

Sodinokibi

Detection:

malicious

Classification:

rans.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1295235

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Found malware configuration

Found ransom note / readme

Found Tor onion address

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies existing user documents (likely ransomware behavior)

Modifies the windows firewall

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Uses netsh to modify the Windows network and firewall settings

Writes a notice file (html or txt) to demand a ransom

Yara detected Sodinokibi Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

sodinokibi

Link:

https://mwdb.cert.pl/sample/3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545/

Threat name:

Win32.Ransomware.Sodinokibi

Status:

Malicious

First seen:

2023-08-22 14:19:08 UTC

File Type:

PE (Exe)

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hzx3ynmoaicmwz5edmcxoh5moty3jfzxy6vxcohecxd6syuo6vcq._file

Result

Malware family:

sodinokibi

Score:

10/10

Tags:

family:sodinokibi botnet:$2a$12$prox/4ekl8zrpgsc5lnhpecevs5nockouw5r3s4jjydnzzsghvbkq campaign:8254 evasion ransomware

Link:

https://tria.ge/reports/230822-rmtywscg23/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Sets desktop wallpaper using registry

Enumerates connected drives

Modifies Windows Firewall

Unpacked files

SH256 hash:

3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545

MD5 hash:

ff1f6956f07e700a86b5986b63ea12db

SHA1 hash:

a8d88813f2691cf71e8d6790e473593644c913ed

Detections:

win_revil_auto

win_revil_a0

Link:

https://www.unpac.me/results/33e98203-2cd2-4fd6-91d2-e097fe283485/

Malware family:

Sodinokibi

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3e6fbc358e02/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MAL_RANSOM_REvil_Oct20_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects REvil ransomware
Reference:	Internal Research

Rule name:	MAL_RANSOM_REvil_Oct20_1_RID2ED2 Create hunting rule
Author:	Florian Roth
Description:	Detects REvil ransomware
Reference:	Internal Research

Rule name:	RAN_Revil_Dec_2021_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect Revil ransomware
Reference:	Internal Research

Rule name:	Revil Create hunting rule
Author:	Dhanunjaya
Description:	Yara to detect Revil

Rule name:	Windows_Ransomware_Sodinokibi_a282ba44 Create hunting rule
Author:	Elastic Security
Description:	Identifies SODINOKIBI/REvil ransomware
Reference:	https://malpedia.caad.fkie.fraunhofer.de/details/win.revil

Rule name:	win_revil_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.revil.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/444165/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample