MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Sodinokibi


Vendor detections: 10



SHA256 hash: 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a
SHA3-384 hash: d8a160bdb5d5126881267311152a6462343cfa1c140cf4cbba7c163ab56334cce8674882c95c3c4dbc6270618ee78332
SHA1 hash: b837df01d31c1bfff0e54f07076323d075a4bf27
MD5 hash: 35766bd0b389c682306437d45ba5c4e6
humanhash: seven-utah-item-oven
File name: 591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a.bin.exe
Signature: Sodinokibi
File size: 118'272 bytes
First seen: 2020-08-20 13:02:29 UTC
Last seen: 2020-08-20 20:15:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c686e5b9f7a178eb79f1cf16460b6a18 (3 x Sodinokibi)
ssdeep: 1536:/DMcoFQf0U4u//dpkDM5Rw8IP3NHpwOqJICS4A9O/g7u4VFaIxf:euDkD+I3NJFqD4hf
Threatray: 168 similar samples on MalwareBazaar
TLSH: D1C3C062E96102F3D99302F6232B7F1B98FFFE74251958F6D36089480E75483EA1B527
Reporter: Dashowl
Tags: Sodinokibi
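The hash values above are the entry's file-identity IOCs. A practitioner sweeping a host or a quarantine share wants to check files against all of them in a single read rather than hashing each file four times. The following is an added example, not MalwareBazaar's own code: it copies the SHA256, SHA3-384, SHA1 and MD5 values from this entry into a dictionary, hashes input once per chunk with every algorithm, and reports which algorithms matched. imphash, ssdeep and TLSH are deliberately left out because they need third-party libraries (pefile, ssdeep, py-tlsh); the `sweep_files` helper and the byte-string test inputs are assumptions for illustration.

```python
import hashlib

# Hash IOCs copied from this MalwareBazaar entry, keyed by hashlib algorithm name.
ENTRY_IOCS = {
    "sha256": "591d971b9411860904bc7fb9234d9069e3e8cacd06523b0bf93547bc2c4a827a",
    "sha3_384": "d8a160bdb5d5126881267311152a6462343cfa1c140cf4cbba7c163ab56334cce8674882c95c3c4dbc6270618ee78332",
    "sha1": "b837df01d31c1bfff0e54f07076323d075a4bf27",
    "md5": "35766bd0b389c682306437d45ba5c4e6",
}


def compute_digests(chunks, algorithms=tuple(ENTRY_IOCS)):
    """Feed every chunk of an iterable of byte strings to all requested hashers.

    One pass over the data serves all algorithms, so a large file is read once.
    Returns {algorithm_name: hex_digest}.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(chunks, iocs=ENTRY_IOCS):
    """Compare the data against an IOC dict; returns (matched, mismatched) algorithm lists.

    All four digests cover the same bytes, so a real sample matches all of them.
    A partial match therefore signals a transcription error in the IOC list, not a
    near-miss sample; near-miss clustering is what imphash/ssdeep/TLSH are for.
    """
    digests = compute_digests(chunks, algorithms=tuple(iocs))
    matched = sorted(name for name in iocs if digests[name] == iocs[name].lower())
    mismatched = sorted(name for name in iocs if name not in matched)
    return matched, mismatched


def iter_file_chunks(path, chunk_size=1 << 16):
    """Yield a file's bytes in fixed-size chunks (assumed helper for on-disk sweeps)."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return
            yield chunk


def sweep_files(paths, iocs=ENTRY_IOCS):
    """Yield (path, matched_algorithms) for every file that matches at least one IOC."""
    for path in paths:
        matched, _ = match_iocs(iter_file_chunks(path), iocs)
        if matched:
            yield path, matched


if __name__ == "__main__":
    # Constructed input: the bytes "abc" split across two chunks. Any real check
    # would pass file paths to sweep_files instead.
    print(compute_digests([b"ab", b"c"]))
    print(match_iocs([b"abc"]))
```

Because `compute_digests` accepts any iterable of byte strings, the same function serves in-memory buffers (a process dump, an HTTP body) and files streamed from disk.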

Intelligence


File Origin
# of uploads: 2
# of downloads: 852
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Sending a UDP request
Using Windows Management Instrumentation requests
Modifying a system file
Creating a file in the Windows subdirectories
Launching a service
Creating a file
Creating a file in the Program Files directory
Creating a file in the Program Files subdirectories
Changing a file
Reading critical registry keys
Blocking Windows Firewall launch
Stealing user critical data
Creating a file on a mass storage device
Encrypting user's files
Result
Threat name: Sodinokibi
Detection: malicious
Classification: rans.evad (ransomware, evasion)
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Encrypted powershell cmdline option found
Found malware configuration
Found ransom note / readme
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Sigma detected: Delete Shadow Copy Via Powershell
Yara detected Sodinokibi Ransomware
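Two of the signatures above, "Encrypted powershell cmdline option found" and "Sigma detected: Delete Shadow Copy Via Powershell", describe the same detection problem: the shadow-copy deletion is hidden behind PowerShell's `-EncodedCommand` (base64 of UTF-16LE), so a rule that only matches the raw command line misses it. The following is an added example, not the Sigma rule, the sandbox's logic or anything from this entry: it decodes the encoded-command argument from process-creation command lines and then matches shadow-copy deletion patterns against the decoded text. The regexes, the `SAMPLE_EVENTS` command lines and the decoded payload are constructed for illustration.

```python
import base64
import re

# Shadow-copy deletion indicators typical of ransomware. These patterns are
# constructed for this example; they approximate, not reproduce, the Sigma rule.
SHADOW_COPY_PATTERNS = [
    ("wmi-shadowcopy", re.compile(r"win32_shadowcopy", re.I)),
    ("vssadmin-delete", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic-shadowcopy", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed.

    PowerShell encodes the script as base64 over UTF-16LE, so a payload with an odd
    byte count or invalid base64 is treated as "not an encoded command" rather than
    raising, which keeps a detection pipeline running on hostile input.
    """
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_cmdline(cmdline):
    """Decode if needed, then match the shadow-copy patterns against the effective text."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits = [name for name, pattern in SHADOW_COPY_PATTERNS if pattern.search(text)]
    return {"encoded": decoded is not None, "decoded": decoded, "hits": hits}


def scan(events):
    """Return [(index, hits)] for every command line that matched at least one pattern."""
    results = []
    for i, cmdline in enumerate(events):
        info = inspect_cmdline(cmdline)
        if info["hits"]:
            results.append((i, info["hits"]))
    return results


# Constructed sample events. The first one is built here so its base64 is correct;
# it is not a command line taken from this sample or from any real incident.
_PAYLOAD = "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
SAMPLE_EVENTS = [
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii"),
    "powershell.exe -Command Get-Process",
    "vssadmin.exe delete shadows /all /quiet",
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits, inspect_cmdline(SAMPLE_EVENTS[index])["decoded"])
```

The decode step is the whole point: event 0 carries no literal "shadowcopy" string, so string-matching the raw command line reports only event 2, while `scan` reports both.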
Behaviour
Threat name: Win32.Ransomware.Sodinokibi
Status: Malicious
First seen: 2020-08-10 17:45:11 UTC
AV detection: 23 of 25 (92.00%)
Threat level: 5/5
Result
Malware family: sodinokibi
Score: 10/10
Tags: ransomware, family:sodinokibi, persistence
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in System32 directory
Modifies service
Sets desktop wallpaper using registry
Enumerates connected drives
Modifies extensions of user files
Aliases: Sodin, Sodinokibi, REvil
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: win_revil_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.