MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68a96bd0c150d2808755edfc90b2263626de612b4907e772af3bb552f0fcc4ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Sodinokibi


Vendor detections: 11



SHA256 hash: 68a96bd0c150d2808755edfc90b2263626de612b4907e772af3bb552f0fcc4ca
SHA3-384 hash: e65ec501a010e17d157b0b8256a2d4795addb3b07e0f3992ecc0f0f08526a38e83c173329e47a4f6c16faa1b0c0b1b20
SHA1 hash: 8ef5072dc4351e49c11241f332577c7630656c95
MD5 hash: fbd2a737bfd8a83dcdc9b9359e2ca68f
humanhash: river-washington-jersey-kilo
File name: 68a96bd0c150d2808755edfc90b2263626de612b4907e772af3bb552f0fcc4ca.bin
Signature: Sodinokibi
File size: 122'368 bytes
First seen: 2021-03-15 00:36:43 UTC
Last seen: 2021-03-15 02:35:04 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 12b3d5a940cbcd57463181405f48f963 (4 x Sodinokibi)
ssdeep: 1536:uRnNZyC8Pw7RZCq3L6xVh1uK0igtprD4pTqMPfLICS4A0q48Bpc+dFoiz7A0IYlk:/zY7MjtIprD0RfwiqpuqFxk0dxUB
Threatray: 202 similar samples on MalwareBazaar
TLSH: 4AC3BF23A9E142B2D59340FE232B7F274ABFFE358661582BE3204D894F654C1E627717
Reporter: Arkbird_SOLG
Tags: Ransomware, REvil, Sodinokibi

Intelligence


File Origin
# of uploads: 2
# of downloads: 1'592
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Creating a file in the Program Files directory
Changing a file
Creating a file in the Program Files subdirectories
Adding an access-denied ACE
Reading critical registry keys
Stealing user critical data
Creating a file in the mass storage device
Forced shutdown of a browser
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Sodinokibi
Detection:
malicious
Classification:
rans.evad
Score:
84 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Found malware configuration
Found Tor onion address
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Writes a notice file (html or txt) to demand a ransom
Yara detected Sodinokibi Ransomware
Behaviour
Behavior Graph:
[Behavior Graph ID: 368477; sample: h09olWF39h.bin; start date: 15/03/2021; architecture: WINDOWS; score: 84. The rendered graph showed the process tree (loaddll32.exe spawning regsvr32.exe, rundll32.exe and cmd.exe), the dropped ransom note files named yv93u-read-me-GLOBAL.txt, and the contacted domains and IP addresses.]
Threat name:
Win32.Ransomware.Sodinokibi
Status:
Malicious
First seen:
2021-03-11 01:26:00 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Result
Malware family:
sodinokibi
Score:
  10/10
Tags:
family:sodinokibi ransomware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Sets desktop wallpaper using registry
Enumerates connected drives
Modifies extensions of user files
Sodin,Sodinokibi,REvil
Unpacked files
SHA256 hash:
68a96bd0c150d2808755edfc90b2263626de612b4907e772af3bb552f0fcc4ca
MD5 hash:
fbd2a737bfd8a83dcdc9b9359e2ca68f
SHA1 hash:
8ef5072dc4351e49c11241f332577c7630656c95
Detections:
win_revil_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_RANSOM_REvil_Oct20_1
Author:Florian Roth
Description:Detects REvil ransomware
Reference:Internal Research
Rule name:sodinokibi_2020_06_10
Rule name:win_revil_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments