MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f173aec9830677d751097483b2cd8b9a1609886d0c445568b6f52cf9461a668. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Sodinokibi


Vendor detections: 3



SHA256 hash: 6f173aec9830677d751097483b2cd8b9a1609886d0c445568b6f52cf9461a668
SHA3-384 hash: 0d54f28d03fc115dc8a27f8df5d12294fd48295dad48d6d24293f26e9f257b669e1e63ae4a25206b4c13c6723735ef6b
SHA1 hash: 220c2c1b5b625e800fe6d5e72d8971f25310ef63
MD5 hash: 07679969f48c4e0a83b9eb3ca31e9a2f
humanhash: burger-social-table-fanta
File name: ohaan.exe
Signature: Sodinokibi
File size: 292'864 bytes
First seen: 2020-06-16 11:45:33 UTC
Last seen: 2020-06-17 09:22:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a0e066e1542eef3eebaa4fca1fb38e94 (1 x Sodinokibi)
ssdeep: 3072:vAcc99Ruu7OZ1tVj1Ox+Av/tzxQ0YR93NLixOLRptibY/u44Sj09bIm:vAcc9b/Sj1OxfNYR93NuxidD/0Im
Threatray: 196 similar samples on MalwareBazaar
TLSH: DB549D01B6D4C071E173063208F8BA715938FD6A4B359ACB7B887F5A1A781D1673AF63
Reporter: malwaretracekr
Tags: Sodinokibi


malwaretracekr
https://twitter.com/malwaretracekr

Intelligence


File Origin
# of uploads: 3
# of downloads: 454
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.DanaBot
Status: Malicious
First seen: 2020-06-16 11:47:02 UTC
File Type: PE (Exe)
Extracted files: 26
AV detection: 28 of 31 (90.32%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: ransomware persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Modifies service
Sets desktop wallpaper using registry
Enumerates connected drives
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
