MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Sodinokibi


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71
SHA3-384 hash: 334df660a0a3a0252724b02bb1787566ed66e890b7a7fb8b245c6ef4f6f0e114d64e26688d88263a59c19be0e8340ab4
SHA1 hash: 137db4ccf35660ab2b7e44b29755b363a93736d6
MD5 hash: 6f478788c9bf905bad3371598255fe71
humanhash: jig-april-table-spaghetti
File name:8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
Download: download sample
Signature Sodinokibi
Create hunting rule
File size:119'296 bytes
First seen:2020-08-20 13:01:04 UTC
Last seen:2020-08-20 20:16:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 60a84185e19afa379906abb359cfa2ed (4 x Sodinokibi)
ssdeep 1536:aTZINbRh0SKws6KTUkmHlntMvfWhbpfCqeICS4AKvQIFlsXPF51PV6Dux+QgC1:FRix3PWhNlOVFmXPFm0+Ql
Threatray 168 similar samples on MalwareBazaar
TLSH 08C3CF27E96082F2D99345F7122F7F1A98BFFE34141264ABD33449884B654C3A723A63
Reporter Dashowl
Tags:Sodinokibi

Intelligence

File Origin
# of uploads :
2
# of downloads :
848
Origin country :
n/a
Vendor Threat Intelligence
Detection:
REvil
Create hunting rule
Link:
https://www.capesandbox.com/analysis/49136/
Detection(s):
Win.Ransomware.Sodinokibi-7013612-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Sending a UDP request
Modifying a system file
Creating a file in the Windows subdirectories
Launching a service
Creating a file
Creating a file in the Program Files directory
Creating a file in the Program Files subdirectories
Changing a file
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking Windows Firewall launch
Stealing user critical data
Creating a file in the mass storage device
Encrypting user's files
Result
Threat name:
Sodinokibi
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/441551
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Encrypted powershell cmdline option found
Found malware configuration
Found ransom note / readme
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Delete Shadow Copy Via Powershell
Yara detected Sodinokibi Ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
sodinokibi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71/
Threat name:
Win32.Ransomware.Sodinokibi
Create hunting rule
Status:
Malicious
First seen:
2020-08-11 15:26:14 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rupexn2xth6tmoorf4sbrlrrmmpeqp4n3f2y4hulu6c4jz5brjyq._file
Verdict:
malicious
Similar samples:
07346bb5f71e3c67a9ffd1b0d9602452f044b9262b468b6ed055f6548f26327a
Sodinokibi
14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708
Sodinokibi
2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15
Sodinokibi
7d3a5cd80e21098c2ea4a35396fb9ccec326054f45937eae3207a3f5f2d09464
Sodinokibi
9793e0ba85d2b0c14960b6cc506fe2aecb952795e167d504e2701b4dd399dbb6
Sodinokibi
b6929c10554b2ec977acdf9dbe47dc28fc35fb67c0fbaddca9486dadc72d545f
Sodinokibi
bbcaee51155609d365f6bb297d124efea685df0243ec1d4efb5043d9afe5963d
Sodinokibi
e0b8bc41f54e982571d878303f3714a2b71985e37abe8f2c84c04139927b31a9
Sodinokibi
e9e5459e32521a8ca1c075a96d3358337919321f5d149fe3a8cc5f6f57b33923
Sodinokibi
fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278
Sodinokibi
+ 158 additional samples on MalwareBazaar
Result
Malware family:
sodinokibi
Create hunting rule
Score:
  10/10
Tags:
ransomware persistence family:sodinokibi
Link:
https://tria.ge/reports/200820-aqx31bqt1n/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in System32 directory
Modifies service
Sets desktop wallpaper using registry
Adds Run key to start application
Enumerates connected drives
Modifies extensions of user files
Sodin,Sodinokibi,REvil
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
REvil
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_revil_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.hybrid-analysis.com/sample/8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71/5f3297f594dab70c0f22dea0
Cape
Cape
https://www.capesandbox.com/analysis/49136/

Comments