MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d91f951bdcf35012ac6b47c28cf32ec143e4269243d8c229f6cb326fd343df95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Sodinokibi


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash: d91f951bdcf35012ac6b47c28cf32ec143e4269243d8c229f6cb326fd343df95
SHA3-384 hash: 735167cbfe632d2ccaafa8928415ce2355cf35f152eecbe6bffc1cfdcd4ab27b556a9104f344869bd34302d89a54cd1e
SHA1 hash: 24e8a7a0b9fdf929e6cc4b52b0470bf4f7b6f244
MD5 hash: 0e285f30f30dedd812295d2408f4b84c
humanhash: charlie-spring-india-robert
File name:d91f951bdcf35012ac6b47c28cf32ec143e4269243d8c229f6cb326fd343df95.bin
Download: download sample
Signature Sodinokibi
File size:120'832 bytes
First seen:2020-11-22 00:02:25 UTC
Last seen:2021-08-13 08:55:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3eff7b78fa879bdd7bc10b8b899e0ab3 (1 x Sodinokibi)
ssdeep 1536:ac79OtHXciw8MfMNQulioPIKNpVO6OICS4AziU/U/F20rg8sNlQoaA:EXCSK4IKvXhiU/+F20EVlQTA
Threatray 193 similar samples on MalwareBazaar
TLSH 08C3C033B9A042F3CC9306F7131B2F3F9ABFBE345514A836D76089845A265939627367
Reporter Arkbird_SOLG
Tags:REvil Sodinokibi

Intelligence


File Origin
# of uploads :
2
# of downloads :
2'032
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Launching a service
Launching a process
Creating a file in the Windows subdirectories
Reading critical registry keys
Changing a file
Blocking Windows Firewall launch
Stealing user critical data
Creating a file in the mass storage device
Forced shutdown of a browser
Encrypting user's files
Result
Threat name:
Sodinokibi
Detection:
malicious
Classification:
rans.evad
Score:
96 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Found ransom note / readme
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Yara detected Sodinokibi Ransomware
Behaviour
Behavior Graph:
Threat name:
Win32.Ransomware.Sodinokibi
Status:
Malicious
First seen:
2020-11-21 21:42:58 UTC
File Type:
PE (Exe)
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Result
Malware family:
sodinokibi
Score:
  10/10
Tags:
family:sodinokibi persistence ransomware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Modifies service
Sets desktop wallpaper using registry
Enumerates connected drives
Modifies extensions of user files
Sodin,Sodinokibi,REvil
Unpacked files
SH256 hash:
d91f951bdcf35012ac6b47c28cf32ec143e4269243d8c229f6cb326fd343df95
MD5 hash:
0e285f30f30dedd812295d2408f4b84c
SHA1 hash:
24e8a7a0b9fdf929e6cc4b52b0470bf4f7b6f244
Detections:
win_revil_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_revil_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments