MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3e37c5cf4b43ea92fd71e08edc38bcfe6fe33f283f62aa5632113c444a71b00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Sodinokibi


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3e37c5cf4b43ea92fd71e08edc38bcfe6fe33f283f62aa5632113c444a71b00
SHA3-384 hash: 4c516a840909ab7d9ca9ee915dbce95d13ab8f693a8d0ba17a00f800926319c4cd27a435b30e01e9123a30194fd29639
SHA1 hash: cf153e39e65b2ccc3ea0bc7637ff075b9f43579c
MD5 hash: 73f8252eea3a1361eb07f58f7e695f5d
humanhash: winter-mars-cat-july
File name:8hHzXixt.exe
Download: download sample
Signature Sodinokibi
Create hunting rule
File size:119'296 bytes
First seen:2020-11-03 01:06:40 UTC
Last seen:2020-11-03 13:53:49 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 0a72a27bb4f50c4e03f53b443def2069 (18 x Sodinokibi)
ssdeep 1536:CPp8kFF4+utlznGEvCrUmUYwGOmpX2yaICS4Aa7AblYbMLM5l4Qqp7irg:8vnuGqfGOqVBblgMF7H
Threatray 189 similar samples on MalwareBazaar
TLSH 15C3CF73A94183B2D99745FF532B2F2749FFFE340015A866D3214CC84E6A091FA3A697
Reporter pmelson
Tags:exe REvil Sodinokibi

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'796
Origin country :
n/a
Vendor Threat Intelligence
Detection:
REvil
Create hunting rule
Link:
https://www.capesandbox.com/analysis/81910/
Detection(s):
Win.Ransomware.Sodinokibi-7013612-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/518710
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
Detection:
sodinokibi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e3e37c5cf4b43ea92fd71e08edc38bcfe6fe33f283f62aa5632113c444a71b00/
Threat name:
Win32.Ransomware.Sodinokibi
Create hunting rule
Status:
Malicious
First seen:
2020-11-03 01:08:06 UTC
File Type:
PE (Dll)
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4prxyxhuwq7ksl6xdyeo3q4lz7tp4m7sqp3cvjldeej4irfhdmaa._file
Verdict:
malicious
Similar samples:
14c8e3f1f23d16c2c9a4272cd05d00461d27b372cc5f588b4bbfc6102bbed708
Sodinokibi
2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15
Sodinokibi
6295da1218817aaac71447d83d2221d251724dd33751d94581e3f10e76da1280
Sodinokibi
74320a6921912c89e7e2e0f44e1192926b226f5b70a580c0a36c6e1c8b8dd0fe
Sodinokibi
83002399482a30115e37cea0222fdb265cc6d57101ca7ce4591374acd6b8a371
Sodinokibi
8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71
Sodinokibi
93bd21cb6331ce96cc28dc7a1f0b6b2b2ed8ec064d2ac6e1f428af59c924cb57
Sodinokibi
9793e0ba85d2b0c14960b6cc506fe2aecb952795e167d504e2701b4dd399dbb6
Sodinokibi
b8fcf275ea5024bc10bd51f4db8f59d01822b9ec61e7a5ada8bf6290954933b2
Sodinokibi
e0b8bc41f54e982571d878303f3714a2b71985e37abe8f2c84c04139927b31a9
Sodinokibi
+ 179 additional samples on MalwareBazaar
Result
Malware family:
sodinokibi
Create hunting rule
Score:
  10/10
Tags:
family:sodinokibi persistence ransomware
Link:
https://tria.ge/reports/201103-w5xchsmh96/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Modifies service
Sets desktop wallpaper using registry
Enumerates connected drives
Modifies extensions of user files
Sodin,Sodinokibi,REvil
Unpacked files
SH256 hash:
e3e37c5cf4b43ea92fd71e08edc38bcfe6fe33f283f62aa5632113c444a71b00
MD5 hash:
73f8252eea3a1361eb07f58f7e695f5d
SHA1 hash:
cf153e39e65b2ccc3ea0bc7637ff075b9f43579c
Detections:
win_revil_auto
Create hunting rule
Link:
https://www.unpac.me/results/a48ca7b8-bb41-4c79-a450-1b4b943a6d36/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
REvil
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3e37c5cf4b43ea92fd71e08edc38bcfe6fe33f283f62aa5632113c444a71b00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_revil_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Sodinokibi

DLL dll e3e37c5cf4b43ea92fd71e08edc38bcfe6fe33f283f62aa5632113c444a71b00

(this sample)

  
Link
https://www.virustotal.com/gui/file/e3e37c5cf4b43ea92fd71e08edc38bcfe6fe33f283f62aa5632113c444a71b00/detection
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/81910/

Comments