Analysis Report gVz4ueFL8n.bin

Overview

General Information

Sample Name: gVz4ueFL8n.bin (renamed file extension from bin to exe)
Analysis ID: 321427
MD5: 0e285f30f30dedd812295d2408f4b84c
SHA1: 24e8a7a0b9fdf929e6cc4b52b0470bf4f7b6f244
SHA256: d91f951bdcf35012ac6b47c28cf32ec143e4269243d8c229f6cb326fd343df95
Tags: Revil, sodinokibi

Detection

Sodinokibi
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for submitted file
Yara detected Sodinokibi Ransomware
Contains functionality to detect sleep reduction / modifications
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to delete services
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • gVz4ueFL8n.exe (PID: 5916 cmdline: 'C:\Users\user\Desktop\gVz4ueFL8n.exe' MD5: 0E285F30F30DEDD812295D2408F4B84C)
  • unsecapp.exe (PID: 5364 cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding MD5: 9CBD3EC8D9E4F8CE54258B0573C66BEB)
  • cleanup

Malware Configuration

Threatname: Sodinokibi

{"prc": ["firefox", "oracle", "visio", "xfssvccon", "steam", "winword", "mspub", "isqlplussvc", "ocssd", "ocautoupds", "mydesktopqos", "outlook", "dbeng50", "sql", "agntsvc", "tbirdconfig", "encsvc", "thebat", "synctime", "onenote", "mydesktopservice", "thunderbird", "excel", "powerpnt", "dbsnmp", "sqbcoreservice", "ocomm", "infopath", "wordpad", "msaccess"], "sub": "5891", "svc": ["veeam", "vss", "backup", "sophos", "svc$", "mepocs", "memtas", "sql"], "wht": {"ext": ["msc", "mpa", "hta", "ani", "themepack", "com", "ps1", "icl", "dll", "ldf", "ocx", "lnk", "theme", "nls", "386", "cmd", "wpx", "diagcfg", "cur", "prf", "ico", "nomedia", "sys", "bat", "exe", "deskthemepack", "spl", "shs", "hlp", "rtp", "msp", "scr", "ics", "key", "msstyles", "mod", "cab", "diagcab", "adv", "rom", "drv", "bin", "msi", "idx", "cpl", "diagpkg", "msu", "icns", "lock"], "fls": ["boot.ini", "bootsect.bak", "bootfont.bin", "ntuser.ini", "iconcache.db", "ntuser.dat.log", "desktop.ini", "autorun.inf", "thumbs.db", "ntuser.dat", "ntldr"], "fld": ["system volume information", "program files (x86)", "mozilla", "application data", "windows.old", "msocache", "appdata", "$recycle.bin", "$windows.~ws", "program files", "windows", "programdata", "google", "tor browser", "perflogs", "boot", "intel", "$windows.~bt"]}, "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA", "dmn": "[semicolon-separated list of several hundred beacon domains removed]", "dbg": false, "pid": "$2a$10$hIPnYTfL4yAd01j./DIPs.Tdwq.QURm2fbUM4pQFInKQ45tak6xW6", "nbody": "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", "et": 0, "wipe": true, "wfld": ["backup"], "rdmcnt": 0, "nname": "{EXT}-readme.txt", "pk": "PcGaG/OPoFiNzu1LUC2Qhz905YYQChX9SFo+MuXEV2M=", "net": false, "exp": false, "arn": false}

Yara Overview

Initial Sample

Source: gVz4ueFL8n.exe
Rule: MAL_RANSOM_REvil_Oct20_1 (Detects REvil ransomware, author Florian Roth)
Strings:
  • 0x4d44:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x99c6:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0x9fb2:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x91eb:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x99b5:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F

Memory Dumps

Source: 00000000.00000003.202573050.00000000031CF000.00000004.00000040.sdmp
Rule: JoeSecurity_Sodinokibi (Yara detected Sodinokibi Ransomware, author Joe Security)

Source: 00000000.00000003.202518189.00000000031CF000.00000004.00000040.sdmp
Rule: JoeSecurity_Sodinokibi (Yara detected Sodinokibi Ransomware, author Joe Security)

Source: 00000000.00000002.421931885.0000000000DC1000.00000020.00020000.sdmp
Rule: MAL_RANSOM_REvil_Oct20_1 (Detects REvil ransomware, author Florian Roth)
Strings:
  • 0x4944:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x95c6:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0x9bb2:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x8deb:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x95b5:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F

Source: 00000000.00000000.202262320.0000000000DC1000.00000020.00020000.sdmp
Rule: MAL_RANSOM_REvil_Oct20_1 (Detects REvil ransomware, author Florian Roth)
Strings:
  • 0x4944:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x95c6:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0x9bb2:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x8deb:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x95b5:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F

Source: Process Memory Space: gVz4ueFL8n.exe PID: 5916
Rule: JoeSecurity_Sodinokibi (Yara detected Sodinokibi Ransomware, author Joe Security)

Unpacked PEs

Source: 0.2.gVz4ueFL8n.exe.dc0000.1.unpack
Rule: MAL_RANSOM_REvil_Oct20_1 (Detects REvil ransomware, author Florian Roth)
Strings:
  • 0x4d44:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x99c6:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0x9fb2:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x91eb:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x99b5:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F

Source: 0.0.gVz4ueFL8n.exe.dc0000.0.unpack
Rule: MAL_RANSOM_REvil_Oct20_1 (Detects REvil ransomware, author Florian Roth)
Strings:
  • 0x4d44:$op1: 0F 8C 74 FF FF FF 33 C0 5F 5E 5B 8B E5 5D C3 8B
  • 0x99c6:$op2: 8D 85 68 FF FF FF 50 E8 2A FE FF FF 8D 85 68 FF
  • 0x9fb2:$op3: 89 4D F4 8B 4E 0C 33 4E 34 33 4E 5C 33 8E 84
  • 0x91eb:$op4: 8D 85 68 FF FF FF 50 E8 05 06 00 00 8D 85 68 FF
  • 0x99b5:$op5: 8D 85 68 FF FF FF 56 57 FF 75 0C 50 E8 2F

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: gVz4ueFL8n.exe  Avira: detected
Found malware configuration
Source: gVz4ueFL8n.exe.5916.0.memstr  Malware Configuration Extractor: Sodinokibi (the extracted configuration is listed above under Malware Configuration)
        Multi AV Scanner detection for submitted file
        Source: gVz4ueFL8n.exe | Virustotal: Detection: 69%
        Source: gVz4ueFL8n.exe | Metadefender: Detection: 48%
        Source: gVz4ueFL8n.exe | ReversingLabs: Detection: 72%
        Machine Learning detection for sample
        Source: gVz4ueFL8n.exe | Joe Sandbox ML: detected
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | Code function: 0_2_00DC549C CryptAcquireContextW,CryptGenRandom
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | Code function: 0_2_00DC5D90 CryptBinaryToStringW,CryptBinaryToStringW
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | Code function: 0_2_00DC5D2F CryptStringToBinaryW,CryptStringToBinaryW
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: z:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: x:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: v:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: t:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: r:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: p:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: n:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: l:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: j:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: h:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: f:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: d:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: b:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: y:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: w:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: u:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: s:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: q:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: o:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: m:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: k:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: i:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: g:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: e:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: c:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | File opened: a:
        Source: C:\Users\user\Desktop\gVz4ueFL8n.exe | Code function: 0_2_00DC766A FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose

        Networking:

        Found Tor onion address
        Source: gVz4ueFL8n.exe, 00000000.00000003.421781625.00000000031DA000.00000004.00000040.sdmp | String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/44BE4C1AA85AD2C1
        Source: gVz4ueFL8n.exe, 00000000.00000003.377775643.00000000031EF000.00000004.00000040.sdmp | String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
        Source: 3pp6h54-readme.txt34.0.dr | String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/44BE4C1AA85AD2C1
        Source: gVz4ueFL8n.exe, 00000000.00000003.377775643.00000000031EF000.00000004.00000040.sdmp | String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/
        Source: gVz4ueFL8n.exe, 00000000.00000003.421781625.00000000031DA000.00000004.00000040.sdmp, 3pp6h54-readme.txt34.0.dr | String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/44BE4C1AA85AD2C1
        Source: gVz4ueFL8n.exe, 00000000.00000003.377775643.00000000031EF000.00000004.00000040.sdmp | String found in binary or memory: http://decryptor.cc/
        Source: gVz4ueFL8n.exe, 00000000.00000003.421781625.00000000031DA000.00000004.00000040.sdmp, 3pp6h54-readme.txt34.0.dr | String found in binary or memory: http://decryptor.cc/44BE4C1AA85AD2C1
        Source: gVz4ueFL8n.exe, 00000000.00000003.421781625.00000000031DA000.00000004.00000040.sdmp, 3pp6h54-readme.txt34.0.dr | String found in binary or memory: https://torproject.org/
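Triage of the strings above usually means pulling out the payment hosts and the victim identifier and confirming that the onion address survived memory extraction intact. This Python is an added example written for this page, not part of the report or the sample: it runs a URL regex over the report's strings (plus one constructed line with a truncated onion label), separates the onion host from the clearnet ones, recovers the 16-hex-digit victim ID that fills the {UID} slot of the note template, and checks the onion label against the v3 address layout (56 base32 characters carrying a 32-byte public key, a 2-byte checksum and a version byte) so a mangled copy does not end up in a blocklist.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Strings copied from the report's networking findings, plus one constructed
# line carrying a deliberately truncated (55-character) onion label so the
# validator has something to reject.
SAMPLE_STRINGS = [
    "b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/44BE4C1AA85AD2C1",
    "b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}",
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/",
    "http://decryptor.cc/",
    "http://decryptor.cc/44BE4C1AA85AD2C1",
    "https://torproject.org/",
    "constructed: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoy.onion/44BE4C1AA85AD2C1",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
VICTIM_ID_RE = re.compile(r"^[0-9A-F]{16}$")
B32_RE = re.compile(r"^[a-z2-7]+$")


def check_onion_v3(label: str) -> dict:
    """Structural check of a v3 onion label (the part before .onion).

    A v3 label is 56 base32 characters encoding pubkey(32) || checksum(2) ||
    version(1), where checksum = SHA3-256(".onion checksum" || pubkey || version)[:2].
    """
    result = {"length_ok": len(label) == 56 and bool(B32_RE.match(label)),
              "version": None, "checksum_ok": False}
    if not result["length_ok"]:
        return result
    raw = base64.b32decode(label.upper())        # 56 chars * 5 bits = 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    result["version"] = version
    result["checksum_ok"] = checksum == expected
    return result


def extract_iocs(lines) -> dict:
    """Pull hosts and the victim identifier out of ransom-note style strings."""
    iocs = {"onion_hosts": {}, "clearnet_hosts": set(), "victim_ids": set(), "templates": 0}
    for line in lines:
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            host = parts.hostname or ""
            if host.endswith(".onion"):
                iocs["onion_hosts"].setdefault(host, check_onion_v3(host[:-len(".onion")]))
            elif host:
                iocs["clearnet_hosts"].add(host)
            segment = parts.path.strip("/")
            if segment == "{UID}":
                iocs["templates"] += 1          # note template, not a victim URL
            elif VICTIM_ID_RE.match(segment):
                iocs["victim_ids"].add(segment)
    return iocs


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_STRINGS)
    for host, check in found["onion_hosts"].items():
        print(host, check)
    print("clearnet:", sorted(found["clearnet_hosts"]))
    print("victim ids:", sorted(found["victim_ids"]), "template lines:", found["templates"])
```

A genuine v3 address decodes to version byte 3 and its checksum recomputes; the truncated constructed label fails the length check before any decoding is attempted, which is the case you hit when a string is cut at a page boundary in a memory dump. The {UID} line is counted separately because it is the template the sample fills in per victim, so it is an indicator of the family, not of this infection.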