- First seen: April 2019
- Aliases: GandCrab, Sodinokibi, Sodin
- Samples:
  - d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e | windows | ransom | pe
  - cf5088b4a00529241aeae1fb7404198eb72a1eea541c608d4f467eaa7e2b4b34 | windows | ransom | pe
| Property | Value |
|---|---|
| Size | 912264 bytes |
| CRC32 | 0xf8dbe525 |
| MD5 | 561cffbaba71a6e8cc1cdceda990ead4 |
| SHA1 | 5162f14d75e96edb914d1756349d6e11583db0b0 |
| SHA256 | d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e |
| SHA512 | 09149b9825db2c9e6d2ec6665abc64b0b7aaafaa47c921c5bf0062cd7bedd1fc64cf54646a098f45fc4b930f5fbecee586fe839950c9135f64ea722b00baa50e |
| Ssdeep | 24576:vMz7ETDWX4XukZeVL/kYx9P/JY6gfjcsAE:kfF7k4pB/JYPIsAE |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
| Packer | PE: compiler: Microsoft Visual C/C++(-)[-]; PE: linker: Microsoft Linker(14.23**)[EXE32,signed] |
| TrID | 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60); 4.7% (.EXE) Win64 Executable (generic) (10523/12/4); 2.2% (.EXE) Win16 NE executable (generic) (5038/12/1); 2.0% (.EXE) Win32 Executable (generic) (4505/5/1); 0.9% (.EXE) OS/2 Executable (generic) (2029/13) |
- Avast: Win32:DangerousSig [Trj]
- Avira: TR/AD.SodinoRansom.xacle
- Bitdefender: Trojan.GenericKD.49195655
- Clamav: Win.Dropper.REvil-9875493-0
- Comodo: Malware
- Drweb: Trojan.Encoder.34110
- Eset: Win32/Filecoder.Sodinokibi.N
- Fsecure: Trojan.TR/AD.SodinoRansom.xacle
- Kaspersky: HEUR:Trojan-Ransom.Win32.Gen.gen
- Mcafee: Ransom-revil.c
- Sophos: Troj/Ransom-GIQ
- Symantec: Trojan Horse
- Trendmicro: Trojan.Win32.SODINSTALL.YABGC
- Windefender: Ransom:Win32/Sodinokibi
| Property | Value |
|---|---|
| Size | 121344 bytes |
| CRC32 | 0xa3942067 |
| MD5 | a0d0badd5b4c80cd63d0051553aac1e2 |
| SHA1 | 5379772d57206ee07eff42fa2282aef493547334 |
| SHA256 | cf5088b4a00529241aeae1fb7404198eb72a1eea541c608d4f467eaa7e2b4b34 |
| SHA512 | 0785aa738558ca1c5fac0a283216ff93069ad0f74af23bfcd8198c9c8761033135e7dd22c74b521eb42802b74776da20fd78322f70f2478836aa3f640dadfdf8 |
| Ssdeep | 1536:6xryLRras2vlBmcJW6Xi5wBwBpaKj2dICS4ARoU4agQeX3Cdd+a3:+dBVJW0BwjX/oU4xQeHCd53 |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
| Packer | PE: linker: Microsoft Linker(14.0, Visual Studio 2015 14.0*)[EXE32] |
| TrID | 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2); 22.7% (.EXE) Win16 NE executable (generic) (5038/12/1); 20.3% (.EXE) Win32 Executable (generic) (4505/5/1); 9.1% (.EXE) OS/2 Executable (generic) (2029/13); 9.0% (.EXE) Generic Win/DOS Executable (2002/3) |
- Avast: Win32:Sodinokibi-D [Ransom]
- Avira: TR/Crypt.XPACK.Gen
- Bitdefender: DeepScan:Generic.Ransom.Sodinokibi.4BAAA907
+ Clamav: clean
- Comodo: Malware
- Drweb: Trojan.Encoder.30497
- Eset: Win32/Filecoder.Sodinokibi.B
- Fsecure: Trojan.TR/Crypt.XPACK.Gen
- Kaspersky: Trojan-Ransom.Win32.Sodin.ace
+ Mcafee: clean
- Sophos: Mal/Sodino-B
+ Symantec: clean
- Trendmicro: Ransom.Win32.SODINOKIB.SMZTIC-B
- Windefender: Ransom:Win32/Revil.A
- https://blog.qualys.com/vulnerabilities-threat-research/2021/07/07/analyzing-the-revil-ransomware-attack
- https://www.amossys.fr/fr/ressources/blog-technique/sodinokibi-malware-analysis/
- https://www.acronis.com/en-us/cyber-protection-center/posts/sodinokibi-ransomware/
- https://www.cybereason.com/blog/research/the-sodinokibi-ransomware-attack
- https://unit42.paloaltonetworks.com/revil-threat-actors/
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil
- https://analyst1.com/file-assets/History-of-REvil.pdf
- https://www.hhs.gov/sites/default/files/revil-update-tlpwhite.pdf
- https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope
- https://www.youtube.com/watch?v=0raUaL4TIo4
- https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html
- https://hatching.io/blog/ransomware-part2/
- https://www.certego.net/en/news/malware-tales-sodinokibi/