{
	"id": "17dd80bd-88c2-4472-a28d-5384050e9435",
	"created_at": "2026-04-06T00:13:44.252761Z",
	"updated_at": "2026-04-10T03:23:51.616607Z",
	"deleted_at": null,
	"sha1_hash": "814f925aa258143c170e1412405acbbc6a0c1fa9",
	"title": "Germanwiper's big brother? gandgrab's kid ? sodinokibi!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1651073,
	"plain_text": "Germanwiper's big brother? gandgrab's kid ? sodinokibi!\r\nBy f0wL\r\nPublished: 2019-08-10 · Archived: 2026-04-05 23:36:52 UTC\r\nSat 10 August 2019 in Ransomware\r\nAfter last week's analysis on GermanWiper I thought it would be about time to have a look at Sodinokibi aka REvil, the new weird kid on the block.\r\nAccording to Cybereason the Sodinokibi ransomware was written by the same guys who created GandCrab, which is a pretty big deal after GandCrab retired recently. The samples that I'll be looking at today were first dropped in Asia, but it did not take long for them to reach other continents as well.\r\nA general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/sources might be illegal depending on where you live.\r\nWhere I dug up the samples this time:\r\nSodinokibi #1 available @ https://malshare.com/sample.php?action=detail\u0026hash=6cb6fda0b353d411a30c5b945e53ea52 sha256 bace25c1ec587d099b4c566b1a07978dd9cb3bd67c2acaa55d2e4644a7877070\r\nSodinokibi #2 available @ https://malshare.com/sample.php?action=detail\u0026hash=7354af1a63f222ede4c9e0a6f84d57c2 sha256 2fea45f7be7c7313ee6e4fe7ad9ef64d9966a2391003a00dcbbd6214e9c522ef\r\nhttps://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html\r\nPage 1 of 8\r\nRunning it through VirusTotal we get a pretty good detection rate, but that is to be expected since REvil has been around for a few days already. Here's a direct link to the VT analysis.\r\nLooking at Detect It Easy we don't see anything special either. The PE seems to be built with MS Visual Studio 2015 (Linker Version 14).\r\nEntropy-wise we can observe a huge drop near the end of the binary.\r\nThe imports definitely indicate that something is wrong here. Only loading kernel32.dll with 3 entries is a bit minimalistic for ransomware.\r\nTo get your hands on the actual PE with an intact/complete IAT there are a couple of possible ways. Sergei Frankoff explained a very fast, but slightly \"messy\" method on OALive. I'll try to replay this technique and plan to come back to this sample soon to try and script my way out of this hole.\r\nA dump of the strings in the binary file can be found here. Likewise a sample of the ransom note dropped as a text file by the malware is available here.\r\nThe Decryptor\r\nThanks to a businessman who shall remain nameless but decided to pay the ransom we can take a look at the Decryptor V1.3 as well. My feeling about this executable is that it is being built to order rather than prepared in case a decryption is requested. The tool feels relatively unpolished because of the active debugging and the lack of obfuscation or anti-evasion.\r\nRunning it through Detect It Easy there is nothing spectacular going on here. Consistent with the ransomware itself, the decryptor was built with Visual Studio 2015 as well. Entropy-wise there are no surprises either at 4.64889.\r\nIOCs\r\nSodinokibi / REvil Ransomware (SHA256)\r\nbace25c1ec587d099b4c566b1a07978dd9cb3bd67c2acaa55d2e4644a7877070\r\n2fea45f7be7c7313ee6e4fe7ad9ef64d9966a2391003a00dcbbd6214e9c522ef\r\nada9794bcc8e87af05f9982522e26f7ead3d1cb07bb76ce58fac1bf98e41cf53\r\nURLs\r\nhttx://decryptor[.]top\r\nhttx://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion\r\nSource: https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html"
	],
	"report_names": [
		"germanwipers-big-brother-gandgrabs-kid-sodinokibi.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434424,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/814f925aa258143c170e1412405acbbc6a0c1fa9.pdf",
		"text": "https://archive.orkl.eu/814f925aa258143c170e1412405acbbc6a0c1fa9.txt",
		"img": "https://archive.orkl.eu/814f925aa258143c170e1412405acbbc6a0c1fa9.jpg"
	}
}