{
	"id": "e4c17b3a-146b-40c2-b54b-771d5f5283a7",
	"created_at": "2026-04-06T00:11:27.830512Z",
	"updated_at": "2026-04-10T03:21:53.328386Z",
	"deleted_at": null,
	"sha1_hash": "a7f6b33a1c472bed2b4ee19e05b7ed36e982ed8a",
	"title": "GitHub - f0wl/REconfig-linux: Configuration Extractor for the Linux variant of REvil Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 212763,
	"plain_text": "GitHub - f0wl/REconfig-linux: Configuration Extractor for the\r\nLinux variant of REvil Ransomware\r\nBy f0wl\r\nArchived: 2026-04-05 21:28:03 UTC\r\nREconfig-linux is a configuration extractor for the Linux variant of REvil Ransomware. It is capable of extracting\r\nthe JSON config from the ELF file and decoding the ransomnote within it. By default the script will write the results\r\nto files in the current working directory, but you can also choose to print the config to stdout only by using the\r\n-print flag.\r\nMy Yara rule for the REvil Linux Ransomware can be found here.\r\nA writeup by AT\u0026T Alien Labs about this Ransomware variant can be found here.\r\nUsage\r\ngo run reconfig-linux.go [-print] path/to/sample.elf\r\nScreenshots\r\nNon-verbose Mode\r\nVerbose Mode\r\nConfiguration contents\r\nThe table below shows the keys used in the JSON configuration of REvil Linux Ransomware.\r\nKey Value / Purpose\r\npk Base64 encoded Public Key\r\npid Affiliate identifier (BCrypt Hash)\r\nsub Campaign identifier\r\ndbg Debug / Development Mode\r\nnbody Base64 encoded Ransomnote\r\nnname Filename of the Ransomnote\r\nrdmcnt Currently unknown integer (RandomCount?)\r\next File Extension (5 characters)\r\nTesting\r\nThis configuration extractor has been tested successfully with the following samples:\r\nSHA-256 Sample\r\nea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4 Malshare\r\n3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d Malshare\r\n796800face046765bd79f267c56a6c93ee2800b76d7f38ad96e5acb92599fcd4 Malshare\r\nd6762eff16452434ac1acc127f082906cc1ae5b0ff026d0d4fe725711db47763 Malshare\r\nIf you encounter an error with REconfig-linux, please file a bug report via an issue. Contributions are always\r\nwelcome :)\r\nSource: https://github.com/f0wl/REconfig-linux",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/f0wl/REconfig-linux"
	],
	"report_names": [
		"REconfig-linux"
	],
	"threat_actors": [],
	"ts_created_at": 1775434287,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7f6b33a1c472bed2b4ee19e05b7ed36e982ed8a.pdf",
		"text": "https://archive.orkl.eu/a7f6b33a1c472bed2b4ee19e05b7ed36e982ed8a.txt",
		"img": "https://archive.orkl.eu/a7f6b33a1c472bed2b4ee19e05b7ed36e982ed8a.jpg"
	}
}