McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service - What The Code Tells Us | McAfee Blog
Common Information
Type Value
UUID 0cb0d2cc-f40d-4731-92fc-cef272f336bb
Fingerprint 8f37583d8da30611
Analysis status DONE
Considered CTI value 2
Text language
Published Oct. 2, 2019, 4:05 p.m.
Added to db Aug. 12, 2023, 8:14 a.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us
Title McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service - What The Code Tells Us | McAfee Blog
Detected Hints/Tags/Attributes 91/3/7
Attributes
Details Type #Events CTI Value
Details CVE 49
cve-2018-8453
Details File 2
sodinokibi.exe
Details File 9
mysql.exe
Details File 1260
explorer.exe
Details File 345
vssadmin.exe
Details md5 1
ccfde149220e87e97198c23fb8115d5a
Details Yara rule 1
rule Sodinokobi {
	meta:
		author = "McAfee ATR team"
		version = "1.0"
		description = "This rule detects Sodinokobi Ransomware in memory in old samples and perhaps future ones."
	strings:
		$a = { 40 0F B6 C8 89 4D FC 8A 94 0D FC FE FF FF 0F B6 C2 03 C6 0F B6 F0 8A 84 35 FC FE FF FF 88 84 0D FC FE FF FF 88 94 35 FC FE FF FF 0F B6 8C 0D FC FE FF FF }
		$b = { 0F B6 C2 03 C8 8B 45 14 0F B6 C9 8A 8C 0D FC FE FF FF 32 0C 07 88 08 40 89 45 14 8B 45 FC 83 EB 01 75 AA }
	condition:
		all of them
}