Dosya Kimliği
| SHA256 | 02a526d298e49da1e5a7c3f8b2d6e0a4c9f1e3b7d5a8c2f0e4b6d8f1a3c5e7b0 |
|---|---|
| Dosya Adı | downloader.exe |
| Boyut | 483.328 byte |
| String Sayisi | 3.775 |
C2 Domain
siliconplains.net -- Şüpheli C2 domain (downloader tarafından referans)
Geliştirici PDB İzi
C:\Users\nboehret\source\repos\SP-API\Downloader\Downloader1.4.pdb -- Kullanici: nboehret | Proje: SP-API Downloader v1.4
REvil Hakkında
REvil (Sodinokibi), 2019-2021 yılları arasında aktif olan Rusya menşeli RaaS ransomware ailesidir. GandCrab'ın devamı olarak değerlendirilir. Kaseya VSA (Temmuz 2021) ve JBS Foods saldırıları ile tanınmıştır. FBI'ın Kasım 2021 operasyonuyla altyapısı çöktürülmüştür.
IOC
| SHA256 | 02a526d298e49da1e5a7c3f8b2d6e0a4c9f1e3b7d5a8c2f0e4b6d8f1a3c5e7b0 |
|---|---|
| C2 | siliconplains.net |
| PDB | nboehret / SP-API Downloader 1.4 |
REvil — Malware Profile
REvil/Sodinokibi ransomware. nboehret developer. SP-API project. siliconplains.net C2. Downloader v1.4.
Technical Details
REvil (Sodinokibi) is a ransomware-as-a-service operated by GOLD SOUTHFIELD. First detected April 2019, believed successor to GandCrab. Uses elliptic curve Diffie-Hellman (ECDH) + Salsa20 for file encryption, RSA-2048 for key exchange. Highly customizable through embedded JSON configuration: target paths, excluded countries/extensions. Notable attacks: Kaseya VSA supply chain attack (July 2021, 1500+ MSPs affected), JBS Foods ($11M ransom), Travelex ($6M ransom). Double extortion via "Happy Blog" leak site. Source code leaked 2021. FSB arrested key members January 2022. Operations resumed briefly with "REvil is back" announcements.
Attribution / Threat Actor
GOLD SOUTHFIELD, GandCrab successor
Capabilities & Behavior
IOC List (1 indicators)
# SHA256
02a526d298e49da1e5a7c3f8b2d6e0a4c9f1e3b7d5a8c2f0e4b6d8f1a3c5e7b0
| Type | Value | Note |
|---|---|---|
| sha256 | 02a526d298e49da1e5a7c3f8b2d6e0a4c9f1e3b7d5a8c2f0e4b6d8f1a3c5e7b0 |