bfb31c96f9e6285f5bb60433f2e45898b8a7183a2591157dc1d766be16c29893

General
Target

bfb31c96f9e6285f5bb60433f2e45898b8a7183a2591157dc1d766be16c29893

Size

54KB

Sample

210501-wxddtht5wx

Score
10 /10
MD5

a3d964aaf642d626474f02ba3ae4f49b

SHA1

a4e2deb65f97f657b50e48707b883ce2b138e787

SHA256

bfb31c96f9e6285f5bb60433f2e45898b8a7183a2591157dc1d766be16c29893

SHA512

f424466a1019e82a11b3317160f2009c572179355d6a48a42547cb3e57d99eaa4bf3425fc0c002f3be154270abc5ff97e53a39e0c3a7c09db2354ef87de96e4f

Malware Config

Extracted

Path C:\\README.53411c86.TXT
Family darkside
Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. DATA LEAK ---------------------------------------------- We have uploaded more than 400 GB of data from your company (Contracts, payments, reports, personal data of your customers, employees, user data, usernames and passwords of various accounts, and much more) If you do not contact us, we will publish all the data on the Internet (media), as well as send it to all the controlling organizations in your country, your customers, partners and competitors. PROOFS (screenshots): https://ibb.co/87JcyNT https://ibb.co/QfBfq0y https://ibb.co/L5cwM9L https://ibb.co/Tr6JvBd https://ibb.co/Wcw1MsD https://ibb.co/y0GtL0z https://ibb.co/v1ykbV3 https://ibb.co/G5bLyFj https://ibb.co/YpY238t Your personal leak page: http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/122/primehealthservices/2HL7CQH8SIgjDOC6Drmy91ks9uF-8tH01iNecY1tAkFnQK2c0TEWlOek8biiBK9K On the page you will find examples of files that have been downloaded. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/LD73WIA272ABZP7ZPOH20QAECU6KOF3IBL2EVVZVFIQDZSADZFKOCUIYRMBI0PSN When you open our website, put the following data in the input form: Key: 9IR1ywMyPS8wZBRyw5ktYCt3yswjTOAqeEclFvVHR0PvF5G9UFTs9CVEblaBZSg0KnyEvAAuCQqEUUNPAWrQaPF7or237uZYOqBPhDMieVcD2bQJj1Mg1eZOqbGsP6HLaV5DpPASx3SstF5g5RKwL9eB3tFgR2G5ZMIXkvy5SVJrLSYATjoLzphlO7AZKunk1uZbwc1qCicb38xKGAD6StSRXx7ZKi4cUER5ossLugktxWCYbdTmra3hSAOab1SzdF7c6jTEZbMJ7WMueZsHuAOn9iXYwszbQtO5Z8SiLCmm2KUHimeSSysSP5H7P9vrBTeaEcE2l80FFb8Me3xo0oWhmvu4isSYO3mTMTjAOT0NsHrwARv8dB3vAE0Ddy5oM995IqqKLLbUO3Fe68wIiooHcxMAqcSVNTNrhLuVW1Tj5Yvvzw6E8OOb1HtXXPf5m0lUpY3ml5q0GqL9wqUClENY0wk3fXE9H5AMpxg16G8Huc09TdSh55ytLbYSwzMyXDdDYWHiHIhfaJ4nyJ09bDzEbrk0iqUAW0nmolcF95DEacwaYZJHkdn !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

https://ibb.co/87JcyNT

https://ibb.co/QfBfq0y

https://ibb.co/L5cwM9L

https://ibb.co/Tr6JvBd

https://ibb.co/Wcw1MsD

https://ibb.co/y0GtL0z

https://ibb.co/v1ykbV3

https://ibb.co/G5bLyFj

https://ibb.co/YpY238t

http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/122/primehealthservices/2HL7CQH8SIgjDOC6Drmy91ks9uF-8tH01iNecY1tAkFnQK2c0TEWlOek8biiBK9K

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/LD73WIA272ABZP7ZPOH20QAECU6KOF3IBL2EVVZVFIQDZSADZFKOCUIYRMBI0PSN

Targets
Target

bfb31c96f9e6285f5bb60433f2e45898b8a7183a2591157dc1d766be16c29893

MD5

a3d964aaf642d626474f02ba3ae4f49b

Filesize

54KB

Score
10 /10
SHA1

a4e2deb65f97f657b50e48707b883ce2b138e787

SHA256

bfb31c96f9e6285f5bb60433f2e45898b8a7183a2591157dc1d766be16c29893

SHA512

f424466a1019e82a11b3317160f2009c572179355d6a48a42547cb3e57d99eaa4bf3425fc0c002f3be154270abc5ff97e53a39e0c3a7c09db2354ef87de96e4f

Tags

Signatures

  • DarkSide

    Description

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement Modify Registry

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
    Execution
      Exfiltration
        Impact
        Initial Access
          Lateral Movement
            Persistence
              Privilege Escalation
                Tasks

                static1