General

  • Target

    4098b54c9d27b00ce34d04ffac24213ed28993a2854827851b157d63407c2e4e

  • Size

    5MB

  • Sample

    210516-g35l2djmge

  • MD5

    794c5aa1b0e1f9cf2fc7fe5f22117c3f

  • SHA1

    1821fe210298b1d22b25f1a544abcfe092999ff7

  • SHA256

    4098b54c9d27b00ce34d04ffac24213ed28993a2854827851b157d63407c2e4e

  • SHA512

    28c186359035e3f4bc5b4f0420c1e72de5e16fc3fa3b8d41316dd59739c552c810e180feff4637f25696f59b291b7cc00d66d969a4e7d2f460ec4471b1ad83cf

Malware Config

Extracted

Path

C:\\README.f2cbf9aa.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT When you open our website, put the following data in the input form: Key: 0kZdK3HQhsAkUtvRl41QkOdpJvzcWnCrBjjgg5U4zfuWeTnZR5Ssjd3QLHpmbjxjo7uWzKbt8qPVuYN38TsDPI3bemd5I40ksemIzuI5OhIHZsi9cn3Wpd7OUT72FP9MyAUzR586yMsI2Ygri9in0Bf4EkG0pmBOLyRG1T788foGJQW1WxS1Qd2sMVvX0jKlbGG1zLp7g0u6buDCzSMyTjWjuVzJYufBBv7S2XvciEVvboiTNbZA4UUU6PttKERQSb018aILd6xO3ulk6fbEgZDO5tZSGn2zRevn5YXnHtg6vt1ToLe3izQOgYbs8Ja1fkfJBUYVux1ITyWBjpn0xPayKfwln8SqgMkbqiDyxEDEtFhqiffLcONMhi4TmW50loZIC6mWSaOjThWp6XSJUWPtY8Mkzs8Cs0qjPahx58iAEVIRGUVpLkMs7xPN7ydZ6wMWaOcRC1AD1JEUVTjLikXXyckgYaS6FnEv0UNEsv6QbTLSpDomIg3rEYZBib6ozrwH5n0M5wrKo8NciUBmfJWDP4XKkjznpsa05rEpuAklM0dMmZsYGVR !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT

Targets

    • Target

      4098b54c9d27b00ce34d04ffac24213ed28993a2854827851b157d63407c2e4e

    • Size

      5MB

    • MD5

      794c5aa1b0e1f9cf2fc7fe5f22117c3f

    • SHA1

      1821fe210298b1d22b25f1a544abcfe092999ff7

    • SHA256

      4098b54c9d27b00ce34d04ffac24213ed28993a2854827851b157d63407c2e4e

    • SHA512

      28c186359035e3f4bc5b4f0420c1e72de5e16fc3fa3b8d41316dd59739c552c810e180feff4637f25696f59b291b7cc00d66d969a4e7d2f460ec4471b1ad83cf

    • DarkSide

      Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Impact

Defacement

1
T1491

Tasks