General
- Target: 43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa
- Size: 59KB
- Sample: 220210-nx72qahabm
- MD5: f9fc1a1a95d5723c140c2a8effc93722
- SHA1: ce2480dec2ee0a47549fad355c3cf154f9aab836
- SHA256: 43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa
- SHA512: 3816029ac654cfc546e78c5f331ad61ef21ebab0e92bacdba5a5d2cd9149002930cf46c9a1dab357697540849229d2fc0a490433aa95713d36685334ce8e8b11
Static task: static1
Behavioral task: behavioral1 (sample 43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe, resource win7-en-20211208)
Behavioral task: behavioral2 (sample 43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe, resource win10v2004-en-20220112)
Malware Config
Extracted
- Path: C:\README.27a6f0b5.TXT
- Family: darkside
- URL: http://darksidfqzcuhtk2.onion/DZYNTXY9RP5P8DQ96EFKV2YTOVAMA3VVHL5V0RASUBLBWZGLG51U4LOOBSHV9R0Y
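The three extracted values above (note path, family, onion URL) are what a responder turns into hunt indicators. The following is an added example, not Triage's config extractor or anything from the sample: it parses those values into a structured indicator set and a fleet-wide note-name pattern. One assumption is not stated on this page and is labelled in the code: the 8-hex-digit token in the note name is treated as the per-victim id that DarkSide also appends to encrypted files. The function names `parse_config` and `is_note_name` are the example's own.

```python
"""Turn the configuration extracted from this sample into hunt artefacts.

Example code added to this report, not Triage's own extractor.  The
config values are the three lines shown above.  One assumption is not
stated on this page: the 8-hex-digit token in the note name is treated
as the per-victim id that DarkSide also appends to encrypted files.
"""
import re
from urllib.parse import urlsplit

# README.<8 hex digits>.TXT, optionally preceded by a drive/directory.
NOTE_RE = re.compile(r"^(?:.*\\)?README\.(?P<victim>[0-9a-f]{8})\.TXT$", re.I)
# Tor v2 addresses are 16 base32 characters, v3 addresses are 56.
ONION_RE = re.compile(r"^([a-z2-7]{16}|[a-z2-7]{56})\.onion$")


def parse_config(note_path, family, url):
    """Return a dict of indicators derived from the extracted config.

    Raises ValueError if the note path or URL does not have the expected
    shape, so a mis-extracted config is noticed instead of becoming IOCs.
    """
    m = NOTE_RE.match(note_path)
    if not m:
        raise ValueError("unexpected ransom-note path: %r" % note_path)
    victim = m.group("victim").lower()

    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    om = ONION_RE.match(host)
    if not om:
        raise ValueError("not a Tor onion URL: %r" % url)
    onion_version = 2 if len(om.group(1)) == 16 else 3

    return {
        "family": family,
        "victim_id": victim,
        "note_name": "README.%s.TXT" % victim,
        # Assumption (see module docstring): encrypted files carry the
        # victim id as their appended extension.
        "encrypted_ext": "." + victim,
        "onion_host": host,
        "onion_version": onion_version,
        "onion_path": parts.path.lstrip("/"),
    }


def is_note_name(filename):
    """True if filename matches the note-name pattern for any victim id.

    A fleet-wide hunt should key on this pattern, not on the single id
    seen in this sandbox run.
    """
    return NOTE_RE.match(filename) is not None


if __name__ == "__main__":
    cfg = parse_config(
        r"C:\README.27a6f0b5.TXT", "darkside",
        "http://darksidfqzcuhtk2.onion/DZYNTXY9RP5P8DQ96EFKV2YTOVAMA3VVHL5V0RASUBLBWZGLG51U4LOOBSHV9R0Y")
    for k, v in cfg.items():
        print("%-14s %s" % (k, v))
```

The 16-character hostname is a v2 onion address. The Tor network stopped serving v2 onion services in October 2021, before this sample was submitted, so the URL is a hunt indicator rather than a site an analyst can reach; a v3 address (56 characters) in a newer note would be the one worth checking for liveness.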
Targets
- Target: 43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa
- Size: 59KB
- MD5: f9fc1a1a95d5723c140c2a8effc93722
- SHA1: ce2480dec2ee0a47549fad355c3cf154f9aab836
- SHA256: 43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa
- SHA512: 3816029ac654cfc546e78c5f331ad61ef21ebab0e92bacdba5a5d2cd9149002930cf46c9a1dab357697540849229d2fc0a490433aa95713d36685334ce8e8b11
- Score: 10/10
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
- suricata: ET MALWARE Observed DarkSide Ransomware CnC Domain in TLS SNI
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check (DarkSide is known to exit on CIS-region locales).
- Deletes itself
  Removes its own executable after running.
- Sets desktop wallpaper using registry
  Writes the Wallpaper value under HKCU\Control Panel\Desktop, typically to display the ransom message.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Calling NtSetInformationThread with the ThreadHideFromDebugger information class hides the calling thread from an attached debugger; legitimate software rarely does this.
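Each behaviour in the list above is a detection rule over sandbox telemetry. The following is an added example, not Triage's signature engine or code from the sample: it replays a constructed process trace and reports which of this page's behaviours fire. The event layout (one `(kind, fields)` tuple per event, kinds `api`, `reg_query`, `reg_set`, `file_rename`, `file_delete`) is assumed for the example, the trace is constructed to exercise every rule, and two simplifications are labelled in the code: the locale rule keys on reads under `HKCU\Control Panel\International`, and the self-delete rule counts any deletion of the sample's own image path as a hit regardless of which process performed it.

```python
"""Replay a process trace against the behaviours listed for this sample.

Example code added to this report; it is not Triage's signature engine.
The event layout is an assumption (a simplified sandbox trace: one
(kind, fields) tuple per event), and TRACE is constructed here to
exercise every behaviour, not captured from the sample.
"""
import re
from collections import Counter

# THREADINFOCLASS ThreadHideFromDebugger is 17 (0x11).
THREAD_HIDE_FROM_DEBUGGER = 0x11
# Where the constructed trace pretends the sample ran from (assumption).
SAMPLE_PATH = r"C:\Users\u\Desktop\sample.exe"
# Only renames under a user profile count as "user files".
USER_FILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)

# Constructed trace.  Kinds: api, reg_query, reg_set, file_rename, file_delete.
TRACE = [
    ("api", {"name": "NtSetInformationThread", "info_class": 0x11}),
    ("reg_query", {"key": r"HKCU\Control Panel\International", "value": "sCountry"}),
    ("file_rename", {"src": r"C:\Users\u\Documents\q1.xlsx",
                     "dst": r"C:\Users\u\Documents\q1.xlsx.27a6f0b5"}),
    ("file_rename", {"src": r"C:\Users\u\Documents\plan.docx",
                     "dst": r"C:\Users\u\Documents\plan.docx.27a6f0b5"}),
    ("file_rename", {"src": r"C:\Users\u\Pictures\cat.jpg",
                     "dst": r"C:\Users\u\Pictures\cat.jpg.27a6f0b5"}),
    ("file_rename", {"src": r"C:\Windows\Temp\tmp1.log",       # not a user file
                     "dst": r"C:\Windows\Temp\tmp1.log.27a6f0b5"}),
    ("reg_set", {"key": r"HKCU\Control Panel\Desktop", "value": "Wallpaper",
                 "data": r"C:\ProgramData\27a6f0b5.bmp"}),
    ("file_delete", {"path": SAMPLE_PATH}),
]


def appended_extensions(trace, min_files=3):
    """Extensions appended (old name kept as prefix) to at least min_files
    user files.  The threshold keeps a single rename from firing the rule."""
    counts = Counter()
    for kind, ev in trace:
        if kind != "file_rename" or not USER_FILE.match(ev["src"]):
            continue
        # NTFS names are case-insensitive, so compare lower-cased.
        src, dst = ev["src"].lower(), ev["dst"].lower()
        if dst.startswith(src + "."):
            counts[dst[len(src):]] += 1
    return {ext for ext, n in counts.items() if n >= min_files}


def fired_signatures(trace, sample_path=SAMPLE_PATH, min_files=3):
    """Names (as they appear on this report) of the behaviours the trace shows."""
    fired = set()
    for kind, ev in trace:
        if (kind == "api" and ev["name"] == "NtSetInformationThread"
                and ev.get("info_class") == THREAD_HIDE_FROM_DEBUGGER):
            fired.add("Suspicious use of NtSetInformationThreadHideFromDebugger")
        elif kind == "reg_query" and ev["key"].lower().endswith(r"control panel\international"):
            # Assumption: locale/country lookups happen under this key.
            fired.add("Checks computer location settings")
        elif (kind == "reg_set" and ev["key"].lower().endswith(r"control panel\desktop")
                and ev["value"].lower() == "wallpaper"):
            fired.add("Sets desktop wallpaper using registry")
        elif kind == "file_delete" and ev["path"].lower() == sample_path.lower():
            # Simplification: any deletion of the sample's image path counts,
            # whichever process (the sample or a spawned cmd.exe) did it.
            fired.add("Deletes itself")
    if appended_extensions(trace, min_files):
        fired.add("Modifies extensions of user files")
    return fired


if __name__ == "__main__":
    for name in sorted(fired_signatures(TRACE)):
        print(name)
```

The extension rule deliberately ignores the rename under `C:\Windows\Temp`: counting only files under user profiles and requiring several renames with the same appended suffix is what separates mass encryption from an installer or backup tool renaming a handful of its own files.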