babuk | 3aee5045a26dd6da9d4a21c60ff4175d2bbf6fb48937d118b874feba6a90cb58

General

Target

f9afb31bc17811e5ab4fa406f105b1fe.bin
Size

28KB
Sample

230427-ccfwysfa41
MD5

568dab684fcbf125a459bfca41edc4cb
SHA1

112c7d6e8e525fe5b921091bdfec0a2da4892707
SHA256

3aee5045a26dd6da9d4a21c60ff4175d2bbf6fb48937d118b874feba6a90cb58
SHA512

74bfaf88f4dcc42844d10555ad166dc18299da60aa6a8c160fbbe510254c612607555875950af0b356c32924463e64157e3e974d78202d6e73b51cf009680e60
SSDEEP

768:xUG6QtXkt2cG4iotHiL9my08VlJAPLTHVicGsyX+:IQetDAIemy08V3AXwAyu

Score

10^/10

Malware Config

Extracted

Path

C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\How To Restore Your Files.txt

Family

darkside

Ransom Note

----------- [ Hello! ] -------------> ****BY BABUK LOCKER**** What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. How to contact us? ---------------------------------------------- Using EMAIL: 1) Open your mail 2) Write us: [email protected] backup address: [email protected] [email protected] TO SEND TO THE EMAIL ONLY PERSONAL ID!!! YOUR PERSONAL ID, ATTACH IT: beRv79st1xwM9NTHA1NluiebVXTdr4FS0eRnD5W9wMjAqbKQctyvdxbYuZ8e !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

Emails

[email protected]

Targets

- Target
  
  01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe
- Size
  
  79KB
- MD5
  
  f9afb31bc17811e5ab4fa406f105b1fe
- SHA1
  
  d1a9449dcc8a3aa0c887bce71f128866175f679a
- SHA256
  
  01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f
- SHA512
  
  6feca3dfa221b704208754e67bcdce02a2253961da098b3e376d11217cd00b9f77e42f37f242e1a1f4b759b5fd172c29c9f153fce32eace48e07e802aff40b55
- SSDEEP
  
  1536:SX6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:uhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI
Score

10^/10

babuk darkside ransomware
- Babuk Locker
  RaaS first seen in 2021 initially called Vasa Locker.
  ransomware babuk
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
  ransomware darkside
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2