General

  • Target

    2023-05-05_d5854b99391a49d6dd0f35b9adcc0fae_darkside.exe

  • Size

    148KB

  • Sample

    230506-drw26afg77

  • MD5

    d5854b99391a49d6dd0f35b9adcc0fae

  • SHA1

    5503f0eac6b16671ff1e2a6f0952b01e4147a2a3

  • SHA256

    33468dfd84a2959acebb97c26fdc31ab7185045c18b383ce9cc662b6932e9a48

  • SHA512

    1d29ec82e2d9c578f7fc71763926301b26a1db7e34c9212013674f76dcbe643983d002730af2335a2ff1a6e059907a7c0f9eebb5545b0ec6aa630fa1409c2836

  • SSDEEP

    3072:fqJogYkcSNm9V7DcvCwDg/TMjaodQQFIUcXwT:fq2kc4m9tDYfDwMjaou

Malware Config

Extracted

Path

C:\6I8yEuZYM.README.txt

Ransom Note
All of your files are currently encrypted by MONTI strain. If you don't know who we are - just "Google it."

As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly.

DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value.

DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.

DON'T TRY TO CONTACT feds or any recovery companies. We have our informants in these structures, so any of your complaints will be immediately directed to us. So if you will hire any recovery company for negotiations or send requests to the police/FBI/investigators, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately.

To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge.

You can contact our team directly for further instructions through our website :

TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://monti5o7lvyrpyk26lqofnfvajtyqruwatlfaazgm3zskt3xiktudwid.onion/chat/80f89f5ee852f130671de62e43d6640a/

Our blog : (also through TOR)
http://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid.onion

YOU SHOULD BE AWARE!
We will speak only with an authorized person. It can be the CEO, top management, etc. In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company!
Inform your supervisors and stay calm!

1F99C2A8AD4DE8DCDA5689CFC0B7880A
URLs

http://monti5o7lvyrpyk26lqofnfvajtyqruwatlfaazgm3zskt3xiktudwid.onion/chat/80f89f5ee852f130671de62e43d6640a/

http://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid.onion

Extracted

Path

C:\6I8yEuZYM.README.txt

Ransom Note
All of your files are currently encrypted by MONTI strain. If you don't know who we are - just "Google it."

As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly.

DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value.

DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.

DON'T TRY TO CONTACT feds or any recovery companies. We have our informants in these structures, so any of your complaints will be immediately directed to us. So if you will hire any recovery company for negotiations or send requests to the police/FBI/investigators, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately.

To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge.

You can contact our team directly for further instructions through our website :

TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://monti5o7lvyrpyk26lqofnfvajtyqruwatlfaazgm3zskt3xiktudwid.onion/chat/80f89f5ee852f130671de62e43d6640a/

Our blog : (also through TOR)
http://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid.onion

YOU SHOULD BE AWARE!
We will speak only with an authorized person. It can be the CEO, top management, etc. In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company!
Inform your supervisors and stay calm!

1F99C2A8AD4DE8DCF370E722FDA7A07D
URLs

http://monti5o7lvyrpyk26lqofnfvajtyqruwatlfaazgm3zskt3xiktudwid.onion/chat/80f89f5ee852f130671de62e43d6640a/

http://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid.onion

Targets

    • Target

      2023-05-05_d5854b99391a49d6dd0f35b9adcc0fae_darkside.exe

    • Size

      148KB

    • MD5

      d5854b99391a49d6dd0f35b9adcc0fae

    • SHA1

      5503f0eac6b16671ff1e2a6f0952b01e4147a2a3

    • SHA256

      33468dfd84a2959acebb97c26fdc31ab7185045c18b383ce9cc662b6932e9a48

    • SHA512

      1d29ec82e2d9c578f7fc71763926301b26a1db7e34c9212013674f76dcbe643983d002730af2335a2ff1a6e059907a7c0f9eebb5545b0ec6aa630fa1409c2836

    • SSDEEP

      3072:fqJogYkcSNm9V7DcvCwDg/TMjaodQQFIUcXwT:fq2kc4m9tDYfDwMjaou

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks