darkside

General

Target

151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.zip
Size

31KB
Sample

230830-z6y1ysad7s
MD5

b57c47e3adb9b581585d2ee838ad8212
SHA1

77a57121d2598228ff508a2e720eaf4117d2a654
SHA256

65973ba1a7483de1f4f9b69458e820de950cea7dd8253f5a9adebbee6447c367
SHA512

fa184c29c976224636d03a1f8e41762b7a69499c152ac1af0933f9d00947b048a5c09f302cad1add8e5a32e2d7f5f8318ec63488dc3345313f9de751972aa0bd
SSDEEP

768:OGVKR4VqiuVjTjaA9Tt//aYhvdff5vgS4ikJQ4A2ON:hLtuB/B/PdX5vv5LfHN

Score

10^/10

Malware Config

Extracted

Path

C:\Users\README.6d39d91a.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT When you open our website, put the following data in the input form: Key: 0kZdK3HQhsAkUtvRl41QkOdpJvzcWnCrBjjgg5U4zfuWeTnZR5Ssjd3QLHpmbjxjo7uWzKbt8qPVuYN38TsDPI3bemd5I40ksemIzuI5OhIHZsi9cn3Wpd7OUT72FP9MyAUzR586yMsI2Ygri9in0Bf4EkG0pmBOLyRG1T788foGJQW1WxS1Qd2sMVvX0jKlbGG1zLp7g0u6buDCzSMyTjWjuVzJYufBBv7S2XvciEVvboiTNbZA4UUU6PttKERQSb018aILd6xO3ulk6fbEgZDO5tZSGn2zRevn5YXnHtg6vt1ToLe3izQOgYbs8Ja1fkfJBUYVux1ITyWBjpn0xPayKfwln8SqgMkbqiDyxEDEtFhqiffLcONMhi4TmW50loZIC6mWSaOjThWp6XSJUWPtY8Mkzs8Cs0qjPahx58iAEVIRGUVpLkMs7xPN7ydZ6wMWaOcRC1AD1JEUVTjLikXXyckgYaS6FnEv0UNEsv6QbTLSpDomIg3rEYZBib6ozrwH5n0M5wrKo8NciUBmfJWDP4XKkjznpsa05rEpuAklM0dMmZsYGVR !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT

Targets

- Target
  
  151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe
- Size
  
  59KB
- MD5
  
  9d418ecc0f3bf45029263b0944236884
- SHA1
  
  eeb28144f39b275ee1ec008859e80f215710dc57
- SHA256
  
  151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5
- SHA512
  
  82ced42a32f18ede4358459e08bed1adff85d49c952aca7a086571c5b71fd8b3185ea4306abd1f4e639a12f11161f43c73bf6049d76902d365c5a5e4c7e71f3d
- SSDEEP
  
  768:vjjmbIax7F3DS4/S9+CuUSbVAdNcxGV1ylvD7Y23W58:0x7Fu4/ihrhDTV1ylbcZ58
Score

10^/10

darkside ransomware spyware stealer
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
  ransomware darkside
- Renames multiple (159) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Sets desktop wallpaper using registry
  ransomware
behavioral1