General

  • Target

    2024-02-13_49c13fa47493dc01b6eab0e0ee6e4424_darkside

  • Size

    146KB

  • Sample

    240213-waa3gafc98

  • MD5

    49c13fa47493dc01b6eab0e0ee6e4424

  • SHA1

    a5fe39cdb940ac230d5212e6236af2757630db79

  • SHA256

    a84c96a8dc3628260d2d95a5acadb258bb64f2cb690c54fa63df1e1537655a68

  • SHA512

    12b7b3850ce6d1444ad6d79a17b97d64b8b5344c070c33f2ffb52b9b4d9bbff9e256d94be98a5b8f09a84866823d544339c6c77cebb38d61b7333aa145b244e0

  • SSDEEP

    3072:TqJogYkcSNm9V7DHiWQxLrPibgPSetV9T:Tq2kc4m9tD/2qK

Malware Config

Targets

    • Target

      2024-02-13_49c13fa47493dc01b6eab0e0ee6e4424_darkside

    • Size

      146KB

    • MD5

      49c13fa47493dc01b6eab0e0ee6e4424

    • SHA1

      a5fe39cdb940ac230d5212e6236af2757630db79

    • SHA256

      a84c96a8dc3628260d2d95a5acadb258bb64f2cb690c54fa63df1e1537655a68

    • SHA512

      12b7b3850ce6d1444ad6d79a17b97d64b8b5344c070c33f2ffb52b9b4d9bbff9e256d94be98a5b8f09a84866823d544339c6c77cebb38d61b7333aa145b244e0

    • SSDEEP

      3072:TqJogYkcSNm9V7DHiWQxLrPibgPSetV9T:Tq2kc4m9tD/2qK

    • Renames multiple (305) files with added filename extension

      This suggests ransomware activity: the sample encrypts files across the system and renames them with a new extension.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (avoiding execution in certain regions).

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks