darkside

General

Target

59ac1b76180d491293be58b14b7aee0070e232202445bb9eea676c8fa3c381da
Size

257KB
Sample

240531-klzdnadd77
MD5

d1dc9cd84b9ba5e462e9f76513928d42
SHA1

0f2df217f5970048692bc2365a07c7cd52c55c17
SHA256

59ac1b76180d491293be58b14b7aee0070e232202445bb9eea676c8fa3c381da
SHA512

599051b030f54a589fff0b0977f69cd5adbadb7393b45db831debdd41cbf85252a1019041bad3fae48f981a71ff9b2118343ab01e69c90963e4ea53c5c74503e
SSDEEP

6144:mqhaoZZRrvPJtomDFQv8ldJ6EkJOcT4sOXGOrrlae+q92:m8ftLromBQv+dMeerOrrlPJ92

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\3D Objects\README.622dec8a.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V When you open our website, put the following data in the input form: Key: lmrlfxpjZBun4Eqc4Xd4XLJxEOL5JTOTLtwCOqxqxtFfu14zvKMrLMUiGV36bhzV5nfRPSSvroQiL6t36hV87qDIDlub946I5ud5QQIZC3EEzHaIy04dBugzgWIBf009Hkb5C7IdIYdEb5wH80HMVhurYzet587o6GinzDBOip4Bz7JIznXkqxIEHUN77hsUM8pMyH8twWettemxqB3PIOMvr7Aog9AIl1QhCYXC1HX97G5tp7OTlUfQOwtZZt5gvtMkOJ9UwgXZrRSDRc8pcCgmFZhGsCalBmIC08HCA40P7r5pcEn2PdBA6tt5oHma19OMBra3NwlkZVUVfIql643VPuvDLNiDtdR1EZhP1vb2t2HsKlGOffG7ql9Y2JWcu2uwjqwVdSzQtlXWM6mEy3xdm3lcJnztQ5Nh7jJ7bYgAb1hODbN9UektcOzYC0e0ZqjPVLY3opxNvYgCk8Bz9clmNXqsvMjBQXJQVb8o0IPMcDjYyhJuG0EevGlAWVq8WGS7JraW22zvlz8SQ4HdgUEJR0VbrsitXqIbIF9S2XGZmtxEsRStAey !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V

Targets

- Target
  
  59ac1b76180d491293be58b14b7aee0070e232202445bb9eea676c8fa3c381da
- Size
  
  257KB
- MD5
  
  d1dc9cd84b9ba5e462e9f76513928d42
- SHA1
  
  0f2df217f5970048692bc2365a07c7cd52c55c17
- SHA256
  
  59ac1b76180d491293be58b14b7aee0070e232202445bb9eea676c8fa3c381da
- SHA512
  
  599051b030f54a589fff0b0977f69cd5adbadb7393b45db831debdd41cbf85252a1019041bad3fae48f981a71ff9b2118343ab01e69c90963e4ea53c5c74503e
- SSDEEP
  
  6144:mqhaoZZRrvPJtomDFQv8ldJ6EkJOcT4sOXGOrrlae+q92:m8ftLromBQv+dMeerOrrlPJ92
Score

10^/10

darkside ransomware spyware stealer
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
  ransomware darkside
- Blocklisted process makes network request
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2