General

  • Target

    c2ee523bb90260218b88e7fe0b7ca0dee8c9042c863682619c542d4961ddb32e.exe

  • Size

    75KB

  • Sample

    240726-ge685sshkb

  • MD5

    82eab016732be7b8b8aa14f205ca69cf

  • SHA1

    818f451044610b1805e4c515d2bf112718fc8125

  • SHA256

    c2ee523bb90260218b88e7fe0b7ca0dee8c9042c863682619c542d4961ddb32e

  • SHA512

    1b87a7b81c1841e6dff89224f386ff52bd752e124e8c1c68e480ba399446404ad29e92172731fccd93e8a89e61f5097c07c9d6e0f41d2131a96d317344343eea

  • SSDEEP

    1536:Dx7Fu4/i6/P3rlckx5+R4VDZ5CRGCq2iW7z:F7FujwPblhx1DZ5yGCH

Malware Config

Extracted

Path

C:\Users\Admin\README.b77a682a.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 90 GB data. These files include: Finance data Insurance data Buchgalting Data Banking data and details, bank contracts, creditors info Much personal data Marketing data Production, Technik data Email conversations dump and more others. All documents are fresh (last 365 days) and stored on our offline servers. All data will be published piece by piece. First data pack will be published in 7 days if we do not come for agreement. Your personal leak page: http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF On the page you will find examples of files that have been stolen. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH When you open our website, put the following data in the input form: Key: rIzr2nCuqbQL7MGMwoppaucqSp5AZufUiYhssYa1SGfO0XFf09fBDlLDWgKQSnnvIAfqYTsOgUhOTxzbxGsC9nH0yk2HOFhn7t8ntX8L0evyce8vKdgUKF7Xvjn6ljaQQ4HPEfPZFP2jvN0DgBVWl2WgNT1U3owZ1bNBjps34t33ObZc01Ce1yKx5CSlwUYbw1ktjqt5d7R9DwRL3NIGrTHvMX3qXI5aBAUnirnc4zHtfGPXq4CuFoh04Tv7VE81aohfvuz8D7wo7i28sbILoJyF6mzeQwSkAXolOhXKQAEPsGcdbfLxfY5uILkHB3d1gAyxT1owQXsY4heNQbY3yYL1Em7dDaLdbNhOf0adYWFiFfAl9EwLDRT96L9Xzsk17ho1B82wOWZ79ZqtT8yqnZ4APJb1LO91ASSsgUdNvR0lAaZTfXHHxUI1vDm5ygyV7cbxMlrQ5K1U6ughdd5WosogMJWVNjreirhzuDzY6SnixtukGYG0D9azzgOHcgidJcLV4n0orhzIaA1SMNYOpdOIadgBehCaHwEyr3hn8CEa6fgpUgK6E95 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF

http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH

Targets

    • Target

      c2ee523bb90260218b88e7fe0b7ca0dee8c9042c863682619c542d4961ddb32e.exe

    • Size

      75KB

    • MD5

      82eab016732be7b8b8aa14f205ca69cf

    • SHA1

      818f451044610b1805e4c515d2bf112718fc8125

    • SHA256

      c2ee523bb90260218b88e7fe0b7ca0dee8c9042c863682619c542d4961ddb32e

    • SHA512

      1b87a7b81c1841e6dff89224f386ff52bd752e124e8c1c68e480ba399446404ad29e92172731fccd93e8a89e61f5097c07c9d6e0f41d2131a96d317344343eea

    • SSDEEP

      1536:Dx7Fu4/i6/P3rlckx5+R4VDZ5CRGCq2iW7z:F7FujwPblhx1DZ5yGCH

    • DarkSide

      Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Renames multiple (161) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks