darkside

General

Target

a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774
Size

166KB
Sample

240728-cx3w8ashrl
MD5

be1c18efa764b1b32421b6beb57cd3e9
SHA1

9fff40b4653ab368e04e398d9c54a1aa3a320d49
SHA256

a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774
SHA512

f35e3f123f4b0378626de52035390d2b8c9cf42f5b1882c66d8a79c58cd798a89506fb402a93a7ceaba1078226d7eba80e9c8a93321fc0a17e4e012fc8b15824
SSDEEP

3072:o/0Lu+FKdYM69P6padn/DDonc8oOgajAnPvNHwcW0m1QTj:o/d+FKdYMQPrdn/HovAnlwx0cC

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\README.6caf1429.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW When you open our website, put the following data in the input form: Key: 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW

Targets

- Target
  
  a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774
- Size
  
  166KB
- MD5
  
  be1c18efa764b1b32421b6beb57cd3e9
- SHA1
  
  9fff40b4653ab368e04e398d9c54a1aa3a320d49
- SHA256
  
  a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774
- SHA512
  
  f35e3f123f4b0378626de52035390d2b8c9cf42f5b1882c66d8a79c58cd798a89506fb402a93a7ceaba1078226d7eba80e9c8a93321fc0a17e4e012fc8b15824
- SSDEEP
  
  3072:o/0Lu+FKdYM69P6padn/DDonc8oOgajAnPvNHwcW0m1QTj:o/d+FKdYMQPrdn/HovAnlwx0cC
Score

10^/10

darkside credential_access discovery execution ransomware spyware stealer
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
  ransomware darkside
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Renames multiple (172) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2