General

  • Target

    2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside

  • Size

    148KB

  • Sample

    241212-b6wc3awldz

  • MD5

    543b24178d7aa05e2eeef7ad056d8311

  • SHA1

    bb74278fce64674315889c09bfbf52c74185ae4b

  • SHA256

    7076b6c554055cb2061d240b670ac904ed5593892a7b99ac39a1b0bd5882e4aa

  • SHA512

    4c96d67e48ce55a45ad36e859e14b35ad49e5488a59a6f86e8ce6611aaae8c64eb19a2e350ccdeade11fb3352dcee55201ca8e27d12665f2dd1ae341534ca46c

  • SSDEEP

    3072:f6glyuxE4GsUPnliByocWepFWGvh+gZqVoq:f6gDBGpvEByocWeNvh+Ro

Malware Config

Extracted

Path

C:\AP8hWv7RB.README.txt

Ransom Note
Ni hao! Your data are stolen and encrypted. In case of nonpayment - all information will be sold or made publicly accessible, and we will also continue to attack your servers. Compared to other ransomware we charge a lot less, so don't be stingy!:-) If you pay - we will provide you with decryption software and remove your data from our servers. We will also let you know about the vulnerability in your servers that we used to infiltrate your network. WARNING! Do not delete or modify any files, it can lead to recovery problems! You can contact us using Session messenger without registration and sms https://getsession.org/download My Session ID: 05839c6cce78c3f3043e7a65c27e881cbb9efbda3bab942d273a496876340b254f You also can contact us using Tox messenger without registration and SMS https://tox.chat/download.html My Tox ID: BF2FBB22C4CFD24EF9AFE2CAB694D8C1E3E2340393E846514659C59D8C52F43CBD76209603AE You can send us any 1 file for free decryption. Good luck! 您好! 您的数据已被窃取并加密。 如果不付款,所有信息将被出售或公开,我们将继续攻击您的服务器。 与其他勒索软件相比,我们的收费要低得多,所以不要小气! 如果您付款,我们将为您提供解密软件,并从我们的服务器上删除您的数据。 我们还会让你知道我们利用你服务器上的漏洞来渗透你的网络。 警告:请勿删除或修改任何文件,否则可能导致恢复问题! 您可以使用无需注册的会话信使和短信 https://getsession.org/download 与我们联系。 我的会话 ID: 05839c6cce78c3f3043e7a65c27e881cbb9efbda3bab942d273a496876340b254f 您也可以使用 Tox 使者(无需注册)和 SMS https://tox.chat/download.html 与我们联系。 我的 ID: BF2FBB22C4C4CFD24EF9AF9AFE2CAB694D8C1E3E2340393E846514659C59C59D8C52F43CBD76209603AE 您可以将任意 1 个文件发送给我们进行免费转录。 祝您好运
URLs

https://getsession.org/download

https://tox.chat/download.html

Targets

    • Target

      2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside

    • Size

      148KB

    • MD5

      543b24178d7aa05e2eeef7ad056d8311

    • SHA1

      bb74278fce64674315889c09bfbf52c74185ae4b

    • SHA256

      7076b6c554055cb2061d240b670ac904ed5593892a7b99ac39a1b0bd5882e4aa

    • SHA512

      4c96d67e48ce55a45ad36e859e14b35ad49e5488a59a6f86e8ce6611aaae8c64eb19a2e350ccdeade11fb3352dcee55201ca8e27d12665f2dd1ae341534ca46c

    • SSDEEP

      3072:f6glyuxE4GsUPnliByocWepFWGvh+gZqVoq:f6gDBGpvEByocWeNvh+Ro

    • Renames multiple (8019) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks