General

  • Target

    2024-12-13_107d3c9b830ddd884f3ca5761e777f9b_darkside

  • Size

    148KB

  • Sample

    241213-bgcvesvpgn

  • MD5

    107d3c9b830ddd884f3ca5761e777f9b

  • SHA1

    36c6830e16f46d00e16431175b31f3565aa5b4c8

  • SHA256

    bc20b30abf15d6374ef9094a49f0875b53c154a0fcb3ae6e054d678091208f70

  • SHA512

    7a061b642955fc1775e0cec5b4f4deef4e22ad0ceeed4b15c948c3f1fbf42c166554c71212a3c874b8a0177a255f1da6b64af4225d0de99e7d87ccd598c3ecb3

  • SSDEEP

    3072:46glyuxE4GsUPnliByocWepCnkOry1yC8Nwt:46gDBGpvEByocWeSkOmC

Malware Config

Extracted

Path

C:\8gduxxdQN.README.txt

Ransom Note
Ni hao! Your data are stolen and encrypted. In case of nonpayment - all information will be sold or made publicly accessible, and we will also continue to attack your servers. Compared to other ransomware we charge a lot less, so don't be stingy!:-) If you pay - we will provide you with decryption software and remove your data from our servers. We will also let you know about the vulnerability in your servers that we used to infiltrate your network. WARNING! Do not delete or modify any files, it can lead to recovery problems! You can contact us using Session messenger without registration and sms https://getsession.org/download My Session ID: 05839c6cce78c3f3043e7a65c27e881cbb9efbda3bab942d273a496876340b254f You also can contact us using Tox messenger without registration and SMS https://tox.chat/download.html My Tox ID: BF2FBB22C4CFD24EF9AFE2CAB694D8C1E3E2340393E846514659C59D8C52F43CBD76209603AE You can send us any 1 file for free decryption. Good luck! 您好! 您的数据已被窃取并加密。 如果不付款,所有信息将被出售或公开,我们将继续攻击您的服务器。 与其他勒索软件相比,我们的收费要低得多,所以不要小气! 如果您付款,我们将为您提供解密软件,并从我们的服务器上删除您的数据。 我们还会让你知道我们利用你服务器上的漏洞来渗透你的网络。 警告:请勿删除或修改任何文件,否则可能导致恢复问题! 您可以使用无需注册的会话信使和短信 https://getsession.org/download 与我们联系。 我的会话 ID: 05839c6cce78c3f3043e7a65c27e881cbb9efbda3bab942d273a496876340b254f 您也可以使用 Tox 使者(无需注册)和 SMS https://tox.chat/download.html 与我们联系。 我的 ID: BF2FBB22C4C4CFD24EF9AF9AFE2CAB694D8C1E3E2340393E846514659C59C59D8C52F43CBD76209603AE 您可以将任意 1 个文件发送给我们进行免费转录。 祝您好运
URLs

https://getsession.org/download

https://tox.chat/download.html

Targets

    • Target

      2024-12-13_107d3c9b830ddd884f3ca5761e777f9b_darkside

    • Size

      148KB

    • MD5

      107d3c9b830ddd884f3ca5761e777f9b

    • SHA1

      36c6830e16f46d00e16431175b31f3565aa5b4c8

    • SHA256

      bc20b30abf15d6374ef9094a49f0875b53c154a0fcb3ae6e054d678091208f70

    • SHA512

      7a061b642955fc1775e0cec5b4f4deef4e22ad0ceeed4b15c948c3f1fbf42c166554c71212a3c874b8a0177a255f1da6b64af4225d0de99e7d87ccd598c3ecb3

    • SSDEEP

      3072:46glyuxE4GsUPnliByocWepCnkOry1yC8Nwt:46gDBGpvEByocWeSkOmC

    • Renames multiple (8043) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks