darkside

General

Target

Trojan-Ransom.Win32.Darkside.m-243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.7z
Size

27KB
Sample

250325-tmceysyvg1
MD5

bc9a60e3d4259018a83f0344031734ed
SHA1

0e739230d538fed4efc4b4074cb67f6e363220db
SHA256

9eab4fb5f7a8336fe681cda5be1c8d443f248d7592022d248d2524eec9cdfdda
SHA512

6f641879ca22ca82bdb989c35beb29556987f089e244cadc7f399fb0a0d4de83b7194afbf85b27f140c7334e47f4aaa32b1d2e437b2c21321698536bfaee1957
SSDEEP

768:FE5N8GlaEDa2u+ncyIfX9Z4G+Vf/XssQDH4GN:FE5NFwEDabPwP8P4GN

Score

10^/10

Malware Config

Extracted

Path

C:\Recovery\WindowsRE\README.8f290682.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW When you open our website, put the following data in the input form: Key: 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW

Targets

- Target
  
  Trojan-Ransom.Win32.Darkside.m-243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.7z
- Size
  
  27KB
- MD5
  
  bc9a60e3d4259018a83f0344031734ed
- SHA1
  
  0e739230d538fed4efc4b4074cb67f6e363220db
- SHA256
  
  9eab4fb5f7a8336fe681cda5be1c8d443f248d7592022d248d2524eec9cdfdda
- SHA512
  
  6f641879ca22ca82bdb989c35beb29556987f089e244cadc7f399fb0a0d4de83b7194afbf85b27f140c7334e47f4aaa32b1d2e437b2c21321698536bfaee1957
- SSDEEP
  
  768:FE5N8GlaEDa2u+ncyIfX9Z4G+Vf/XssQDH4GN:FE5NFwEDabPwP8P4GN
Score

10^/10

darkside credential_access discovery execution ransomware spyware stealer
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
  ransomware darkside
- Darkside family
  darkside
- Renames multiple (140) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Sets desktop wallpaper using registry
  ransomware
behavioral1