darkside

General

Target

Trojan-Ransom.Win32.Darkside.m-243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.7z
Size

27KB
Sample

250325-tprbwssmw7
MD5

bc9a60e3d4259018a83f0344031734ed
SHA1

0e739230d538fed4efc4b4074cb67f6e363220db
SHA256

9eab4fb5f7a8336fe681cda5be1c8d443f248d7592022d248d2524eec9cdfdda
SHA512

6f641879ca22ca82bdb989c35beb29556987f089e244cadc7f399fb0a0d4de83b7194afbf85b27f140c7334e47f4aaa32b1d2e437b2c21321698536bfaee1957
SSDEEP

768:FE5N8GlaEDa2u+ncyIfX9Z4G+Vf/XssQDH4GN:FE5NFwEDabPwP8P4GN

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\README.166f76dd.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW When you open our website, put the following data in the input form: Key: 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW

Targets

- Target
  
  Trojan-Ransom.Win32.Darkside.m-243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.exe
- Size
  
  59KB
- MD5
  
  0ed51a595631e9b4d60896ab5573332f
- SHA1
  
  7ae73b5e1622049380c9b615ce3b7f636665584b
- SHA256
  
  243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60
- SHA512
  
  9bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5
- SSDEEP
  
  768:vjjmbIax7F3DS4/S9+CuUSbVAdNcxGV1yl3RYY23W58:0x7Fu4/ihrhDTV1ylhZ58
Score

10^/10

darkside credential_access discovery execution ransomware spyware stealer
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
  ransomware darkside
- Darkside family
  darkside
- Renames multiple (187) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2