Overview

overview

10

Static

static

3

ddn/BDDark...or.exe

windows11-21h2-x64

10

acer.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ddn.zip

  • Size

    9.6MB

  • Sample

    250408-e29axaxydt

  • MD5

    6f2982e7ffac0d62f23d367b117ca8d1

  • SHA1

    c20282f94d7d1fa8749555fa6242a0dba67b2095

  • SHA256

    a2c5641802ebce37fe3b84d87c9a1b2acd3556054a0dc8ed72139728c148a64a

  • SHA512

    e7caf61a62cd4329b8f0c70bf1571ac8cd61b9db1fcff4fdd4537f00693ff1b43bd20fd8d52f55fb5c45aa0cb83eb5b4dbad89740262ae20b6bd3dba3d08b9da

  • SSDEEP

    196608:7EQcdOJkjbGw1+mIw6cpf3QLlojLd6bU9dSKF6HUgqvs:7EQcdz7+mI7iQLliy0sk6HUgqU

Score
10/10
darksidediscoveryransomware

Malware Config

Extracted

Path

C:\b98faef33da7484fae2c\README.1e2d78e0.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have downloaded more then 500GB data from your network. Included: -Accounting data -Finance data -HR -Employees confidential data(photos, benefits, taxes, etc) -Marketing -Budgets -Taxes(sales tax compliance, property, income and franchise taxes, etc) -Payrolls -Banking data -Arbitration -Scans -Insurance -Reconciliations -Reports(monthly bank inventory, monthly financial, claims reports, etc) -Audits(DHG, insurance audits, etc) -B2B clients config data -Confidentiality 2020 -2020, 2021 Business plans -2019, 2020, 2021 years Closing (full dumps) -and a lot of other sensitive data Your personal leak page: http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q On the page you will find examples of files that have been downloaded. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM When you open our website, put the following data in the input form: Key: ug8lgpX3WrFzlEJ6HBWlwJnf7jemhfnlxBw9porj1uuYFTgKbxJQJLYiteQS7DwgZn7dH0fs7qPPWmZ6inPv5GTmSJZNAjGLVIjd4SoiyTdGyophf0zPBxx6uEAOJxM0Woo4ZGeKVoUDHtZsqZNnhMF7aPh54VnKpIJXiZDbZZw4P06xTuw1UMeiTE7wdg7HWZMepAVTzEI2W04RbkPFQHfUgEDcslDxbr83BvopYTYGKFRmtNUMH8OsOZQrOtv50xWDaOfbqxbzfHMJm30QGaGpgylJHQZsscz3XBnwIdvlwBJ9KN4DVgFgziRdvwJrfCP6YN1CYTOQgw1rzqmIU4G1xGYv7rE3jiBY1s4D3Y26SbppTceAVMu1mKx5CFIE3EbtcAsNtEqLHDbPnMCvU6Apwp17TXGob8xXJpEDBZhIzdTaCuybcprwcFNTOzccjbIH81W39MrcJi9mNO3kHRe5fxmIFKvc9v8aQDihGyC65DtdabyBjidXI1NyNONT4PTyrxYqgffPsNDFuzz2yMrXiTAwtAQPqny5BBJQsfVhpLXTtnLvWg1 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\BDRansomDecryptor\BitdefenderLog.txt

Ransom Note
Decryptor Started at Tue Apr 8 04:31:24 2025 This utility decrypts files encrypted by several versions of DarkSide ransomware. It can also decrypt files encrypted by the Linux version (with [.darkside] extension) This tool doesn't require internet access! Preparing decryption key ... Key ready! Sending init request.

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\BDRansomDecryptor\BitdefenderLog.txt

Ransom Note
Decryptor Started at Tue Apr 8 04:31:24 2025 This utility decrypts files encrypted by several versions of DarkSide ransomware. It can also decrypt files encrypted by the Linux version (with [.darkside] extension) This tool doesn't require internet access! Preparing decryption key ... Key ready! Sending init request. Done. Decrypt Files ... Sending finish request. Done. Total decrypted files: [0] Scan finished! Decryptor Started at Tue Apr 8 04:31:39 2025 This utility decrypts files encrypted by several versions of DarkSide ransomware. It can also decrypt files encrypted by the Linux version (with [.darkside] extension) This tool doesn't require internet access! Preparing decryption key ... Key ready! Sending init request.

Targets

    • Target

      ddn/BDDarkSideDecryptor.exe

    • Size

      9.5MB

    • MD5

      cb1b67988c63e6e951be00b3eda7f74f

    • SHA1

      049fff52f877516a756c6333d12b3c1c1cfbe519

    • SHA256

      1a72fe563f588580440da34a03b1af3ba072e66404608c521b4adbcb034a33f6

    • SHA512

      ef1d74da565026fef631f83dee70fafb661bea74cad69b70035f10700b733f64ce34b3308c0fee59222d1eb0767b87672f1f824ea923008c70a3e8be229ff289

    • SSDEEP

      196608:IdJEHHWtwPlARRmtejsum3/DBekLV58IzN6+ZR62Wi:IbEn9PlAGMivDdjxNF762W

    Score
    10/10
    darksidediscoveryransomware

    • DarkSide

      Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

      ransomwaredarkside

    • Darkside family

      darkside

    • Renames multiple (139) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

    • Target

      acer.exe

    • Size

      56KB

    • MD5

      979692cd7fc638beea6e9d68c752f360

    • SHA1

      c511ae4d80aaa281c610190aa13630de61ca714c

    • SHA256

      0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9

    • SHA512

      d7b7b6a968e6d7b7f3e7f98decb6b331b08122e491bf0b0dbe243223fb177218a758c34830f20c47f2a799acdd146297ec7f930c2bb4d5c6830ce65c8274ea6d

    • SSDEEP

      768:piN4q1eksgR4SiI+rxQ3rjFrXRRWxXyw/Afy8fIaJ/ZB49j9xOOLd9kvAx0:g4HHerjZX7pLjJKjSO5i

    Score
    10/10
    darksidediscoveryransomware

    • DarkSide

      Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

      ransomwaredarkside

    • Darkside family

      darkside

    • Renames multiple (155) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral2

MITRE ATT&CK Enterprise v15

Tasks