General

  • Target

    2025-06-04_2a23ed686a701e63091a69dfc3fafe02_darkside_elex_lockbit

  • Size

    148KB

  • Sample

    250604-atpjbahl4z

  • MD5

    2a23ed686a701e63091a69dfc3fafe02

  • SHA1

    fe84d77916e44c2981c0161c709c600691279191

  • SHA256

    04019c35ffd46d6ada63c4494bc47ad5e1471605f3ee78cdac994c2c4f334bb8

  • SHA512

    85a8b46fab0433d19b5ef4705406fddc75cd6a64336b5f1e3dcacead0de8570cb8e0b0371d5146a7cfb4e97f59c7442fffbcc46cddbb7d4a8ba8120ad4aea3d6

  • SSDEEP

    3072:H6glyuxE4GsUPnliByocWepNfF5hOZTdkQDhP25J:H6gDBGpvEByocWenhgpkQDhPAJ

Malware Config

Extracted

Path

C:\2TltSF038.README.txt

Ransom Note
Hello! Your data are stolen and encrypted. In case of non-payment - all information will be sold or made publicly available, and we will continue to attack your servers. If you pay, we will provide you with decryption software and remove your data from our servers. We will also inform you of the vulnerability in your servers that we used to infiltrate your network. WARNING! Do not delete or modify any files, this can lead to recovery problems! You can contact us via Session Messenger without registration and SMS https://getsession.org/download My session ID: 05839c6cce78c3f3043e7a65c27e881cbb9efbda3bab942d273a496876340b254f You can also contact us without registration via Tox messenger https://tox.chat/download.html My Tox ID: BF2FBB22C4CFD24EF9AFE2CAB694D8C1E3E2340393E846514659C59D8C52F43CBD76209603AE You can send us any 1 file for free decryption. Good luck! 您好! 您的数据已被窃取并加密。 如果不付款,所有信息将被出售或公开,我们将继续攻击您的服务器。 与其他勒索软件相比,我们的收费要低得多,所以不要小气! 如果您付款,我们将为您提供解密软件,并从我们的服务器上删除您的数据。 我们还会让你知道我们利用你服务器上的漏洞来渗透你的网络。 警告:请勿删除或修改任何文件,否则可能导致恢复问题! 您可以使用无需注册的会话信使和短信 https://getsession.org/download 与我们联系。 我的会话 ID: 05839c6cce78c3f3043e7a65c27e881cbb9efbda3bab942d273a496876340b254f 您也可以使用 Tox 使者(无需注册)和 SMS https://tox.chat/download.html 与我们联系。 我的 ID: BF2FBB22C4C4CFD24EF9AF9AFE2CAB694D8C1E3E2340393E846514659C59C59D8C52F43CBD76209603AE 您可以将任意 1 个文件发送给我们进行免费转录。 祝您好运
URLs

https://getsession.org/download

https://tox.chat/download.html

Targets

    • Target

      2025-06-04_2a23ed686a701e63091a69dfc3fafe02_darkside_elex_lockbit

    • Size

      148KB

    • MD5

      2a23ed686a701e63091a69dfc3fafe02

    • SHA1

      fe84d77916e44c2981c0161c709c600691279191

    • SHA256

      04019c35ffd46d6ada63c4494bc47ad5e1471605f3ee78cdac994c2c4f334bb8

    • SHA512

      85a8b46fab0433d19b5ef4705406fddc75cd6a64336b5f1e3dcacead0de8570cb8e0b0371d5146a7cfb4e97f59c7442fffbcc46cddbb7d4a8ba8120ad4aea3d6

    • SSDEEP

      3072:H6glyuxE4GsUPnliByocWepNfF5hOZTdkQDhP25J:H6gDBGpvEByocWenhgpkQDhPAJ

    • Renames multiple (7957) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v16

Tasks