{
	"id": "64a08e3f-9c90-490d-9273-033afee6b9d6",
	"created_at": "2026-04-06T01:32:32.449162Z",
	"updated_at": "2026-04-10T03:20:35.245914Z",
	"deleted_at": null,
	"sha1_hash": "f59feff14423ea68f0733c860aa432b0481f136f",
	"title": "malware-notes/Ransomware-Windows-DarkBit/README.md at master · albertzsigovits/malware-notes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71010,
	"plain_text": "malware-notes/Ransomware-Windows-DarkBit/README.md at\r\nmaster · albertzsigovits/malware-notes\r\nBy albertzsigovits\r\nArchived: 2026-04-06 01:27:21 UTC\r\nYARA rules:\r\nrule ransomware_darkbit_ransomnote : windows ransomware darkbit {\r\n meta:\r\n author = \"albertzsigovits\"\r\n reference = \"https://twitter.com/vxunderground/status/1624814604936249345\"\r\n date = \"2023-02-13\"\r\n strings:\r\n $note1 = \"But, you can contact us via TOX messenger if you want to recover your files persona\r\n $note2 = \"All your files are encrypted using AES-256 military grade algorithm.\" ascii wide\r\n $note3 = \"They should pay for firing high-skilled experts.\" ascii wide\r\n $tor = \"iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad.onion\" ascii wide\r\n condition:\r\n 2 of ($note*) or $tor\r\n}\r\nrule ransomware_darkbit_windows_Strings : windows ransomware darkbit {\r\n meta:\r\n author = \"albertzsigovits\"\r\n date = \"2023-02-16\"\r\n filetype = \"pe\"\r\n threat = \"Ransomware.DarkBit.Windows\"\r\n sha256 = \"9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff\"\r\n strings:\r\n $goinf = \" Go buildinf:\"\r\n $mingw = \"Mingw-w64 runtime failure:\"\r\n $cgo = \"_cgo_dummy_export\"\r\n $rstr1 = \"Rstrtmgr.dll\"\r\n $rstr2 = \"RmStartSession\"\r\n $rstr3 = \"RmRegisterResources\"\r\n $rstr4 = \"RmGetList\"\r\n $rstr5 = \"RmShutdown\"\r\n $rstr6 = \"RmEndSession\"\r\n $cfg1 = \"\\\"names\\\":\"\r\n $cfg2 = \"\\\"limits\\\":\"\r\n $cfg3 = \"\\\"extensions\\\":\"\r\n $cfg4 = \"\\\"processes\\\":\"\r\n $cfg5 = \"\\\"hostnames\\\":\"\r\n $db1 = \"\\\"darkbit.jpg\\\":\"\r\n $db2 = \"\\\"recovery_darkbit.txt\\\":\"\r\n $db3 = \"\\\"Darkbit\\\":\"\r\n condition:\r\n uint16(0) == 0x5A4D\r\n and uint32(uint32(0x3C)) == 0x00004550\r\n and (\r\n ( $goinf and $mingw and $cgo and 2 of ($rstr*) and 3 of ($cfg*) )\r\n or\r\n ( 2 of ($cfg*) and 1 of ($db*) )\r\n )\r\n}\r\nrule ransomware_darkbit_windows_asm : windows ransomware darkbit {\r\n meta:\r\n author = \"albertzsigovits\"\r\n date = \"2023-02-16\"\r\n filetype = \"pe\"\r\n threat = \"Ransomware.DarkBit.Windows\"\r\n sha256 = \"9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff\"\r\n strings:\r\n $gob1 = {\r\n 45 88 47 ?? // mov byte [r15 + 1], r8b\r\n 90 // nop\r\n 4C 8B 84 24 ?? ?? 00 00 // mov r8, qword [rsp + 0x88]\r\n 49 C1 E8 ?? // shr r8, 4\r\n 49 83 C7 ?? // add r15, 2\r\n 48 8B 44 24 ?? // mov rax, qword [rsp + 0x78]\r\n 4C 8B 8C 24 ?? ?? 00 00 // mov r9, qword [rsp + 0xb0]\r\n 48 89 D0 // mov rax, rdx\r\n 48 8B 94 24 ?? ?? 00 00 // mov rdx, qword [rsp + 0xc0]\r\n 4C 89 84 24 ?? ?? 00 00 // mov qword [rsp + 0x88], r8\r\n 41 ?? ?? ?? // and r8d, 0xf\r\n 49\r\n }\r\n $gob2 = {\r\n 48 89 84 24 ?? ?? 00 00 // mov qword ptr ss:[rsp+D0],rax\r\n 48 89 5C 24 ?? // mov qword ptr ss:[rsp+60],rbx\r\n 31 C0 // xor eax,eax\r\n 48 8D 5C 24 ?? // lea rbx,qword ptr ss:[rsp+44]\r\n B9 ?? 00 00 00 // mov ecx,6\r\n }\r\n $wyhash = {\r\n 4D 8B 88 ?? ?? 00 00 // mov r9, qword [r8 + 0xf0]\r\n 49 BA 2F 64 BD 78 64 1D 76 A0 // movabs r10, 0xa0761d6478bd642f\r\n 4D 01 D1 // add r9, r10\r\n 49 BB DB 28 B4 A0 D1 7E 03 E7 // movabs r11, 0xe7037ed1a0b428db\r\n 4D 31 CB // xor r11, r9\r\n }\r\n $vss1 = {\r\n 48 8B 94 24 ?? ?? 00 00 // mov rdx,qword ptr ss:[rsp+C8] [rsp+C8]:\"delete\r\n 48 89 94 24 ?? ?? 00 00 // mov qword ptr ss:[rsp+138],rdx [rsp+138]:\"delet\r\n 48 8B 54 24 ?? // mov rdx,qword ptr ss:[rsp+58]\r\n 48 89 94 24 ?? ?? 00 00 // mov qword ptr ss:[rsp+140],rdx\r\n 48 8B 94 24 ?? ?? 00 00 // mov rdx,qword ptr ss:[rsp+F0] [rsp+F0]:\"shadows\r\n 48 89 94 24 ?? ?? 00 00 // mov qword ptr ss:[rsp+148],rdx [rsp+148]:\"shado\r\n 48 8B 94 24 ?? ?? 00 00 // mov rdx,qword ptr ss:[rsp+80]\r\n 48 89 94 24 ?? ?? 00 00 // mov qword ptr ss:[rsp+150],rdx\r\n 48 8B 94 24 ?? ?? 00 00 // mov rdx,qword ptr ss:[rsp+C0] [rsp+C0]:\"/all\"\r\n 48 89 94 24 ?? ?? 00 00 // mov qword ptr ss:[rsp+158],rdx [rsp+158]:\"/all\r\n 48 8B 54 24 ?? // mov rdx,qword ptr ss:[rsp+50]\r\n 48 89 94 24 ?? ?? 00 00 // mov qword ptr ss:[rsp+160],rdx\r\n 48 89 84 24 ?? ?? 00 00 // mov qword ptr ss:[rsp+168],rax [rsp+168]:\"/Quie\r\n 48 89 9C 24 ?? ?? 00 00 // mov qword ptr ss:[rsp+170],rbx\r\n 48 8B 84 24 ?? ?? 00 00 // mov rax,qword ptr ss:[rsp+D0] [rsp+D0]:\"vssadmi\r\n 48 8B 5C 24 ?? // mov rbx,qword ptr ss:[rsp+60]\r\n 48 8D 8C 24 ?? ?? 00 00 // lea rcx,qword ptr ss:[rsp+138] [rsp+138]:\"delet\r\n }\r\n $vss2 = {\r\n 48 BA CB BB 16 11 B4 B1 42 AD // mov rdx,AD42B1B41116BBCB\r\n 48 89 94 24 ?? ?? 00 00 // mov qword ptr ss:[rsp+B1],rdx\r\n 48 BA AD 6D A1 5B 11 15 7B 7B // mov rdx,7B7B15115BA16DAD\r\n 48 89 94 24 ?? ?? 00 00 // mov qword ptr ss:[rsp+B8],rdx\r\n 48 BA 9D C8 65 70 D0 DC 2B C3 // mov rdx,C32BDCD07065C89D\r\n 48 89 94 24 ?? ?? 00 00 // mov qword ptr ss:[rsp+A2],rdx\r\n 48 BA C3 4D C5 3E 7D 70 0F 1E // mov rdx,1E0F707D3EC54DC3\r\n 48 89 94 24 ?? ?? 00 00 // mov qword ptr ss:[rsp+A9],rdx\r\n }\r\n condition:\r\n uint16(0) == 0x5A4D\r\n and uint32(uint32(0x3C)) == 0x00004550\r\n and 3 of them\r\n}\r\nDarkBit diary:\r\nSHA256: 9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff\r\nPacker: None\r\nCompile time: 2023-02-11 22:10:54\r\nPEInfo: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows\r\nLanguage: Golang (CGO)\r\nObfuscation: Gobfuscate\r\nHashing: Wyhash hash algorithm and wyrand PRNG\r\nRansomware Mutex: Global\\dbdbdbdb\r\nRansomware Note: RECOVERY_DARKBIT.txt\r\nSHA256: fca050431ba94630d691a7d6cbdd491354c69f738b0d8e03b531173a741ad286\r\nTOR: hxxp://iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad[.]onion/support\r\nTOX ID: AB33BC51AFAC64D98226826E70B483593C81CB22E6A3B504F7A75348C38C862F00042F5245AC\r\nTelegram: DarkBitChannel\r\nTwitter: DarkBitTW\r\nDarkBit parameters:\r\n-h | Help\r\n-all | Run on all without timeout counter\r\n-domain | Domain\r\n-force | Force blacklisted computers\r\n-list | List\r\n-nomutex | Force not checking mutex\r\n-noransom | No encryption\r\n-password | Password\r\n-path | Path\r\n-t | Threads\r\n-username | Username\r\nVirusTotal perks:\r\nvhash:0560b76d5555151c051d1az3f1d\u0026z1\r\nauthentihash:8a1db8d4c117daa25ab31735b9866cb989907cf524fe2c052ffa9e67f582c79c\r\nimphash:9bcadd8ed34a63728178995d1b006421\r\nssdeep:\"49152:S4mkYp+03HbhndpeoVK9/0cjXd77yg6PxHuy7vDKD12K5EKGHg1q14gUynCLgIMk:UF31ed/XB7AbvbAEKGpTI7\"\r\nbehaviour_files:\"%HOMEPATH%\\\\recovery_darkbit.txt\"\r\nbehaviour_files:\"%HOMEPATH%\\\\appdata\\\\recovery_darkbit.txt\"\r\nbehaviour:\"Global\\\\dbdbdbdb\"\r\nbehaviour:\"\\\\Sessions\\\\1\\\\BaseNamedObjects\\\\Global\\\\dbdbdbdb\"\r\nConfig template:\r\n \"limits\": [\r\n {\r\n \"limitMB\": 25,\r\n \"parts\": 1,\r\n \"eachPart\": -1\r\n },\r\n {\r\n \"limitMB\": 1000,\r\n \"parts\": 2,\r\n \"eachPart\": 12000\r\n },\r\n {\r\n \"limitMB\": 4000,\r\n \"parts\": 3,\r\n \"eachPart\": 10000\r\n },\r\n {\r\n \"limitMB\": 7000,\r\n \"parts\": 2,\r\n \"eachPart\": 20000\r\n },\r\n {\r\n \"limitMB\": 11000,\r\n \"parts\": 3,\r\n \"eachPart\": 30000\r\n },\r\n {\r\n \"limitMB\": 51000,\r\n \"parts\": 5,\r\n \"eachPart\": 30000\r\n },\r\n {\r\n \"limitMB\": 1000000,\r\n \"parts\": 3,\r\n \"eachPart\": 1000000\r\n },\r\n {\r\n \"limitMB\": 5000000,\r\n \"parts\": 5,\r\n \"eachPart\": 1000000\r\n },\r\n {\r\n \"limitMB\": 6000000,\r\n \"parts\": 20,\r\n \"eachPart\": 10000000\r\n }\r\n ],\r\n \"extensions\": {\r\n \"msilog\": 1,\r\n \"log\": 1,\r\n \"ldf\": 1,\r\n \"lock\": 1,\r\n \"theme\": 1,\r\n \"msi\": 1,\r\n \"sys\": 1,\r\n \"wpx\": 1,\r\n \"cpl\": 1,\r\n \"adv\": 1,\r\n \"msc\": 1,\r\n \"scr\": 1,\r\n \"key\": 1,\r\n \"ico\": 1,\r\n \"dll\": 1,\r\n \"hta\": 1,\r\n \"deskthemepack\": 1,\r\n \"nomedia\": 1,\r\n \"msu\": 1,\r\n \"rtp\": 1,\r\n \"msp\": 1,\r\n \"idx\": 1,\r\n \"ani\": 1,\r\n \"386\": 1,\r\n \"diagcfg\": 1,\r\n \"bin\": 1,\r\n \"mod\": 1,\r\n \"ics\": 1,\r\n \"com\": 1,\r\n \"hlp\": 1,\r\n \"spl\": 1,\r\n \"nls\": 1,\r\n \"cab\": 1,\r\n \"diagpkg\": 1,\r\n \"icl\": 1,\r\n \"ocx\": 1,\r\n \"rom\": 1,\r\n \"prf\": 1,\r\n \"themepack\": 1,\r\n \"msstyles\": 1,\r\n \"icns\": 1,\r\n \"mpa\": 1,\r\n \"drv\": 1,\r\n \"cur\": 1,\r\n \"diagcab\": 1,\r\n \"exe\": 1,\r\n \"cmd\": 1,\r\n \"shs\": 1,\r\n \"Darkbit\": 1\r\n },\r\n \"names\": {\r\n \"thumbs.db\": 1,\r\n \"desktop.ini\": 1,\r\n \"darkbit.jpg\": 1,\r\n \"recovery_darkbit.txt\": 1,\r\n \"system volume information\": 1\r\n },\r\n \"processes\": [],\r\n \"hostnames\": [\r\n--- LIST OF TARGET HOSTNAMES ---\r\n]\r\nRansom note:\r\nDear Colleagues,\r\nWe’re sorry to inform you that we’ve had to hack Technion network completely and transfer “all” data to our secu\r\nSo, keep calm, take a breath and think about an apartheid regime that causes troubles here and there.\r\nThey should pay for their lies and crimes, their names and shames. They should pay for occupation, war crimes ag\r\nkilling the people (not only Palestinians’ bodies, but also Israelis’ souls) and destroying the future and all d\r\nThey should pay for firing high-skilled experts.\r\nAnyway, there is nothing for you (as an individual) to be worried.\r\nThat’s the task of the administration to follow up our instruction for recovering the network.\r\nBut, you can contact us via TOX messenger if you want to recover your files personally. (TOX ID: AB33BC51AFAC64D\r\nOur instruction for the administration:\r\nAll your files are encrypted using AES-256 military grade algorithm. So,\r\n1. Don't try to recover data, because the encrypted files are unrecoverable unless you have the key.\r\nAny try for recovering data without the key (using third-party applications/companies) causes PERMANENT\r\n2. You have to trust us. This is our business (after firing from high-tech companies) and the reputatio\r\n3. All you need to do is following up the payment procedure and then you will receive decrypting key us\r\n4. Payment method:\r\nEnter the link below\r\nhttp://iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad.onion/support\r\nEnter the ID below and pay the bill (80 BTC)\r\n$TARGETID\r\nYou will receive decrypting key after the payment.\r\nNotice that you just have 48 hours. After the deadline, a 30% penalty will be added to the price.\r\nWe put data for sale after 5 days.\r\nTake it serious and don’t listen to probable advices of a stupid government.\r\nGood Luck!\r\n“DarkBit”\r\nSource: https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware-Windows-DarkBit/README.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware-Windows-DarkBit/README.md"
	],
	"report_names": [
		"README.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775439152,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f59feff14423ea68f0733c860aa432b0481f136f.pdf",
		"text": "https://archive.orkl.eu/f59feff14423ea68f0733c860aa432b0481f136f.txt",
		"img": "https://archive.orkl.eu/f59feff14423ea68f0733c860aa432b0481f136f.jpg"
	}
}