5b9b1df2edcdddc88c613abed6ffebea61aaea766649473769d501e7f5dc23cb

General

Target

blackbasta.exe
Size

636KB
MD5

267d5c3137d313ce1a86c2f255a835e6
SHA1

c7a37c0edeffd23777cca44f9b49076be1bd43e6
SHA256

17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90
SHA512

9c119a9f973dae77f2cdd6a855ae45c20660aadc5c592f6d06f6360dd0bb5a380d0ed1fcc23c0cb721da70bcca7d32db46181be675bf0587276d35d6da26a31e
SSDEEP

12288:aEky5bwpy02iRaeXCP2CIcdoKAXMr+Mr+kJZ4:j02iRaeHPcdo18rTrf6

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 30 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

blackbasta.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\EnableStep.tiff => C:\Users\Admin\Pictures\EnableStep.tiffencrypted	blackbasta.exe
File renamed	C:\Users\Admin\Pictures\ExpandLock.png => C:\Users\Admin\Pictures\ExpandLock.pngencrypted	blackbasta.exe
File renamed	C:\Users\Admin\Pictures\SetUnregister.raw => C:\Users\Admin\Pictures\SetUnregister.rawencrypted	blackbasta.exe
File opened for modification	C:\Users\Admin\Pictures\SuspendUnblock.rawencrypted	blackbasta.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockRepair.pngencrypted	blackbasta.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandLock.pngencrypted	blackbasta.exe
File renamed	C:\Users\Admin\Pictures\SearchDebug.tiff => C:\Users\Admin\Pictures\SearchDebug.tiffencrypted	blackbasta.exe
File renamed	C:\Users\Admin\Pictures\SuspendUnblock.raw => C:\Users\Admin\Pictures\SuspendUnblock.rawencrypted	blackbasta.exe
File renamed	C:\Users\Admin\Pictures\SyncImport.tiff => C:\Users\Admin\Pictures\SyncImport.tiffencrypted	blackbasta.exe
File renamed	C:\Users\Admin\Pictures\CloseUninstall.raw => C:\Users\Admin\Pictures\CloseUninstall.rawencrypted	blackbasta.exe
File opened for modification	C:\Users\Admin\Pictures\CopyRedo.rawencrypted	blackbasta.exe
File opened for modification	C:\Users\Admin\Pictures\DenyConfirm.crwencrypted	blackbasta.exe
File renamed	C:\Users\Admin\Pictures\RepairBlock.raw => C:\Users\Admin\Pictures\RepairBlock.rawencrypted	blackbasta.exe
File opened for modification	C:\Users\Admin\Pictures\SetUnregister.rawencrypted	blackbasta.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromExit.pngencrypted	blackbasta.exe
File renamed	C:\Users\Admin\Pictures\CopyRedo.raw => C:\Users\Admin\Pictures\CopyRedo.rawencrypted	blackbasta.exe
File opened for modification	C:\Users\Admin\Pictures\EnableStep.tiffencrypted	blackbasta.exe
File renamed	C:\Users\Admin\Pictures\UnlockRepair.png => C:\Users\Admin\Pictures\UnlockRepair.pngencrypted	blackbasta.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromConvertTo.raw => C:\Users\Admin\Pictures\ConvertFromConvertTo.rawencrypted	blackbasta.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromConvertTo.rawencrypted	blackbasta.exe
File renamed	C:\Users\Admin\Pictures\DenyConfirm.crw => C:\Users\Admin\Pictures\DenyConfirm.crwencrypted	blackbasta.exe
File opened for modification	C:\Users\Admin\Pictures\RepairBlock.rawencrypted	blackbasta.exe
File opened for modification	C:\Users\Admin\Pictures\SetComplete.crwencrypted	blackbasta.exe
File opened for modification	C:\Users\Admin\Pictures\SyncImport.tiffencrypted	blackbasta.exe
File renamed	C:\Users\Admin\Pictures\SetComplete.crw => C:\Users\Admin\Pictures\SetComplete.crwencrypted	blackbasta.exe
File opened for modification	C:\Users\Admin\Pictures\CloseUninstall.rawencrypted	blackbasta.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromExit.png => C:\Users\Admin\Pictures\ConvertFromExit.pngencrypted	blackbasta.exe
File renamed	C:\Users\Admin\Pictures\RemoveConvert.png => C:\Users\Admin\Pictures\RemoveConvert.pngencrypted	blackbasta.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveConvert.pngencrypted	blackbasta.exe
File opened for modification	C:\Users\Admin\Pictures\SearchDebug.tiffencrypted	blackbasta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

blackbasta.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\Wallpaper blackbasta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\Wallpaper	blackbasta.exe

Drops file in Program Files directory 64 IoCs

Processes:

blackbasta.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dllencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04267_.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188667.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPGencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPGencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Austin.eftxencrypted	blackbasta.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exeencrypted	blackbasta.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.dllencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OPHPROXY.DLLencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287024.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files\Java\jre7\lib\flavormap.propertiesencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01797_.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_COL.HXTencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPGencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMPencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02045_.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0286068.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLLIBR.REST.IDX_DLLencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXCencrypted	blackbasta.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\axvlc.dllencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01193_.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00057_.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MOR6INT.REST.IDX_DLLencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02617_.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txtencrypted	blackbasta.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.pngencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153305.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186360.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\OCEAN_01.MIDencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\HxRuntime.HxSencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee.dllencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_hu.dllencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPGencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_COL.HXTencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXEencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106124.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285796.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files\PopSync.wplencrypted	blackbasta.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.pngencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01701_.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xmlencrypted	blackbasta.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.catalogencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01368_.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPGencrypted	blackbasta.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\ant-javafx.jarencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLCALL32.DLLencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACER3X.DLLencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00669_.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xmlencrypted	blackbasta.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\ONFILTER.DLLencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105520.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPGencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02423_.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBORDER.DPVencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\STUBBY2.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_COL.HXCencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02048_.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\SpiderSolitaire.exe.muiencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMPencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185842.WMFencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01238_.GIFencrypted	blackbasta.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txtencrypted	blackbasta.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\fr-FR\Hearts.exe.muiencrypted	blackbasta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107708.WMFencrypted	blackbasta.exe

C:\Users\Admin\AppData\Local\Temp\blackbasta.exe
"C:\Users\Admin\AppData\Local\Temp\blackbasta.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
PID:624