General
-
Target
https://bazaar.abuse.ch/sample/c50bca08a8e80850ec18d258ff937b7b72a500d9027c730c86b05aa73c938b5d/
-
Sample
230505-kyxqlaba7t
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://bazaar.abuse.ch/sample/c50bca08a8e80850ec18d258ff937b7b72a500d9027c730c86b05aa73c938b5d/
Resource
win10v2004-20230220-en
Malware Config
Extracted
blackcat
- Username:
Administrator - Password:
Vivit5on0640
- Username:
Administrator@FAIRWAY - Password:
Vivit5on0640
- Username:
admin - Password:
Onegl@ss2020
-
enable_network_discovery
true
-
enable_self_propagation
true
-
enable_set_wallpaper
true
-
extension
hat2gck
-
note_file_name
RECOVER-${EXTENSION}-FILES.txt
-
note_full_text
----Welcome to the Black Cat Ransomware----- Failure to contact us, will result in higher costs at every level for you. And all you / your customers files. >> What happened? Important files on your network was ENCRYPTED and now they have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your network was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: -Customers financial info -Your financial info with LLoyds and any other banks. -Invoices. -All the emails database - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://cmzh4nkisvkvyxc6o25ympbq52xphnexikkto5fyx52saaaxfv7piuyd.onion/?access-key=${ACCESS_KEY}
Targets
-
-
Target
https://bazaar.abuse.ch/sample/c50bca08a8e80850ec18d258ff937b7b72a500d9027c730c86b05aa73c938b5d/
Score10/10-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Registers COM server for autorun
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-