Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://bazaar.abuse...

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://bazaar.abuse.ch/sample/731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161/

  • Sample

    230505-llejxshc47

Score
10/10
blackcatdiscoverypersistenceransomware

Malware Config

Extracted

Family

blackcat

Credentials
  • Username:
    CREDITONE\Administrator
  • Password:
    K3ny@2009
  • Username:
    CREDITONE\bexec
  • Password:
    CloneD1sk4Song$%
  • Username:
    CREDITONE\KLarry
  • Password:
    Kl..2021
  • Username:
    CREDITONE\BKuhl
  • Password:
    Gromit2021!
  • Username:
    CREDITONE\rlopez
  • Password:
    Victoria7856!
  • Username:
    CREDITONE\EJaramilla
  • Password:
    1LoveVeros4
  • Username:
    .\Administrator
  • Password:
    $fiji12$
Attributes
  • enable_network_discovery

    true

  • enable_self_propagation

    true

  • enable_set_wallpaper

    true

  • extension

    7954i9r

  • note_file_name

    RECOVER-${EXTENSION}-FILES.txt

  • note_full_text

    >> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion/336eb50d-ebf8-436b-937d-ec075de46e7f/419ef3f950d9f346cf86db56db453539dcd51567ea871728e78dbc9918c7efeb >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://sty5r4hhb5oihbq2mwevrofdiqbgesi66rvxr5sr573xgvtuvr4cs5yd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Targets

    • Target

      https://bazaar.abuse.ch/sample/731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161/

    Score
    10/10
    blackcatdiscoverypersistenceransomware

    • BlackCat

      A Rust-based ransomware sold as RaaS first seen in late 2021.

      ransomwareblackcat

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Registers COM server for autorun

      persistence

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops Chrome extension

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks