General
-
Target
blackcat.exe
-
Size
2.6MB
-
Sample
230925-p8r1bafa2y
-
MD5
bb266486ee8ac70c0687989e02cefa14
-
SHA1
11203786b17bb3873d46acae32a898c8dac09850
-
SHA256
0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
-
SHA512
a167779fc95a5cf0a3eff86211e9e08c282470e050b17ae62c7499a82ea59b3447446eafea9d7b5c5ba833b7a2d060f76530b00509dd5ff7904a0735d83e14c4
-
SSDEEP
49152:rEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1:rbyaALKjwWXV1P9oVvwwW4JT8
Behavioral task
behavioral1
Sample
blackcat.exe
Resource
win10v2004-20230915-en
Malware Config
Extracted
blackcat
- Username:
KELLERSUPPLY\Administrator - Password:
d@gw00d
- Username:
KELLERSUPPLY\AdminRecovery - Password:
K3ller!$Supp1y
- Username:
.\Administrator - Password:
d@gw00d
- Username:
.\Administrator - Password:
K3ller!$Supp1y
-
enable_network_discovery
true
-
enable_self_propagation
false
-
enable_set_wallpaper
true
-
extension
sykffle
-
note_file_name
RECOVER-${EXTENSION}-FILES.txt
-
note_full_text
>> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}
Extracted
C:\RECOVER-sykffle-FILES.txt
http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21
http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=ofxtqXVtehGhd%2FM1%2BW7n5iVIrnzOVt755SYbzReOqI%2F1ElZBG5zJZcTql1uTWKKuwijscCtpsridvGYEEyKb6OMd5pUha5Epi0suGlWVMF7byOWYdDzy4m1OMNDiDe%2FB71Y8PGgjo4wm7%2BtZ0VQaoWYJV39%2Fqe%2Be0ihkF0InbZisFct8d5A5Vx20e3nC9q%2BjYpxYKAUyLyW6brsiP1KtLXT%2B1XweQ2Nk8nDMgVlN1X5hR3TfU1%2Fi0yj8S5WopqVMRJGF6Xi6NhX%2FTdUExjZ63ylEqtLUSFOQaYiKedGN4UBRDuVgHJVzMdzKHsqHCYrpvCNEP3q4nOXxKzImvBt2Fw%3D%3D
Targets
-
-
Target
blackcat.exe
-
Size
2.6MB
-
MD5
bb266486ee8ac70c0687989e02cefa14
-
SHA1
11203786b17bb3873d46acae32a898c8dac09850
-
SHA256
0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
-
SHA512
a167779fc95a5cf0a3eff86211e9e08c282470e050b17ae62c7499a82ea59b3447446eafea9d7b5c5ba833b7a2d060f76530b00509dd5ff7904a0735d83e14c4
-
SSDEEP
49152:rEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1:rbyaALKjwWXV1P9oVvwwW4JT8
Score10/10-
Renames multiple (146) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-