Analysis
-
max time kernel
140s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
11-10-2023 19:51
Behavioral task
behavioral1
Sample
blackcat.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
blackcat.exe
Resource
win10v2004-20230915-en
General
-
Target
blackcat.exe
-
Size
2.6MB
-
MD5
bb266486ee8ac70c0687989e02cefa14
-
SHA1
11203786b17bb3873d46acae32a898c8dac09850
-
SHA256
0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
-
SHA512
a167779fc95a5cf0a3eff86211e9e08c282470e050b17ae62c7499a82ea59b3447446eafea9d7b5c5ba833b7a2d060f76530b00509dd5ff7904a0735d83e14c4
-
SSDEEP
49152:rEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1:rbyaALKjwWXV1P9oVvwwW4JT8
Malware Config
Extracted
blackcat
- Username:
KELLERSUPPLY\Administrator - Password:
d@gw00d
- Username:
KELLERSUPPLY\AdminRecovery - Password:
K3ller!$Supp1y
- Username:
.\Administrator - Password:
d@gw00d
- Username:
.\Administrator - Password:
K3ller!$Supp1y
-
enable_network_discovery
true
-
enable_self_propagation
false
-
enable_set_wallpaper
true
-
extension
sykffle
-
note_file_name
RECOVER-${EXTENSION}-FILES.txt
-
note_full_text
>> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}
Signatures
-
BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.