blackbasta | 753a66f032d0d7a7c310a2e5f98c54e95e3d404400224d592657a02079c668d5

General

Target

loader.bat
Size

94B
MD5

921239f27bb2234b67d59178f126c4e3
SHA1

dcfb337b410b40159c6cecc298728246745250e8
SHA256

72098b728205382cccae1513b4758851372139a8e881066c679ce7321fb29ba6
SHA512

3df002ba6bf11f6b6b0d2dac2f940090b9160b8af124f9c36fefa57964562b9f4edffc2aa250633704f26fa720c770814d693a9ba0f93a55cbae8b0e65fcc7a1

Score

10^/10

blackbasta ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\instructions_read_me.txt

Family

blackbasta

Ransom Note

ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: ab2bada7-004d-468c-8c25-a08517ea2fa0 *!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) *!* To restore all your PCs and get your network working again, follow these instructions: - Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency. Please follow these simple rules to avoid data corruption: - Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. Waiting you in a chat.

URLs

https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Drops desktop.ini file(s) 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	rundll32.exe

Drops file in Program Files directory 64 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15135_.GIF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04326_.WMF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299587.WMF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\HAMMER.WAV	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_sse2_plugin.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188669.WMF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7EN.LEX	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR20F.GIF	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Maceio	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\soundcloud.luac	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll	rundll32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00330_.WMF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous.png	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7db.kic	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB7.BDR	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14654_.GIF	rundll32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHDHM.POC	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\gadget.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215070.WMF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_K_COL.HXK	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.catalog	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME11.CSS	rundll32.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcor.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png	rundll32.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEODBCI.DLL	rundll32.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar	rundll32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\instructions_read_me.txt	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01152_.WMF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183168.WMF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205462.WMF	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\VIBE.WAV	rundll32.exe
File opened for modification	C:\Program Files\Windows Sidebar\settings.ini	rundll32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\instructions_read_me.txt	rundll32.exe
File created	C:\Program Files\Windows Media Player\Visualizations\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292152.WMF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR47F.GIF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05870_.WMF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationProvider.resources.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ms.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251871.WMF	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tehran	rundll32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\gadget.xml	rundll32.exe

Modifies registry class 3 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmpt0z3lb	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmpt0z3lb\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmpt0z3lb\DefaultIcon	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

2124 notepad.exe

pid	process
2124	notepad.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cmd.exerundll32.exerundll32.execmd.exe

description	pid	process	target process
PID 2872 wrote to memory of 2268	2872	cmd.exe	rundll32.exe
PID 2872 wrote to memory of 2268	2872	cmd.exe	rundll32.exe
PID 2872 wrote to memory of 2268	2872	cmd.exe	rundll32.exe
PID 2268 wrote to memory of 2920	2268	rundll32.exe	rundll32.exe
PID 2268 wrote to memory of 2920	2268	rundll32.exe	rundll32.exe
PID 2268 wrote to memory of 2920	2268	rundll32.exe	rundll32.exe
PID 2268 wrote to memory of 2920	2268	rundll32.exe	rundll32.exe
PID 2268 wrote to memory of 2920	2268	rundll32.exe	rundll32.exe
PID 2268 wrote to memory of 2920	2268	rundll32.exe	rundll32.exe
PID 2268 wrote to memory of 2920	2268	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 1544	2920	rundll32.exe	cmd.exe
PID 2920 wrote to memory of 1544	2920	rundll32.exe	cmd.exe
PID 2920 wrote to memory of 1544	2920	rundll32.exe	cmd.exe
PID 2920 wrote to memory of 1544	2920	rundll32.exe	cmd.exe
PID 1544 wrote to memory of 2124	1544	cmd.exe	notepad.exe
PID 1544 wrote to memory of 2124	1544	cmd.exe	notepad.exe
PID 1544 wrote to memory of 2124	1544	cmd.exe	notepad.exe
PID 1544 wrote to memory of 2124	1544	cmd.exe	notepad.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\system32\rundll32.exe
  rundll32.exe fea155f714b3153192dfc11fba84609edf1e78bbb7f1d6979de6a9ab4077099d.dll,VisibleEntry
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe fea155f714b3153192dfc11fba84609edf1e78bbb7f1d6979de6a9ab4077099d.dll,VisibleEntry
    3⤵
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /MAX notepad.exe c:\instructions_read_me.txt
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad.exe c:\instructions_read_me.txt
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\instructions_read_me.txt

Filesize
1KB

MD5
a1858e97c794b6dd91c84c4117972a63

SHA1
e0166104ea97fc4dd52349113ac1eb2047b237e5

SHA256
bb3b4e779a5f43494e237b1979f0eddc9beb0a2a7c1e0b451a32c77795f1a58e

SHA512
da4a96ba2e3078b14784496af289097a8a0d21bc8486627c932c48bacc9e05d3837c671526f0f1d3f679c14e4a2bc1fd6b3a3196233e5fb194a7e2a8a029c9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.bat

Filesize
421B

MD5
1d3551468d87e7793535b2f96d6b7399

SHA1
436fdff9c3daceb4c5e7380afd13484b73035eb4

SHA256
39e9cab2f2e8a130b99a6ff173ad36c4a42eeda9bd1b94d598c598530c968848

SHA512
e45ad423b8b8099f0a8959bbf59c3e4c4216dfc3c4fe6f31c110949e3d73b4871365c531d68837bb79b2509b2dbaec69beb9834835e7b29369adb800b1132f57

Download Submit
memory/2920-11-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download
memory/2920-6-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download
memory/2920-5-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download
memory/2920-7-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download
memory/2920-10-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download
memory/2920-12-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download
memory/2920-0-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download
memory/2920-8-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download
memory/2920-2-0x00000000020F0000-0x00000000021D7000-memory.dmp

Filesize
924KB

Download
memory/2920-4-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download
memory/2920-1797-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download
memory/2920-11818-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download
memory/2920-11820-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download
memory/2920-11830-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download
memory/2920-11832-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download
memory/2920-11833-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download
memory/2920-1-0x00000000003B0000-0x000000000047D000-memory.dmp

Filesize
820KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads