blackbasta | ca0273c55507c3aae95539812c2c5d9bbdc80deb8e714360fe4bcc65d257aeb0

Sharing

Copy URL

Twitter E-mail

General

Target

ca0273c55507c3aae95539812c2c5d9bbdc80deb8e714360fe4bcc65d257aeb0
Size

3.0MB
Sample

240326-p763vadg3w
MD5

1bcea13bd6b7223e04ca71ee4b78647e
SHA1

32ae0e093011c1f5e4637d3cc081600ad6de2874
SHA256

ca0273c55507c3aae95539812c2c5d9bbdc80deb8e714360fe4bcc65d257aeb0
SHA512

426fe0b135e68e256aef76ad2a032911dcb979e5cde29c51ac4f960fe4305abbb3a3e3891cf2ec45aafb7dbeaffc5983b0072dbbcbba0b757ef14dd50c1fd8fc
SSDEEP

98304:7pZaH5gP6rItqsK3PFAK1x59fnwQXFpqug5fA:7J6r5b3+Kf59fw0fOy

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\readme.txt

Ransom Note

Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/ Your company id for log in: ba7a7058-3531-4b67-bae6-d602e9110361

URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/

Extracted

Path

C:\ProgramData\readme.txt

Ransom Note

Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: 41bdf082-8936-4e21-9f70-5446160a730f

URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Extracted

Path

C:\Program Files\instructions_read_me.txt

Family

blackbasta

Ransom Note

ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Login ID: 2943b2b6-dc20-44a7-9dc4-94f7cb67f695 *!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) *!* To restore all your PCs and get your network working again, follow these instructions: - Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency. Please follow these simple rules to avoid data corruption: - Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. Waiting you in a chat.

URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Extracted

Path

C:\Program Files\instructions_read_me.txt

Family

blackbasta

Ransom Note

ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Login ID: 51fa64da-8ee3-4977-9535-14cf6f2fb971 *!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) *!* To restore all your PCs and get your network working again, follow these instructions: - Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency. Please follow these simple rules to avoid data corruption: - Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. Waiting you in a chat.

URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Targets

- Target
  
  07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799
- Size
  
  838KB
- MD5
  
  afa27795c0c86b6afeb138d0fb09506b
- SHA1
  
  d32e44f7e04a8c84e7159ed020dcf26b6e51416e
- SHA256
  
  07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799
- SHA512
  
  85e92d60000981d836c8fe102a191e21c94f6add14fef0dd33816060699dfa5a05e1db38bd8b7194ad9e1ff30240bfdf807f91d0abe535733e2a2fc1d7264fc0
- SSDEEP
  
  24576:pyAo7FAIP03acBtXWKe25ep59MxQU08wHG3MJAQof1hB:Lo7ARBtmKe28MSU08wHaM6Qo1hB
Score

1^/10
behavioral1 behavioral2
- Target
  
  1391c20a26f248f7c602f20096bf1886cfe7e4d151602a1258a9bbe7c02c1c80
- Size
  
  524KB
- MD5
  
  20d03f8272648fa3fd31e222b8e2220f
- SHA1
  
  ac20624e8aff3d4f9c42a8e2ddd493250e631f47
- SHA256
  
  1391c20a26f248f7c602f20096bf1886cfe7e4d151602a1258a9bbe7c02c1c80
- SHA512
  
  3bcfde35141671b4de022ae2423d020e53de35075c9a2c0a2dde45dc993364543af443dc97e6d3cc96c9a1d34533d6adb50c2495a23b5c4de97f64b3176ebd70
- SSDEEP
  
  12288:SwCt9ZABL6wADs7yjyYTW3nMxIg/NmGta1WeGcvc4OulNI:AHUADs+jVW3nMxIKMOa1Wpecule
Score

10^/10

blackbasta ransomware
- Black Basta
  A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
  ransomware blackbasta
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (208) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Sets desktop wallpaper using registry
  ransomware
behavioral3 behavioral4
- Target
  
  350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd
- Size
  
  737KB
- MD5
  
  0bf7bc20496143a9f028e77ab47b4698
- SHA1
  
  aa54013aeb502b4a936331deb76a6411f1f1ade7
- SHA256
  
  350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd
- SHA512
  
  5e94cd77c4ad6dfa1064915ca0f4d117a2e3a4e924d05a16df0b223a5a0cbcb6124627e41d184aa0584f3ff3bbd5f9f913964887c7eb140e105317d4f5709981
- SSDEEP
  
  12288:bO+sm75a7DI9Mv53VI/XfaUs442JbV24chSS1i2wZbDFMMWzVFq:rh75a7M9S3VYa4npY4cFM2MWhY
Score

10^/10

ransomware blackbasta
- Black Basta
  A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
  ransomware blackbasta
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (4589) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
behavioral5 behavioral6
- Target
  
  51eb749d6cbd08baf9d43c2f83abd9d4d86eb5206f62ba43b768251a98ce9d3e
- Size
  
  839KB
- MD5
  
  e83d6092439a90af2b4b1db2ad3a9c5a
- SHA1
  
  4da6fef533b37a12ed1e357df66802de29c1ab5c
- SHA256
  
  51eb749d6cbd08baf9d43c2f83abd9d4d86eb5206f62ba43b768251a98ce9d3e
- SHA512
  
  0d695785c00fa1dfa2c1825b8f8de757daae9336a674e8e723586cbe105832fbaba1c886a6554073baab725bfa9ad47042ec95a43ba94b76788dd9f8198dddd4
- SSDEEP
  
  24576:zvA0H/qL9fu4c8JZHSE6biXLemW34Mi+4LKH:UHL9fu4hSLbiXLer4MD4WH
Score

10^/10

blackbasta ransomware
- Black Basta
  A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
  ransomware blackbasta
- Renames multiple (2402) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
behavioral7 behavioral8
- Target
  
  17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90
- Size
  
  636KB
- MD5
  
  267d5c3137d313ce1a86c2f255a835e6
- SHA1
  
  c7a37c0edeffd23777cca44f9b49076be1bd43e6
- SHA256
  
  17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90
- SHA512
  
  9c119a9f973dae77f2cdd6a855ae45c20660aadc5c592f6d06f6360dd0bb5a380d0ed1fcc23c0cb721da70bcca7d32db46181be675bf0587276d35d6da26a31e
- SSDEEP
  
  12288:aEky5bwpy02iRaeXCP2CIcdoKAXMr+Mr+kJZ4:j02iRaeHPcdo18rTrf6
Score

9^/10

ransomware spyware stealer
- Renames multiple (4138) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Sets desktop wallpaper using registry
  ransomware
behavioral10 behavioral9
- Target
  
  5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa
- Size
  
  563KB
- MD5
  
  3f400f30415941348af21d515a2fc6a3
- SHA1
  
  bd0bf9c987288ca434221d7d81c54a47e913600a
- SHA256
  
  5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa
- SHA512
  
  0d4c3ee8807bbbf635ce2d1ce1b747c23cc2724ff999580169e5514c7c97109083bea169bd6a5f8be35f3b679bb8446839fcc7a38f78503658eda306bec69154
- SSDEEP
  
  12288:TFx0B/O7JxPzW9JPlHKtxYRkG7zLfpXE6SbJ:Rx7zW9JPlGskG1v
Score

10^/10

blackbasta evasion ransomware
- Black Basta
  A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
  ransomware blackbasta
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Sets desktop wallpaper using registry
  ransomware
behavioral11 behavioral12
- Target
  
  7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a
- Size
  
  543KB
- MD5
  
  998022b70d83c6de68e5bdf94e0f8d71
- SHA1
  
  b87a947f3e85701fcdadd733e9b055a65a3b1308
- SHA256
  
  7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a
- SHA512
  
  2744b77f951bd2bb34b094dd3b54fcf8f7dca76e03c745809edc045749c814c7d88c9ddd69ad684a1c156716afae76b5ebec3f932d0f2a72b242878134f65647
- SSDEEP
  
  12288:M1DTMHixr1moQqUiXINDl/m1s6BQio67VlA:AzmoQqUiXw2s6yiVx
Score

10^/10

blackbasta ransomware spyware stealer
- Black Basta
  A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
  ransomware blackbasta
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (9536) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral13 behavioral14
- Target
  
  ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e
- Size
  
  543KB
- MD5
  
  53fdeb923b1890d29b8f29da77995938
- SHA1
  
  a996ccd0d58125bf299e89f4c03ff37afdab33fc
- SHA256
  
  ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e
- SHA512
  
  7c78e880f3d2dfc163625ff3d0b4676aa6a083dbbeac270520679f6b21d1c449c5af720ca7b9a68b5b3309e2de8d586cfed5d9b3a78d006e6d981a1aaf88c535
- SSDEEP
  
  12288:M1DTMHixr1moQqUiXINDl/m1s6BQio67VlAU:AzmoQqUiXw2s6yiVxR
Score

10^/10

blackbasta ransomware
- Black Basta
  A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
  ransomware blackbasta
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (498) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral15 behavioral16

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Black Basta

Deletes shadow copies

Renames multiple (208) files with added filename extension

Sets desktop wallpaper using registry

Black Basta

Deletes shadow copies

Renames multiple (4589) files with added filename extension

Black Basta

Renames multiple (2402) files with added filename extension

Renames multiple (4138) files with added filename extension

Reads user/profile data of web browsers

Sets desktop wallpaper using registry

Black Basta

Deletes shadow copies

Modifies boot configuration data using bcdedit

Checks computer location settings

Sets desktop wallpaper using registry

Black Basta

Deletes shadow copies

Renames multiple (9536) files with added filename extension

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Black Basta

Deletes shadow copies

Renames multiple (498) files with added filename extension

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16