General

  • Target

    1.bin

  • Size

    2.2MB

  • MD5

    aea5d3cced6725f37e2c3797735e6467

  • SHA1

    087497940a41d96e4e907b6dc92f75f4a38d861a

  • SHA256

    3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83

  • SHA512

    5489753ae1c3ba0dbd3e0ce1b78b0ccba045e534e77fb87c80d56b16229f928c46a15721020142bbc6bd4d1ba5c295f4bec3596efa7b46c906889c156dadbd66

  • SSDEEP

    49152:BEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW:BbyaALKjwWXV1P9oVvwwW

Score
10/10

Malware Config

Extracted

Family

blackcat

Credentials
  • Username:
    KELLERSUPPLY\Administrator
  • Password:
    d@gw00d
  • Username:
    KELLERSUPPLY\AdminRecovery
  • Password:
    K3ller!$Supp1y
  • Username:
    .\Administrator
  • Password:
    d@gw00d
  • Username:
    .\Administrator
  • Password:
    K3ller!$Supp1y
Attributes
  • enable_network_discovery

    true

  • enable_self_propagation

    false

  • enable_set_wallpaper

    true

  • extension

    sykffle

  • note_file_name

    RECOVER-${EXTENSION}-FILES.txt

  • note_full_text

    >> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

  • Blackcat family
  • Detects command variations typically used by ransomware 1 IoCs
  • Unsigned PE 1 IoCs

    Checks for missing Authenticode signature.

Files

  • 1.bin
    .exe windows:4 windows x86 arch:x86

    2c3e267ae163c15bfc251e74ea5319b2


    Headers

    Imports

    Sections