General

  • Target

    9c1b4c49ecfd2dc93ee842591422483e0c573f115f8d17c5fb58f9130ee0c70dN

  • Size

    1.5MB

  • Sample

    241105-dslb2swken

  • MD5

    eae2c3ed7ce3e11a0668304b21077320

  • SHA1

    ab97d3d1b6120e4124b5c4f1188fa93118de84f1

  • SHA256

    9c1b4c49ecfd2dc93ee842591422483e0c573f115f8d17c5fb58f9130ee0c70d

  • SHA512

    7c556d89e4aee9250eced80ce8dcd05b7c3d57bcacaf263ffc5b71ec8f7aa28cf63b02871d1c3c4a9d46a75e3a9d5a67d8372f275aae2655804ab032ca4aae81

  • SSDEEP

    24576:tKWeNczWidc+ysoJfQdGky80RYk9vbQotm/SXlk4QBb3Isa20y:gczWrsoJgy8oYgvbH8/slZm3If2d

Malware Config

Extracted

Path

C:\Program Files (x86)\instructions_read_me.txt

Family

blackbasta

Ransom Note

Hello! If you are reading this, it means we have encrypted your data and took your files. DO NOT PANIC! Yes, this is bad news, but we will have a good ones as well. YES, this is entirely fixable! Our name is BlackBasta Syndicate, and we are the largest, most advanced, and most prolific organized group currently existing. We are the ultimate cyber tradecraft with a credential record of taking down the most advanced, high-profile, and defended companies one can ever imagine. You can Google us later; what you need to know now is that we are business people just like you. We have your data and encrypted your files, but in less than an hour, we can put things back on track: if you pay for our recovery services, you get a decryptor, the data will be deleted from all of our systems and returned to you, and we will give you a security report explaining how we got you. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login: 4f80cd7d-b588-4df3-a267-724e8a3383b8 This is a link to a secure chat. We will talk there. Inside that chat, we will share a second designated link that only your special team will be able to see. For now, think about the following. This incident hits your network and is stopping you from operating properly. The sooner you get back on track, the better it is. See you in the secure chat.

URLs

https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/

Targets

    • Black Basta

      A ransomware family targeting Windows and Linux (VMware ESXi) hosts, first seen in February 2022.

    • Blackbasta family

    • Renames multiple (10692) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks