Overview

overview

10

Static

static

3

BlackBasta_03.bin.exe

windows7-x64

10

BlackBasta_03.bin.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    BlackBasta_03.bin.exe

  • Size

    716KB

  • Sample

    241130-a95v8svmax

  • MD5

    ac625552601c190656dcb8cf4c21cd1d

  • SHA1

    acad7a91c2812a0652d62f252774454c217666e9

  • SHA256

    03309c90e6c60a2e3cd44374efa3003ae10cd9e05ba6a39c77aa5289b32cb969

  • SHA512

    9e04dbbc624e808a678e64648dbc12deb286341876ea4590d50f996732dde2b91c6b7defbffcbdd3883c74a98488a0ad26540b364942d3117625770bc4e5e6d3

  • SSDEEP

    12288:nB6xrkyoUKbidQN0M2TNK36YPiCuL1+jZ5tXdAD6x/NJxaZUzrd9gW6PdrO5SAou:nwrkyoUGJJgWQrOUAua

Score
10/10
blackbastacredential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Ransom Note
Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: 5f19e2b1-ca23-4d1d-b642-de2543c02742 
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Targets

    • Target

      BlackBasta_03.bin.exe

    • Size

      716KB

    • MD5

      ac625552601c190656dcb8cf4c21cd1d

    • SHA1

      acad7a91c2812a0652d62f252774454c217666e9

    • SHA256

      03309c90e6c60a2e3cd44374efa3003ae10cd9e05ba6a39c77aa5289b32cb969

    • SHA512

      9e04dbbc624e808a678e64648dbc12deb286341876ea4590d50f996732dde2b91c6b7defbffcbdd3883c74a98488a0ad26540b364942d3117625770bc4e5e6d3

    • SSDEEP

      12288:nB6xrkyoUKbidQN0M2TNK36YPiCuL1+jZ5tXdAD6x/NJxaZUzrd9gW6PdrO5SAou:nwrkyoUGJJgWQrOUAua

    Score
    10/10
    blackbastacredential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer

    • Black Basta

      A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

      ransomwareblackbasta

    • Blackbasta family

      blackbasta

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (9743) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks