General

  • Target

    ENCRYPT_C_VISIBLEENTRY.exe.bin

  • Size

    391KB

  • Sample

    250124-zctt5symdn

  • MD5

    4be7c8cdc4eb344bc3bce1e9d2bf4b6d

  • SHA1

    5c18b5a920917420dfba267853769ce0e11ef57f

  • SHA256

    6aabcc25ae4ca7804b2f70fdf4b9fd17ca8cfd70bb0c9903a8d537570ebb9405

  • SHA512

    46492322b2392ab8ce9bde3f8ad62bd95e62de1d8c0a0c284ef58334a2e3e7a38ad193c2f69a0f6a5d769d12f6bc9fe815cb9699aa256dd474836c8d8bd7395c

  • SSDEEP

    12288:SUyh8ETAbg65kkZ7oZXu6PWHzXzroCvczjCo:3dDbgerajCo

Malware Config

Extracted

Path

C:\Program Files\instructions_read_me.txt

Family

blackbasta

Ransom Note

Hello! If you are reading this, it means we have encrypted your data and took your files. DO NOT PANIC! Yes, this is bad news, but we will have a good ones as well. YES, this is entirely fixable! Our name is BlackBasta Syndicate, and we are the largest, most advanced, and most prolific organized group currently existing. We are the ultimate cyber tradecraft with a credential record of taking down the most advanced, high-profile, and defended companies one can ever imagine. You can Google us later; what you need to know now is that we are business people just like you. We have your data and encrypted your files, but in less than an hour, we can put things back on track: if you pay for our recovery services, you get a decryptor, the data will be deleted from all of our systems and returned to you, and we will give you a security report explaining how we got you. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login: 461cccc9-8580-4474-845d-6f4c916b64cd This is a link to a secure chat. We will talk there. Inside that chat, we will share a second designated link that only your special team will be able to see. For now, think about the following. This incident hits your network and is stopping you from operating properly. The sooner you get back on track, the better it is. See you in the secure chat.
URLs

https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/

Targets

    • Target

      ENCRYPT_C_VISIBLEENTRY.exe.bin


    • Black Basta

      A ransomware family targeting Windows and Linux ESXi systems, first seen in February 2022.

    • Blackbasta family

    • Renames multiple (9633) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted and renamed.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks