4d9415d5daf15172f6fcbc577021a932f66da049ca750a73e3506015028b8674

Analysis

max time kernel
105s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
Size

2.7MB
MD5

b5b3cfe0287ec45c69472d2f2c9b1ea0
SHA1

e1544896b9e25a024f624314db4187805eba54b5
SHA256

4d9415d5daf15172f6fcbc577021a932f66da049ca750a73e3506015028b8674
SHA512

602aa8482375dcd0e20e21f07f7152f36e1b31e23e1a7372a91b88aba1864f993da3ae86d8b7290d3222c7aba2fff1b03beb370bfbedcfc63f801ce275de4959
SSDEEP

49152:JmhzrOZLOIaI6HMaJTtGbADeksRNfuv0P/9QXRNqFsZOxc1isfayXKvITLc66OY2:GzruaI6HMaJTtGb2sxENsoOxc1isCyXV

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification	C:\Program Files\CheckpointEnter.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
6040	5432	WerFault.exe	84
5860	5432	WerFault.exe	84
3604	5156	WerFault.exe	88
4384	5156	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5432	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
5432	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
5156	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
5156	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5432 wrote to memory of 5156	5432	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe	88
PID 5432 wrote to memory of 5156	5432	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe	88
PID 5432 wrote to memory of 5156	5432	2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe	88

C:\Users\Admin\AppData\Local\Temp\2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5432
- C:\Users\Admin\AppData\Local\Temp\2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe"
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5156 -s 416
    3⤵
    - Program crash
    PID:3604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5156 -s 432
    3⤵
    - Program crash
    PID:4384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 460
  2⤵
  - Program crash
  PID:6040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 460
  2⤵
  - Program crash
  PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5432 -ip 5432
1⤵
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5432 -ip 5432
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5156 -ip 5156
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5156 -ip 5156
1⤵
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pUc590D.tmp

Filesize
976KB

MD5
8707f286d3f8ba555fa9d854ac9a5081

SHA1
41dad29baf015cc3b94598d4f830634a5a928a5e

SHA256
062bd2114d216adc79ed58505bc02d5ecb8f095f188e294e0b602dc845d6c677

SHA512
a152ef1ab121813e7f47e5ff5868fbeadc1db5cc13669933437e416c77c4fbde88d56cdec035a69a40e45c52e9d78357244ff24effee7dc7e0b1e608e424816f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUc593F.tmp

Filesize
2.7MB

MD5
b5b3cfe0287ec45c69472d2f2c9b1ea0

SHA1
e1544896b9e25a024f624314db4187805eba54b5

SHA256
4d9415d5daf15172f6fcbc577021a932f66da049ca750a73e3506015028b8674

SHA512
602aa8482375dcd0e20e21f07f7152f36e1b31e23e1a7372a91b88aba1864f993da3ae86d8b7290d3222c7aba2fff1b03beb370bfbedcfc63f801ce275de4959

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUc5951.tmp

Filesize
1.2MB

MD5
fa1d7965a8cc9b71967329991c87842a

SHA1
33b4713bc704c6562a077de88a5f04b54eac7fff

SHA256
f93601be6bce1283840d5f59cb8a92d68aae82c3c8c078494dbd7ce1d413ff37

SHA512
6aa62d9080203fe06997cd5599b55bf00338331ac537f1ad0841366cb991a44b2850da0796b3597ca031786a93a2231f6e209e4703725de8b6b98d611fb27a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUc5973.tmp

Filesize
1.2MB

MD5
2fc59aa41fbccf02436bc992d5f46511

SHA1
92edb987b358de8e2f8edf58e275e127026bca17

SHA256
4f32e58c8d67d177529286b00a784706d3e8a9731653d8a686f73ebb3767207d

SHA512
362cab4044e92fad598fa792359d99dadf1e2e39d2c75ed1285eca505e86bb652b830a5088de3270ff2caa27091d722ae2084cccb4157f837a6eba08481db392

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUc5986.tmp

Filesize
512KB

MD5
f17c45349962ba1cb0716b0547fe1abb

SHA1
86d77868f9e16adaf71a1115b7739d2c66a4eb13

SHA256
9ad5484276f6e4342e2b423d6390c9426e74c6a3e47ce4b46523e9fe09b1fb42

SHA512
b6efda56e5b994bde4792b1ee68d6225d8b5966bcfd0546a7fa857d6d5a31da6915d09fab7c42f1ffdceca657a14acb29e992ee48f2f80d3b5926bad6fdd3cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUc5999.tmp

Filesize
2.6MB

MD5
aa37482c65da92de1c26c8edb07fc1f6

SHA1
e56852500639d5a8a982d0e32c3e06b569ffccae

SHA256
b2b46f68fd44359ad7f909ad19e4b45e3f62dc1dac5a2e5cf0b0ea02eff18156

SHA512
7ecf8579e1f741993b028c3108aade6d992565c2febc91affd66952726e07bef2dd50c3daf001f0dab63f0563e1effa4ddaf5752f4850e863b76b636c92d8be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUc59BB.tmp

Filesize
784KB

MD5
acddccbee295d6af8b75ad6a6f284fcd

SHA1
1976db56f34b6f5c9ea9240599487de08f1616e0

SHA256
17bbc59af2eb3984f596aeb631f7d793a73b8a99dff16198cd3c96dc14e04a80

SHA512
5c8acd076dcbc2b8cbda6fd2b4485ddbc6d286a47361ef9a802d0b32e5a8156b58a3efc9e48c82e71463c3d4edb6b53ae6c18e99ef54497c8c67a0526e541225

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUc59CE.tmp

Filesize
550KB

MD5
db89d002488de07d6f5a37df9b5685df

SHA1
270e10a322ea5239b147687a2ff4fffc52153a72

SHA256
00e9a597a59acec31b0505a88b88dba3fe99fd80cf5161049028f351d3714c14

SHA512
2f92bed7feda2a83625850ba73fa125e19a7be04af85621d1e16d3ef2aa8969d8b346872847f29054739896a9184f1b3d33a9a2805648c2996763e951b73a615

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUc59F0.tmp

Filesize
4.4MB

MD5
116c7080a3442e77abf29c4c42af8944

SHA1
97e9c3b878579bd406b405b934a0febe1c020539

SHA256
7b1e251a55b6f990ac1205c938d7273b94eb737eace22a89e649fd086b7dbc81

SHA512
ae589927909d78c01170196968ece0b455a6329e7a70f3aa87e5a2a5b895c0905823c681a7dc6fc9ac4e7d7cf268603f6e249d5cc74847c797426a4db54980b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUc5A12.tmp

Filesize
861KB

MD5
e81c1a202930e81b921e8bea2251ad24

SHA1
72440d06324d9679903d1239ab9da15203fecbcb

SHA256
c96cec64624f28e3f9f919ea98a1db2dfcca1e2403c2290345d8fc9b056177e3

SHA512
eeccac69217a2d621c7d538c94446de186da05f6e6dc18393b30ca75ad515c0498653c9c91f6df028ea750942f77d0d4157b632f22a1650ff81af07754eeed4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUc5A73.tmp

Filesize
23.8MB

MD5
ee99819cb2a00a47498d1493ef3b9d78

SHA1
96eca495a39709e87a8673ee66f24feb67bcaf88

SHA256
0756a287d8fda6fd427fb708dca91a2473773f4d87092234af432d1320bbf63f

SHA512
38d58c8c67ccbd0a86a44b6fae0e65ea8a9ce97f9d0829970bf793bc24e1d848fd3de685a24a5935ab43ac8660cff084a46ed4db43121c5361091a767cbdd8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUc6A46.tmp

Filesize
646KB

MD5
3bc3f772bd67659133552d529305f146

SHA1
63def4031aa0cdef47a2c835b1dba96f71949741

SHA256
496fa1a81a855feb405a2c70c00319c39a8bb521e3f11cb69c88e4562f7c533e

SHA512
be3d5bd6398aa6a159329f3683fba9615e66bad3650cadbe43381d9445fa69d54351188eb5b979a21dfd17e7fb41c5123bc3523d1f4e8dfb9c949f0f5e8d06a6

Download Submit
memory/5156-249-0x0000000000400000-0x00000000006B5000-memory.dmp

Filesize
2.7MB

Download
memory/5432-201-0x0000000000400000-0x00000000006B5000-memory.dmp

Filesize
2.7MB

Download