General

  • Target

    17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.7z

  • Size

    227KB

  • Sample

    250413-vf3h8szlv8

  • MD5

    a76b0cd547d42de6327a1465b2be908e

  • SHA1

    9e798931cf8c3a25f48f0c8f044f19197e811f36

  • SHA256

    e6f463ee1c4b789980b13b9e0b2b5c625dc4b4863c23f6f62237a7f7e7405c7b

  • SHA512

    8bd5ab9719182576fe8b5d1b7712e1f9a22f32fcdcb75829f691703f479d413af5411eb0610e414b600a30c65f95f1a7a576e84bd09625e92ab74d557b5e4e07

  • SSDEEP

    6144:RPnZXClM0TZ5LOKQclPXpz2Rme1pLuij9:RPnZXCtnqbcxX16LPh

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

blackbasta

Ransom Note

All of your files are currently encrypted by no_name_software. These files cannot be recovered by any means without contacting our team directly.

DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value.

DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.

DON'T TRY TO CONTACT feds or any recovery companies. We have our informants in these structures, so any of your complaints will be immediately directed to us. So if you will hire any recovery company for negotiations or send requests to the police/FBI/investigators, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately.

DON'T move or rename your files. These parameters can be used for encryption/decryption process.

To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge.

You can contact our team directly for further instructions through our website :

TOR VERSION :
(you should download and install TOR browser first https://torproject.org)

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/

Your company id for log in: c98fa42b-3233-45df-bd7c-42529c44cb70

Your company key: 3 of any of your dc through comma. Example: "DC1, DC2, DC3". You can type less if you have no enough

YOU SHOULD BE AWARE!
We will speak only with an authorized person. It can be the CEO, top management, etc.
In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company!
Inform your supervisors and stay calm!
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/

Targets

    • Black Basta

      A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

    • Blackbasta family

    • Renames multiple (5665) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v16

Tasks