General

  • Target

    2025-05-18_741e798671e3b351730e5c31970a2cfb_black-basta_cobalt-strike_satacom

  • Size

    527KB

  • Sample

    250518-lxfalaam41

  • MD5

    741e798671e3b351730e5c31970a2cfb

  • SHA1

    26c909c17979cd8b282d4184386af17da327ccec

  • SHA256

    6151a3a1650500712dec094b331a025e157c0c24ebcde7c048290c79a23c13cd

  • SHA512

    585f4656578a345306894988a5d4b804c86c45ba71e677118c7cda15f2abd81e9c049355451a44962c487bde278d8c40a68bd9386c3c04ef39f9f056e9651696

  • SSDEEP

    6144:O7rGDztaY97nTPBPleJ0kDjRPveeDhXHnXgJs4HLVVDPmhVV1yGvZVVFWODhxR2:0GFf7nqJ0kD9neeDxynHhmLt3

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\RecoverYourFiles.txt

Ransom Note
=============================================================
DECRYPTION ID (IMPORTANT): 200NV3845M8OI64N
=============================================================

======================================================================
======== ALL YOUR FILES HAVE BEEN ENCRYPTED ======================
======================================================================

If you are reading this, its already too late, your system has been compromised.
all your important files are SECURLY LOCKED by Desolator locker, including:
. Documents
. Photos
. Videos
. Music
. Databases
. Archives
. Projects
etc...

- But dont worry, the files are recoverable ONLY IF YOU DO WHAT WE SAY
- To unlock your files, you have to pay a certain amount of money in crypto
- Our team will guide you to pay the ransom and send you a decryption tool

============================================================================================
- Don't be a smart ass and don't try anything, this is the only way to recover your data :)
- Don't be a smart ass and don't try anything, this is the only way to recover your data :)
- Don't be a smart ass and don't try anything, this is the only way to recover your data :)
- Don't be a smart ass and don't try anything, this is the only way to recover your data :)
============================================================================================

We are not politically motivated, our motivations are purely financial.
we are an independent group of security professionals.
we have no ties to any government or entity.

=====================================================================
================= HOW TO DECRYPT YOUR FILES =====================
=====================================================================

1. Download Session Messenger from here: https://getsession.org/
2. Contact our support team at this Session ID: 054ed5c279e4d25add442a8dbe8092c2b7649370f3e61f32234cf78de051449b1e
3. Send your DECRYPTION ID mentioned at the top of this file.
4. our support team will start the ransom negotiation.

=====================================================================================
==================== CONTACT DEADLINE : 48 HOURES =================================
=====================================================================================

After the 48 hour deadline your ONE-TIME decryption keys WILL BE AUTOMATICALLY DISTROYED

DO NOT attempt to rename, move, or tamper with encrypted files.
Any such actions may result in irreversible data loss.

-> DO NOT TRY TO DECRYPT THE FILES USING FREE OR COMMERCIAL TOOLS
-> THESE TOOLS WILL ALTER THE FILE STRUCTURE AND IT WON'T BE RECOVERABLE AFTERWARDS
-> OUR ENCRYPTION TECHNIQUES ARE SECURE, DONT BOTHER TRYING, YOU ARE NOT THE FIRST ONE :D
-> WE WILL NOT GUARANTEE DATA RECOVERY IF THE FILES ARE MODIFIED IN ANY WAY

=====================================================================================
========================== DECRYPTION PROOF ========================================
=====================================================================================

- How can you know that we are not lying?
. We provide a sample decryption to prove that your files are recoverable
. We are not scammers, this is our business and we care about our reputation
. Send one of your files ( size < 100 MB ) that doesn't contain any important info
. We will send you a decrypted sample immediately
. We will guarantee one-time decryption and you won't be targeted by us ever again

-> WE WILL NOT DAMAGE OUR REPUTATION BY SCAMMING AND LYING, THIS IS OUR BUSINESS

=====================================================================================
=================== ADVERTISEMENT : PARTNERSHIP & AFFILIATE ========================
=====================================================================================

- We are activly looking for affiliates who can work with us as access brokers or partners
- If you are a freelance pentester, cracker or even not a tech guy at all
- If you have access to any network or infrastructure or know someone who does, we can work togehter
- Your real identity is protected, we don't know who you are and you don't need any verification
- You will remain completly anonymous, as a proxy or an affiliate

Contact our support team for partnership and affiliate program:
Session ID: 054ed5c279e4d25add442a8dbe8092c2b7649370f3e61f32234cf78de051449b1e

Regards,
- The Desolated Collective

URLs

https://getsession.org/

Targets

    • Target

      2025-05-18_741e798671e3b351730e5c31970a2cfb_black-basta_cobalt-strike_satacom

    • Modifies WinLogon for persistence

    • Renames multiple (937) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Modifies boot configuration data using bcdedit

    • Sets desktop wallpaper using registry
