Manuel Statik Analiz (LLM Okumali) — Black Basta Ransomware (Linux ESXi Sifreleyici) | Tehdit: KRITIK

Fichier Kimligi

SHA256a8894d8a71082d2a2d8799129eada9db0b280af6bfca02e9c3f214890bc67ea3
PlatformLinux ELF (64-bit)
HedefVMware ESXi sunuculari
Taille174.272 byte
DilC++ (GCC, ghc::filesystem)

TOR C2 / Fidye Iletisim (Cleartext)

Kritik IOC: TOR hidden service adresi binary icerisinde cleartext olarak bulunmaktadir.
TOR Onion URLhttps://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
TOR Browserhttps://torproject.org

Fidye Notu (Cleartext String)

DECRYPTION

Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
You can contact us and decrypt one file for free on this TOR site
(you should download and install TOR browser first https://torproject.org)
https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Gelistirici Izi

C:/Users/dssd/Desktop/src
Kullanici adi: dssd
Proje: Desktop/src (dogrudan masaustu uzerinde gelistirilmis)

Teknik Ozellikler

  • Linux ELF — VMware ESXi hipervizor ortamlarini hedefler
  • ghc::filesystem C++ kutuphanesi ile dosya sistemi gezintisi
  • pthread — coklu is parcacigi ile paralel sifreleme
  • Cift gasp (double extortion): hem veri cikarimi hem de sifreleme
  • Sifreleme sureleri loglanir: "Done time: X.XXXX seconds, encrypted: X.XXXX gb"

Black Basta Hakkinda

Black Basta, 2022 yilinda ortaya cikan ve Conti ransomware grubunun dagilmasinin ardından kurulan bir fidye yazilimi operasyonudur. Hem Windows hem de Linux (ESXi) hedefler. Cift gasp yontemiyle kurbanlardan hem sifre cozme ucreti hem de veri silmesi ucreti talep eder.

IOC

SHA256a8894d8a71082d2a2d8799129eada9db0b280af6bfca02e9c3f214890bc67ea3
TOR C2aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion
PlatformLinux ELF (ESXi hedefi)
PDB Devdssd

BlackBasta — Profil du malware

Black Basta ransomware grubu loaer/dropper. Microsoft Office Setup Engine (ose.pdb) olarak gizlenir. Global\OfficeSourceEngine64Mutex sahte mutex. Self-modifying .ex_cod section. Minimal import + runtime GetProcAddress API cozme. WinHttp C2. Token manipulasyonu.

Type de malware
Ransomware
Langage de programmation
C++
Protocole C2
Systèmes ciblés
Windows/Linux

Capacités et comportement

Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)

Liste IOC (1 indicateurs)

IOC — BlackBasta
# SHA256 a8894d8a71082d2a2d8799129eada9db0b280af6bfca02e9c3f214890bc67ea3
TypeValeurNote
sha256 a8894d8a71082d2a2d8799129eada9db0b280af6bfca02e9c3f214890bc67ea3

Serveurs C2 (1 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion domain 443 — inactive —

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
black-bastaransomwarelinux-elfesxivmwaretor-onionc2double-extortionpdb-dssd