{
	"id": "2b996c34-487d-4722-af75-ee2bcb1495ef",
	"created_at": "2026-04-06T00:12:35.45715Z",
	"updated_at": "2026-04-10T03:29:39.77937Z",
	"deleted_at": null,
	"sha1_hash": "704436a5f8a23e3db290d023fccb90675e090955",
	"title": "Malware analysis report: BlackCat ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3729008,
	"plain_text": "Malware analysis report: BlackCat ransomware\r\nBy MSSP Research Lab\r\nPublished: 2023-07-13 · Archived: 2026-04-05 20:56:29 UTC\r\n10 minute read\r\nBlackCat is Rust-based ransomware distributed via the Ransomware-as-a-Service (RaaS) model. BlackCat was first observed in November 2021 and has since been used to target multiple sectors and organizations in numerous countries and regions in Africa, the Americas, Asia, Australia, and Europe.\r\nThis ransomware and its operators caught our attention after this piece of news: “ALPHV ransomware group claims to have ransomed Maruchan, the company that creates instant noodles.”\r\nhttps://mssplab.github.io/threat-hunting/2023/07/13/malware-analysis-blackcat.html\r\nPage 1 of 26\r\nThe name “BlackCat” was first mentioned by MalwareHunterTeam:\r\nhttps://twitter.com/vxunderground/status/1679128724489289728\r\nTechnical summary\r\nThis ransomware encrypts the data of business users and corporate networks using AES-128 (CTR mode) and RSA-2048, and then demands a hefty ransom payment in BTC or Monero to decrypt the files. Instead of AES, the ChaCha20 algorithm can be used. The embedded configuration is consulted to retrieve the global RSA public key, which is used to protect the per-file symmetric keys. Original title: ALPHV-ng RaaS. A striking example of the use of the Rust programming language. BlackCat is capable of encrypting data on Windows, Linux, and VMware ESXi systems.\r\nThreat Actor\r\nMost threat hunting labs, MSSP Lab included, have observed one of these RaaS providers, ALPHV (also known as BlackCat ransomware), gathering traction since late 2021, actively recruiting new affiliates and targeting organizations in a variety of industries across the globe. The group actively recruits former REvil, BlackMatter, and DarkSide operators. 
A campaign to attract new affiliates started to be advertised on underground forums:\r\nIdentification\r\nSamples under investigation:\r\nsample.exe:\r\nFile size: 2281472 bytes\r\nMD5 sum: aea5d3cced6725f37e2c3797735e6467\r\nSHA-1 sum: 087497940a41d96e4e907b6dc92f75f4a38d861a\r\nSHA-256 sum: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83\r\nFirst of all, check the sample via VirusTotal:\r\nhttps://www.virustotal.com/gui/file/3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83/details\r\nAs we can see, 60 of 71 AV engines detect the sample as malicious.\r\nThe more interesting sample is the one written in Rust:\r\nsample2.exe:\r\nFile size: 2281472 bytes\r\nMD5 sum: 701b4b004eecb69046c210237846d46d\r\nSHA-1 sum: 8c70191b12f14eed594388c8fbe05efe6ebaa564\r\nSHA-256 sum: 6dd995d896a9a593b2c48d09da60bd83866d8577273f36d38788d83ad8173e68\r\nwhich we also checked via VirusTotal:\r\nhttps://www.virustotal.com/gui/file/6dd995d896a9a593b2c48d09da60bd83866d8577273f36d38788d83ad8173e68\r\nAs we can see, 55 of 70 AV engines detect the sample as malicious.\r\nMost of them detect it as Win.Ransomware.BlackCat-9974801-0.\r\nStatic analysis\r\nsample.exe\r\nThe specified sample is a 32-bit PE file:\r\nfile \u003csample.exe\u003e\r\nhexdump -C \u003csample.exe\u003e\r\nUse exiftool to look at the metadata:\r\nexiftool \u003csample.exe\u003e\r\nThe file timestamp is 2021:11:18 05:04:28-05:00. Compiled via MinGW:\r\nShannon entropy:\r\n
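The entropy shown in the screenshots can be reproduced on any file. The following is an added example, not code from the MSSP Lab report: it computes the Shannon entropy of a whole buffer and of each 256-byte chunk, and flags chunks at or above 7.2 bits per byte, which is a common packing/encryption heuristic rather than a value from the report. The sample bytes are constructed for the demonstration; pass a real path as the first argument to analyse a sample.

```python
"""Shannon entropy of a binary, overall and per chunk.

Added example, not code from the MSSP Lab report. The 7.2 bits/byte threshold
is a common heuristic for packed or encrypted regions, not a value from the
report; SAMPLE is a constructed byte string, not one of the analysed files.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chunk_entropies(data: bytes, chunk_size: int = 256):
    """Entropy of each consecutive chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def high_entropy_regions(data: bytes, chunk_size: int = 256, threshold: float = 7.2):
    """(offset, entropy) for every chunk at or above the threshold."""
    return [(i * chunk_size, e)
            for i, e in enumerate(chunk_entropies(data, chunk_size))
            if e >= threshold]


# Constructed sample: a low-entropy header-like region (MZ plus zero padding)
# followed by two chunks of uniformly distributed bytes, mimicking a PE whose
# packed section stands out from its headers.
SAMPLE = (b"MZ" + b"\x00" * 254) + bytes(range(256)) * 2


def analyse(data: bytes = SAMPLE) -> dict:
    return {
        "total": round(shannon_entropy(data), 3),
        "chunks": [round(e, 3) for e in chunk_entropies(data)],
        "suspicious": high_entropy_regions(data),
    }


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(analyse(blob))
```

A whole-file figure close to 8.0, as the report's screenshots show for these samples, is itself a signal, but the per-chunk view is what separates a packed section from normal code and data.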
sample2.exe\r\nThe specified sample is a 32-bit PE file:\r\nfile \u003csample2.exe\u003e\r\nhexdump -C \u003csample2.exe\u003e\r\nUse exiftool to look at the metadata:\r\nexiftool \u003csample2.exe\u003e\r\nLinker information: GNU binutils.\r\nEntropy:\r\nDynamic analysis\r\nBlackCat can be distributed via compromise of an insecure RDP configuration, email spam and malicious attachments, untrusted downloads, botnets, exploits, malicious advertisements, web injections, fake updates, and repackaged and infected installers.\r\nRansom Note:\r\n» Introduction\r\nImportant files on your system was ENCRYPTED and now they have \"sykffle\" extension.\r\nIn order to recover your files you need to follow instructions below.\r\n» Sensitive Data\r\nSensitive data on your system was downloaded and it will be published if you refuse to cooperate.\r\nData includes:\r\n- Employees personal data, CVs, DL, SSN.\r\n- Complete network map including credentials for local and remote services.\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements.\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format\r\n- And more...\r\nPrivate preview is published here: hxxx://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/***\r\n» CAUTION\r\nDO NOT MODIFY FILES YOURSELF.\r\nDO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.\r\nYOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.\r\nYOUR 
DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY.\r\n» Recovery procedure\r\nFollow these simple steps to get in touch and recover your data:\r\n1) Download and install Tor Browser from: https://torprojoject.org\r\n2) Navigate to: hxxx://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=***\r\nThe second sample is written in Rust:\r\nInitialisation and propagation - the BlackCat samples that we analyzed could be launched with any string provided as the access token:\r\n.\\sample.exe -v --access-token 1234567\r\nThe malware immediately checks that the access token was supplied, then queries the system UUID:\r\ncmd.exe /c wmic csproduct get UUID\r\nIt reads the supplied token from the command line via the GetCommandLineW API and validates it:\r\nBlackCat spawns a number of child processes with the following command lines (on Windows):\r\nwmic.exe Shadowcopy Delete\r\niisreset.exe /stop\r\nbcdedit.exe /set {default} recoveryenabled No\r\nor\r\ncmd /c vssadmin.exe delete shadows /all /quiet\r\nAs you can see, in order to prevent the organization from restoring encrypted files, the ransomware first deletes any available shadow copies and disables automatic recovery, as is characteristic of ransomware attacks.\r\nBlackCat also attempts to propagate via PsExec:\r\nPrivilege Escalation - using CoGetObject with an elevation moniker, the ransomware instantiates the COM class with CLSID 3E5FC7F9-9A51-4367-9063-A120244FBEC7 (CMSTPLUA, ICMLuaUtil), an auto-elevating class that is legitimately used to execute applications with elevated privileges. 
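The shadow-copy deletion, recovery-disabling and UUID-discovery command lines above are the observables a SOC can alert on. The following is an added example, not code from the MSSP Lab report: it scans constructed Sysmon-style process-creation records for exactly the commands the report quotes (vssadmin and wmic shadow copy deletion, bcdedit recoveryenabled No, iisreset /stop and wmic csproduct get UUID) and then groups hits by parent image, because a single vssadmin call is admin noise while several recovery-inhibiting commands from one parent in a row is the BlackCat pattern. The record layout, timestamps, the parent path C:\Users\Public\sample.exe and the T1489 tag on iisreset are assumptions for the demonstration.

```python
"""Detection of the command lines BlackCat spawns before encryption.

Added example, not code from the MSSP Lab report. SAMPLE_EVENTS are constructed
to resemble Sysmon Event ID 1 (process creation) records; the field layout,
timestamps and parent path are assumptions for the demonstration. The rules
encode only the command lines quoted in the report.
"""
import re
from dataclasses import dataclass

# (rule name, ATT&CK technique, regex over the normalised command line)
RULES = [
    ("vssadmin_delete_shadows", "T1490",
     r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    ("wmic_shadowcopy_delete", "T1490",
     r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
    ("bcdedit_disable_recovery", "T1490",
     r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b"),
    ("iisreset_stop", "T1489",
     r"\biisreset(?:\.exe)?\s+/stop\b"),
    ("wmic_csproduct_uuid", "T1082",
     r"\bwmic(?:\.exe)?\s+csproduct\s+get\s+uuid\b"),
]
COMPILED = [(name, tech, re.compile(rx, re.IGNORECASE)) for name, tech, rx in RULES]

# Constructed records. Command lines sit in single quotes so that the double
# quotes the report shows around some of them survive intact.
SAMPLE_EVENTS = [
    "2023-07-13T10:21:01Z EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine='cmd.exe /c wmic csproduct get UUID' ParentImage=C:\\Users\\Public\\sample.exe",
    "2023-07-13T10:21:03Z EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine='cmd /c vssadmin.exe delete shadows /all /quiet' ParentImage=C:\\Users\\Public\\sample.exe",
    "2023-07-13T10:21:04Z EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine='wmic.exe  Shadowcopy  Delete' ParentImage=C:\\Users\\Public\\sample.exe",
    "2023-07-13T10:21:05Z EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine='bcdedit.exe /set {default} recoveryenabled No' ParentImage=C:\\Users\\Public\\sample.exe",
    "2023-07-13T10:21:06Z EventID=1 Image=C:\\Windows\\System32\\iisreset.exe CommandLine='\"iisreset.exe /stop\"' ParentImage=C:\\Users\\Public\\sample.exe",
    "2023-07-13T10:25:00Z EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine='vssadmin.exe list shadows' ParentImage=C:\\Windows\\explorer.exe",
    "2023-07-13T10:26:00Z EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe CommandLine='' ParentImage=C:\\Windows\\explorer.exe",
]

EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s.*?CommandLine='(?P<cmd>[^']*)'\s+ParentImage=(?P<parent>\S+)"
)


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    parent: str
    command_line: str


def normalise(cmd: str) -> str:
    # Drop the quoting the report shows around some command lines and collapse
    # whitespace runs so that padded arguments do not evade the patterns.
    return re.sub(r"\s+", " ", cmd.replace('"', "")).strip()


def scan_events(lines):
    """One Finding per (event, rule) match, process-creation events only."""
    findings = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m or m.group("id") != "1":
            continue  # only process-creation events carry a command line
        cmd = normalise(m.group("cmd"))
        for name, technique, rx in COMPILED:
            if rx.search(cmd):
                findings.append(Finding(name, technique, m.group("parent"), cmd))
    return findings


def ransomware_parent_candidates(findings, min_distinct_rules=2):
    """Parent images that fired at least `min_distinct_rules` different rules."""
    by_parent = {}
    for f in findings:
        by_parent.setdefault(f.parent, set()).add(f.rule)
    return sorted(p for p, rules in by_parent.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.technique} {h.rule:<26} parent={h.parent} cmd={h.command_line!r}")
    print("candidates:", ransomware_parent_candidates(hits))
```

The read-only `vssadmin.exe list shadows` from explorer.exe is deliberately left unmatched: the rules key on the destructive verbs, and the parent grouping is what turns five individually weak signals into one strong one.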
The CoGetObject elevation technique lets the malware run with administrator rights without triggering the UAC consent prompt, so its subsequent actions (shadow copy deletion, service termination, encryption) execute with elevated privileges.\r\nAnti-debugging - calls to the Sleep function make stepping through the code in a debugger more time-consuming and thus complicate reverse engineering:\r\nTerminating active services and processes - BlackCat then attempts to terminate any processes or services specified in the configuration, such as those that hold files open or would otherwise inhibit the encryption procedure.\r\nKill services:\r\nbackup memtas mepocs msexchange sql svc$ veeam vss\r\nand processes:\r\n\"kill_processes\": [\r\n    \"encsvc\",\r\n    \"thebat\",\r\n    \"mydesktopqos\",\r\n    \"xfssvccon\",\r\n    \"firefox\",\r\n    \"infopath\",\r\n    \"winword\",\r\n    \"steam\",\r\n    \"synctime\",\r\n    \"notepad\",\r\n    \"ocomm\",\r\n    \"onenote\",\r\n    \"mspub\",\r\n    \"thunderbird\",\r\n    \"agntsvc\",\r\n    \"sql\",\r\n    \"excel\",\r\n    \"powerpnt\",\r\n    \"outlook\",\r\n    \"wordpad\",\r\n    \"dbeng50\",\r\n    \"isqlplussvc\",\r\n    \"sqbcoreservice\",\r\n    \"oracle\",\r\n    \"ocautoupds\",\r\n    \"dbsnmp\",\r\n    \"msaccess\",\r\n    \"tbirdconfig\",\r\n    \"ocssd\",\r\n    \"mydesktopservice\",\r\n    \"visio\"\r\n]\r\nEncryption process - BlackCat first traverses the file system using a FindFirstFile / FindNextFile loop to enumerate files:\r\nThe ransom note is then written to each directory using WriteFile:\r\nUsing BCryptGenRandom, the ransomware generates a random AES key:\r\nEach file’s contents are read with ReadFile and written back in place with WriteFile after it has been 
encrypted with AES.\r\nThe new file extension is taken from the BlackCat configuration.\r\nWe created a simple BlackCat Ransomware configuration extractor. It carves the JSON object that starts with the literal {\"config_id\" by tracking brace depth, rather than taking a fixed-size window, so the result always parses:\r\nimport hashlib\r\nimport os\r\nimport json\r\nimport binascii\r\nimport argparse\r\nimport sys\r\nfrom typing import Union\r\n\r\nclass BlackCatConfig:\r\n    # Thin wrapper around the decoded configuration dictionary.\r\n    def __init__(self, config: dict):\r\n        self.config = config\r\n\r\n    def __str__(self):\r\n        output = \"\"\r\n        for key in self.config.keys():\r\n            output += f\"{key}: {self.config[key]}\\n\"\r\n        return output\r\n\r\ndef calc_md5(data: bytes) -\u003e str:\r\n    hasher = hashlib.md5()\r\n    hasher.update(data)\r\n    return hasher.hexdigest()\r\n\r\ndef calc_sha256(data: bytes) -\u003e str:\r\n    hasher = hashlib.sha256()\r\n    hasher.update(data)\r\n    return hasher.hexdigest()\r\n\r\ndef get_file_info(file: str) -\u003e int:\r\n    return os.stat(file).st_size\r\n\r\ndef scan_file(data: bytes, search: bytes) -\u003e Union[int, None]:\r\n    # Offset of the first occurrence of `search`, or -1 if it is absent.\r\n    return data.find(search)\r\n\r\ndef find_config_end(data: bytes, start: int) -\u003e int:\r\n    # Walk forward from the opening brace at `start`, tracking nesting depth\r\n    # and skipping over quoted strings, until the top-level JSON object closes.\r\n    # Returns the index just past the closing brace, or -1 if it never closes.\r\n    depth = 0\r\n    in_string = False\r\n    i = start\r\n    while i \u003c len(data):\r\n        b = data[i:i + 1]\r\n        if in_string:\r\n            if b == b'\\\\':\r\n                i += 1  # skip the escaped character\r\n            elif b == b'\"':\r\n                in_string = False\r\n        elif b == b'\"':\r\n            in_string = True\r\n        elif b == b'{':\r\n            depth += 1\r\n        elif b == b'}':\r\n            depth -= 1\r\n            if depth == 0:\r\n                return i + 1\r\n        i += 1\r\n    return -1\r\n\r\ndef main():\r\n    parser = argparse.ArgumentParser(description='BlackCat Ransomware conf extractor')\r\n    parser.add_argument('-j', '--json', action='store_true', help='dump extracted config to a json file')\r\n    parser.add_argument('file', type=str, help='path to sample')\r\n    args = parser.parse_args()\r\n    try:\r\n        with open(args.file, 'rb') as f:\r\n            data = f.read()\r\n        print(f\"file size (bytes): {get_file_info(args.file)}\")\r\n        print(f\"MD5: {calc_md5(data)}\")\r\n        print(f\"SHA-256: {calc_sha256(data)}\")\r\n        # the embedded configuration starts with the literal {\"config_id\"\r\n        off = scan_file(data, binascii.unhexlify(\"7B22636F6E6669675F696422\"))\r\n        if off == -1:\r\n            print(\"\\nunable to find config offset :(\\n\\n\")\r\n            sys.exit(1)\r\n        # carve exactly one JSON object; a fixed 8000-byte window would drag in\r\n        # trailing bytes and make json.loads fail\r\n        end = find_config_end(data, off)\r\n        if end == -1:\r\n            print(\"\\nconfig object is not terminated\\n\\n\")\r\n            sys.exit(1)\r\n        cfg = data[off:end]\r\n        if args.json:\r\n            filename = f\"blackCat_config-{calc_md5(data)}.json\"\r\n            with open(filename, 'w') as jsonOutput:\r\n                jsonOutput.write(cfg.decode('utf-8'))\r\n            print(f\"\\nwrote {len(cfg)} bytes to {filename}\\n\\n\")\r\n        config = BlackCatConfig(json.loads(cfg))\r\n        print(config)\r\n    except Exception as e:\r\n        print(f\"an error occurred: {e}\")\r\n        sys.exit(1)\r\n\r\nif __name__ == \"__main__\":\r\n    main()\r\nAfter BlackCat has finished encrypting all files on the system, the desktop wallpaper is changed to direct the user to the ransom note.\r\nIOC\r\nOther samples (SHA-256):\r\n0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479\r\n13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31\r\n15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed\r\n1af1ca666e48afc933e2eda0ae1d6e88ebd23d27c54fd1d882161fd8c70b678e\r\n2587001d6599f0ec03534ea823aab0febb75e83f657fadc3a662338cc08646b0\r\n28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169\r\n2cf54942e8cf0ef6296deaa7975618dadff0c32535295d3f0d5f577552229ffc\r\n38834b796ed025563774167716a477e9217d45e47def20facb027325f2a790d1\r\n3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83\r\n40f57275721bd74cc59c0c59c9f98c8e0d1742b7ae86a46e83e985cc4039c3a5\r\n4e18f9293a6a72d5d42dad179b532407f45663098f959ea552ae43dbb9725cbf\r\n59868f4b346bd401e067380cac69080709c86e06fae219bfb5bc17605a71ab3f\r\n5bdc0fb5cfbd42de726aacc40eddca034b5fa4afcc88ddfb40a3d9ae18672898\r\n658e07739ad0137bceb910a351ce3fe4913f6fcc3f63e6ff2eb726e45f29e582\r\n731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161\r\n7b2449bb8be1b37a9d580c2592a67a759a3116fe640041d0f36dc93ca3db4487\r\n7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e\r\nbd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117\r\nbe8c5d07ab6e39db28c40db20a32f47a97b7ec9f26c9003f9101a154a5a98486\r\nc3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40\r\nc5ad3534e1c939661b71f56144d19ff36e9ea365
fdb47e4f8e2d267c39376486\r\nc8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283\r\ncefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae\r\nf815f5d6c85bcbc1ec071dd39532a20f5ce910989552d980d1d4346f57b75f89\r\nf837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb\r\nBitcoin: 1H3JFbyiwv6YeVW7K2mVjxHgNvJdXqJxiP\r\nMonero:\r\n46JqTG57Pv6GBRzjM9kHyCF8XHrAo9sr8dLuvqwcGbxT92dUAW12QpgZJnu32KrTfL1BzLp2sBi9G49JyXuRaKmT6JrJL9r\r\nYara rules\r\nYara rule for BlackCat Ransomware threat hunting:\r\nrule win_blackcat_auto {\r\n    meta:\r\n        author = \"Felix Bilstein - yara-signator at cocacoding dot com\"\r\n        date = \"2023-03-28\"\r\n        version = \"1\"\r\n        description = \"Detects win.blackcat.\"\r\n        info = \"autogenerated rule brought to you by yara-signator\"\r\n        tool = \"yara-signator v0.6.0\"\r\n        signator_config = \"callsandjumps;datarefs;binvalue\"\r\n        malpedia_reference = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat\"\r\n        malpedia_rule_date = \"20230328\"\r\n        malpedia_hash = \"9d2d75cef573c1c2d861f5197df8f563b05a305d\"\r\n        malpedia_version = \"20230407\"\r\n        malpedia_license = \"CC BY-SA 4.0\"\r\n        malpedia_sharing = \"TLP:WHITE\"\r\n    /* DISCLAIMER\r\n     * The strings used in this rule have been automatically selected from the\r\n     * disassembly of memory dumps and unpacked files, using YARA-Signator.\r\n     * The code and documentation is published here:\r\n     * https://github.com/fxb-cocacoding/yara-signator\r\n     * As Malpedia is used as data source, please note that for a given\r\n     * number of families, only single samples are documented.\r\n     * This likely impacts the degree of generalization these rules will offer.\r\n     * Take the described generation method also into consideration when you\r\n     * apply the rules in your use cases and assign them confidence levels.\r\n     */\r\n    strings:\r\n        $sequence_0 = { c3 81f90a010000 7e6a 
81f9e2030000 0f8fcc000000 81f90b010000 }\r\n            // n = 6, score = 600\r\n            // c3 | ret\r\n            // 81f90a010000 | cmp ecx, 0x10a\r\n            // 7e6a | jle 0x6c\r\n            // 81f9e2030000 | cmp ecx, 0x3e2\r\n            // 0f8fcc000000 | jg 0xd2\r\n            // 81f90b010000 | cmp ecx, 0x10b\r\n        $sequence_1 = { 85f6 0f8482000000 bb03000000 8d0437 }\r\n            // n = 4, score = 600\r\n            // 85f6 | test esi, esi\r\n            // 0f8482000000 | je 0x88\r\n            // bb03000000 | mov ebx, 3\r\n            // 8d0437 | lea eax, [edi + esi]\r\n        $sequence_2 = { 885405cc 48 eb19 89ca 83fa63 7fbe }\r\n            // n = 6, score = 600\r\n            // 885405cc | mov byte ptr [ebp + eax - 0x34], dl\r\n            // 48 | dec eax\r\n            // eb19 | jmp 0x1b\r\n            // 89ca | mov edx, ecx\r\n            // 83fa63 | cmp edx, 0x63\r\n            // 7fbe | jg 0xffffffc0\r\n        $sequence_3 = { f20f104808 8d45d4 894dec c645f004 8d4dec }\r\n            // n = 5, score = 600\r\n            // f20f104808 | movsd xmm1, qword ptr [eax + 8]\r\n            // 8d45d4 | lea eax, [ebp - 0x2c]\r\n            // 894dec | mov dword ptr [ebp - 0x14], ecx\r\n            // c645f004 | mov byte ptr [ebp - 0x10], 4\r\n            // 8d4dec | lea ecx, [ebp - 0x14]\r\n        $sequence_4 = { 3d32210000 747b 3d33210000 0f8571050000 8b07 }\r\n            // n = 5, score = 600\r\n            // 3d32210000 | cmp eax, 0x2132\r\n            // 747b | je 0x7d\r\n            // 3d33210000 | cmp eax, 0x2133\r\n            // 0f8571050000 | jne 0x577\r\n            // 8b07 | mov eax, dword ptr [edi]\r\n        $sequence_5 = { b005 5e 5d c3 81f90a010000 7e6a 81f9e2030000 }\r\n            // n = 7, score = 600\r\n            // b005 | mov al, 5\r\n            // 5e | pop esi\r\n            // 5d | pop ebp\r\n            // c3 | ret\r\n            // 81f90a010000 | cmp ecx, 0x10a\r\n            // 7e6a | jle 0x6c\r\n            // 81f9e2030000 | cmp ecx, 0x3e2\r\n        $sequence_6 = { 747b 3d33210000 0f8571050000 8b07 83f00a }\r\n            // n = 5, score = 600\r\n            // 747b | je 0x7d\r\n            // 3d33210000 | cmp eax, 0x2133\r\n            // 0f8571050000 | jne 0x577\r\n            // 8b07 | mov eax, dword ptr [edi]\r\n            // 83f00a | xor eax, 0xa\r\n        $sequence_7 = { b806000000 c7460400000000 894608 c70601000000 83c430 }\r\n            // n = 5, 
score = 600\r\n            // b806000000 | mov eax, 6\r\n            // c7460400000000 | mov dword ptr [esi + 4], 0\r\n            // 894608 | mov dword ptr [esi + 8], eax\r\n            // c70601000000 | mov dword ptr [esi], 1\r\n            // 83c430 | add esp, 0x30\r\n        $sequence_8 = { 89d0 ba3e000000 897e0c f7e2 }\r\n            // n = 4, score = 600\r\n            // 89d0 | mov eax, edx\r\n            // ba3e000000 | mov edx, 0x3e\r\n            // 897e0c | mov dword ptr [esi + 0xc], edi\r\n            // f7e2 | mul edx\r\n        $sequence_9 = { c6410b00 66c741090000 8b45ec 894110 c7411400000000 b801000000 8901 }\r\n            // n = 7, score = 600\r\n            // c6410b00 | mov byte ptr [ecx + 0xb], 0\r\n            // 66c741090000 | mov word ptr [ecx + 9], 0\r\n            // 8b45ec | mov eax, dword ptr [ebp - 0x14]\r\n            // 894110 | mov dword ptr [ecx + 0x10], eax\r\n            // c7411400000000 | mov dword ptr [ecx + 0x14], 0\r\n            // b801000000 | mov eax, 1\r\n            // 8901 | mov dword ptr [ecx], eax\r\n    condition:\r\n        7 of them and filesize \u003c 29981696\r\n}\r\nMITRE ATT\u0026CK\r\nT1027.002 - Obfuscated Files or Information: Software Packing\r\nT1027 - Obfuscated Files or Information\r\nT1007 - System Service Discovery\r\nT1059 - Command and Scripting Interpreter\r\nTA0010 - Exfiltration\r\nT1082 - System Information Discovery\r\nT1490 - Inhibit System Recovery\r\nT1485 - Data Destruction\r\nT1078 - Valid Accounts\r\nT1486 - Data Encrypted for Impact\r\nT1140 - Deobfuscate/Decode Files or Information\r\nT1202 - Indirect Command Execution\r\nT1543.003 - Create or Modify System Process: Windows Service\r\nT1550.002 - Use Alternate Authentication Material: Pass the Hash\r\nBy Cyber Threat Hunters from MSSPLab:\r\n@cocomelonc\r\n@wqkasper\r\n@mgmadr\r\nReferences\r\nMITRE ATT\u0026CK: BlackCat\r\nSalsa20 wikipedia\r\nAn ALPHV (BlackCat) representative discusses the group’s plans for a ransomware 
‘meta-universe’\r\nmalpedia: BlackCat\r\nThanks for your time, happy hacking and good bye!\r\nAll drawings and screenshots are MSSPLab’s.\r\nSource: https://mssplab.github.io/threat-hunting/2023/07/13/malware-analysis-blackcat.html",
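The win_blackcat_auto rule in the report hits on the condition `7 of them and filesize < 29981696`, not on any single sequence. The following is an added example, not code from the report or from yara-signator: it parses the rule's ten hex strings exactly as printed, counts which of them occur in a buffer and applies the rule's condition, which is useful for checking a carved memory region when no YARA engine is at hand and for seeing how close a partial match comes. The two buffers are constructed for the demonstration, not real samples.

```python
"""Evaluate the win_blackcat_auto condition without a YARA engine.

Added example, not code from the MSSP Lab report or from yara-signator.
RULE_STRINGS are the ten $sequence_N hex strings of the rule as printed in the
report; FULL_HIT and PARTIAL_HIT are constructed buffers, not samples.
"""
import re

RULE_STRINGS = {
    "sequence_0": "c3 81f90a010000 7e6a 81f9e2030000 0f8fcc000000 81f90b010000",
    "sequence_1": "85f6 0f8482000000 bb03000000 8d0437",
    "sequence_2": "885405cc 48 eb19 89ca 83fa63 7fbe",
    "sequence_3": "f20f104808 8d45d4 894dec c645f004 8d4dec",
    "sequence_4": "3d32210000 747b 3d33210000 0f8571050000 8b07",
    "sequence_5": "b005 5e 5d c3 81f90a010000 7e6a 81f9e2030000",
    "sequence_6": "747b 3d33210000 0f8571050000 8b07 83f00a",
    "sequence_7": "b806000000 c7460400000000 894608 c70601000000 83c430",
    "sequence_8": "89d0 ba3e000000 897e0c f7e2",
    "sequence_9": "c6410b00 66c741090000 8b45ec 894110 c7411400000000 b801000000 8901",
}
REQUIRED = 7            # "7 of them"
MAX_FILESIZE = 29981696  # "filesize < 29981696"


def hexstring_to_bytes(hexstr: str) -> bytes:
    """Turn a YARA hex string body (space-separated byte groups) into bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", hexstr))


PATTERNS = {name: hexstring_to_bytes(h) for name, h in RULE_STRINGS.items()}


def matching_strings(data: bytes):
    """Names of the rule strings that occur at least once in `data`."""
    return sorted(name for name, pat in PATTERNS.items() if pat in data)


def condition(num_hits: int, filesize: int) -> bool:
    """The rule's condition applied to a hit count and a file size."""
    return num_hits >= REQUIRED and filesize < MAX_FILESIZE


def rule_matches(data: bytes):
    """(matched?, matching string names) for a buffer, as the engine would decide."""
    hits = matching_strings(data)
    return condition(len(hits), len(data)), hits


# Constructed buffers: the sequences are separated by NOP padding (0x90 does
# not occur in any of the patterns) so each one is found exactly where placed.
PADDING = b"\x90" * 16
FULL_HIT = PADDING.join(PATTERNS[n] for n in sorted(PATTERNS)) + PADDING
PARTIAL_HIT = PADDING.join(
    PATTERNS[n] for n in ("sequence_1", "sequence_2", "sequence_8")) + PADDING


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FULL_HIT
    ok, hits = rule_matches(blob)
    print(f"match={ok} hits={len(hits)}/{len(PATTERNS)} size={len(blob)}: {hits}")
```

Three of ten sequences, as in PARTIAL_HIT, is the kind of result a repacked or recompiled build produces: not a hit under the rule's condition, but worth a second look when the sample already carries the other indicators from the report.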
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://mssplab.github.io/threat-hunting/2023/07/13/malware-analysis-blackcat.html"
	],
	"report_names": [
		"malware-analysis-blackcat.html"
	],
	"threat_actors": [
		{
			"id": "86ab9be8-ce67-4866-9f66-1df471e9d251",
			"created_at": "2024-05-29T02:00:03.942487Z",
			"updated_at": "2026-04-10T02:00:03.641939Z",
			"deleted_at": null,
			"main_name": "Alpha Spider",
			"aliases": [
				"ALPHV Ransomware Group"
			],
			"source_name": "MISPGALAXY:Alpha Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434355,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/704436a5f8a23e3db290d023fccb90675e090955.pdf",
		"text": "https://archive.orkl.eu/704436a5f8a23e3db290d023fccb90675e090955.txt",
		"img": "https://archive.orkl.eu/704436a5f8a23e3db290d023fccb90675e090955.jpg"
	}
}