Malware analysis report: BlackCat ransomware

By MSSP Research Lab
Published: 2023-07-13 · Archived: 2026-04-05 20:56:29 UTC
10 minute read

BlackCat is Rust-based ransomware distributed under the Ransomware-as-a-Service (RaaS) model. It was first observed in November 2021 and has since been used against organizations in many sectors and in countries across Africa, the Americas, Asia, Australia, and Europe.

This ransomware and the group behind it caught our attention after this piece of news: "ALPHV ransomware group claims to have ransomed Maruchan, the company that makes instant noodles."

https://twitter.com/vxunderground/status/1679128724489289728

The name "BlackCat" was first used by MalwareHunterTeam.

## Technical summary

The ransomware encrypts the data of business users and corporate networks with AES-128 in CTR mode together with RSA-2048, then demands a hefty ransom in BTC or Monero for the decryptor. ChaCha20 can be used in place of AES. The configuration embedded in the binary supplies the global RSA public key, which is used to protect the symmetric keys, so encrypted files cannot be recovered without the operators' private key.

Original title: ALPHV-ng RaaS. It is a striking example of ransomware written in Rust, and it is capable of encrypting data on Windows, Linux, and VMware ESXi systems.

## Threat Actor

Most threat hunting labs, MSSP Lab included, have observed one of these RaaS providers, ALPHV (also known as BlackCat ransomware), gaining traction since late 2021, actively recruiting new affiliates and targeting organizations in a variety of industries across the globe. The group actively recruits former REvil, BlackMatter, and DarkSide operators.
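To make the hybrid scheme from the technical summary concrete, here is an added illustration (our own example, not BlackCat's code) of the same construction: a fresh random key per file, a stream cipher over the file body (AES-128-CTR, with ChaCha20 as the alternative the summary mentions), and the per-file key wrapped with the operators' RSA-2048 public key that the configuration carries. The trailer layout, the `MAGIC` tag, the cipher identifiers and the use of OAEP padding are assumptions made for this example; the post does not document BlackCat's exact file format or padding. It requires the `cryptography` package.

```python
"""
Hybrid per-file encryption of the kind the technical summary describes.
Added example, not BlackCat's implementation: trailer layout, MAGIC tag,
cipher ids and OAEP padding are assumptions for illustration only.
"""
import os
import struct

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

MAGIC = b"EXAMPLE1"                 # assumed end-of-file tag (not BlackCat's)
CIPHER_AES128_CTR = 1               # assumed cipher ids for this example
CIPHER_CHACHA20 = 2
KEY_LEN = {CIPHER_AES128_CTR: 16, CIPHER_CHACHA20: 32}
TRAILER_FMT = "<16sBI8s"            # nonce | cipher id | wrapped-key length | MAGIC
TRAILER_LEN = struct.calcsize(TRAILER_FMT)   # 29 bytes

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_operator_keypair():
    """RSA-2048 pair: the public half ships in the config, the private half stays with the operators."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return priv, priv.public_key()


def _stream_cipher(cipher_id: int, key: bytes, nonce: bytes) -> Cipher:
    if cipher_id == CIPHER_AES128_CTR:
        return Cipher(algorithms.AES(key), modes.CTR(nonce))
    if cipher_id == CIPHER_CHACHA20:
        # cryptography's ChaCha20 takes a 16-byte nonce: 4-byte counter || 12-byte nonce
        return Cipher(algorithms.ChaCha20(key, nonce), mode=None)
    raise ValueError(f"unknown cipher id {cipher_id}")


def encrypt_file_bytes(plaintext: bytes, operator_pub,
                       cipher_id: int = CIPHER_AES128_CTR) -> bytes:
    """Encrypt one file body; the per-file key survives only in RSA-wrapped form."""
    file_key = os.urandom(KEY_LEN[cipher_id])   # the malware draws this from BCryptGenRandom
    nonce = os.urandom(16)                      # never reused with the same key
    enc = _stream_cipher(cipher_id, file_key, nonce).encryptor()
    body = enc.update(plaintext) + enc.finalize()
    wrapped = operator_pub.encrypt(file_key, OAEP)   # 256 bytes for RSA-2048
    trailer = struct.pack(TRAILER_FMT, nonce, cipher_id, len(wrapped), MAGIC)
    return body + wrapped + trailer


def parse_encrypted(blob: bytes):
    """Split an encrypted blob into (body, wrapped_key, nonce, cipher_id)."""
    if len(blob) < TRAILER_LEN or not blob.endswith(MAGIC):
        raise ValueError("not an encrypted file in this layout")
    nonce, cipher_id, wlen, _ = struct.unpack(TRAILER_FMT, blob[-TRAILER_LEN:])
    wrapped = blob[-TRAILER_LEN - wlen:-TRAILER_LEN]
    body = blob[:-TRAILER_LEN - wlen]
    return body, wrapped, nonce, cipher_id


def decrypt_file_bytes(blob: bytes, operator_priv) -> bytes:
    """Only the holder of the operators' private key can unwrap the file key."""
    body, wrapped, nonce, cipher_id = parse_encrypted(blob)
    file_key = operator_priv.decrypt(wrapped, OAEP)   # raises ValueError with the wrong key
    dec = _stream_cipher(cipher_id, file_key, nonce).decryptor()
    return dec.update(body) + dec.finalize()


def can_decrypt(blob: bytes, candidate_priv) -> bool:
    """What a victim without the right private key sees: the unwrap fails, the body stays ciphertext."""
    try:
        decrypt_file_bytes(blob, candidate_priv)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    priv, pub = generate_operator_keypair()
    blob = encrypt_file_bytes(b"quarterly report\n" * 100, pub, CIPHER_CHACHA20)
    print(len(blob), decrypt_file_bytes(blob, priv)[:17])
```

The point for defenders is in `can_decrypt`: because every file key is wrapped with the public key and the private key never touches the victim machine, memory forensics after the fact can at best recover keys for files that were being encrypted at capture time, never the whole set.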
A campaign to attract new affiliates was advertised on underground forums.

## Identification

Samples under investigation:

sample.exe:

```
File size:   2281472 bytes
MD5 sum:     aea5d3cced6725f37e2c3797735e6467
SHA-1 sum:   087497940a41d96e4e907b6dc92f75f4a38d861a
SHA-256 sum: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83
```

First of all, check the sample on VirusTotal:

https://www.virustotal.com/gui/file/3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83/details

As we can see, 60 of 71 AV engines detect the sample as malicious.

The more interesting sample is the one written in Rust:

sample2.exe:

```
File size:   2281472 bytes
MD5 sum:     701b4b004eecb69046c210237846d46d
SHA-1 sum:   8c70191b12f14eed594388c8fbe05efe6ebaa564
SHA-256 sum: 6dd995d896a9a593b2c48d09da60bd83866d8577273f36d38788d83ad8173e68
```

which we also checked on VirusTotal:

https://www.virustotal.com/gui/file/6dd995d896a9a593b2c48d09da60bd83866d8577273f36d38788d83ad8173e68

As we can see, 55 of 70 AV engines detect the sample as malicious.
Most of them label it Win.Ransomware.BlackCat-9974801-0.

## Static analysis

sample.exe

`file` and `hexdump -C` show that the sample is a 32-bit PE file.

Use exiftool to look at the metadata: the file timestamp is 2021:11:18 05:04:28-05:00, and the sample was compiled with MinGW.

Shannon entropy: (plot in the original post)

sample2.exe

`file` and `hexdump -C` show that this sample is a 32-bit PE file as well.

exiftool metadata: the linker information points to GNU binutils.

Entropy: (plot in the original post)

## Dynamic analysis

BlackCat can be delivered through insecure RDP configurations, email spam with malicious attachments, drive-by downloads, botnets, exploits, malvertising, web injects, fake updates, and repackaged or infected installers.

Ransom note:

```
» Introduction
Important files on your system was ENCRYPTED and now they have "sykffle" extension.
In order to recover your files you need to follow instructions below.

» Sensitive Data
Sensitive data on your system was downloaded and it will be published if you refuse to cooperate.

Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...

Private preview is published here:
hxxx://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/***

» CAUTION
DO NOT MODIFY FILES YOURSELF.
DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.
YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY.

» Recovery procedure
Follow these simple steps to get in touch and recover your data:
1) Download and install Tor Browser from: https://torprojoject.org
2) Navigate to: hxxx://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=***
```

The second sample is written in Rust.

Initialisation and propagation. The BlackCat samples we analyzed could be launched with any string supplied as the access token:

```
.\sample.exe -v --access-token 1234567
```

The malware immediately checks that an access token was supplied, then queries the system UUID:

```
cmd.exe /c wmic csproduct get UUID
```

It also reads its own command line through the GetCommandLineW API to decide whether the supplied access token is valid.

BlackCat then spawns a number of child processes with the following syntax (on Windows):

```
wmic.exe Shadowcopy Delete
iisreset.exe /stop
bcdedit.exe /set {default} recoveryenabled No
cmd /c vssadmin.exe delete shadows /all /quiet
```

To keep the organization from restoring encrypted files, the ransomware deletes any available shadow copies and disables Windows recovery before it starts encrypting, as is characteristic of ransomware attacks.
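The commands above are the most reliable pre-encryption signal a SOC gets, so here is an added example (our own detection logic, not part of the original analysis) that evaluates them over process-creation events, together with the CMSTPLUA elevation-moniker UAC bypass discussed under Privilege Escalation below. The events are constructed for the example and use Sysmon Event ID 1 style field names (`Image`, `CommandLine`, `ParentImage`, `ParentCommandLine`); the rule names, the PIDs and the `min_rules` threshold are our own choices.

```python
"""
Process-creation rules for BlackCat's pre-encryption commands and the CMSTPLUA
UAC bypass. Added example, not MSSPLab's code; events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# CLSID of the auto-elevated CMSTPLUA COM object (see Privilege Escalation)
CMSTPLUA_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"

# (rule name, ATT&CK technique, pattern over the normalized command line)
COMMAND_RULES = [
    ("vssadmin_delete_shadows", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("wmic_shadowcopy_delete", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
    ("bcdedit_recovery_disabled", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
    ("iisreset_stop", "T1489",
     re.compile(r"\biisreset(?:\.exe)?\s+/stop\b")),
    ("wmic_csproduct_uuid", "T1082",
     re.compile(r"\bwmic(?:\.exe)?\s+csproduct\s+get\s+uuid\b")),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    pid: int
    parent_pid: int
    command_line: str


def normalize(command_line: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so 'wmic.exe Shadowcopy Delete"' still matches."""
    return re.sub(r"\s+", " ", command_line.replace('"', " ").lower()).strip()


def evaluate(events: List[dict]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        cmd = normalize(ev.get("CommandLine", ""))
        for name, technique, pattern in COMMAND_RULES:
            if pattern.search(cmd):
                findings.append(Finding(name, technique, ev["ProcessId"],
                                        ev["ParentProcessId"], ev["CommandLine"]))
        # Elevation moniker: the child is spawned by the COM surrogate
        # dllhost.exe /Processid:{CMSTPLUA CLSID}, already elevated
        parent_image = ev.get("ParentImage", "").lower()
        parent_cmd = normalize(ev.get("ParentCommandLine", ""))
        if parent_image.endswith("\\dllhost.exe") and CMSTPLUA_CLSID in parent_cmd:
            findings.append(Finding("uac_bypass_cmstplua", "T1548.002", ev["ProcessId"],
                                    ev["ParentProcessId"], ev["CommandLine"]))
    return findings


def techniques_by_parent(findings: List[Finding]) -> Dict[int, Set[str]]:
    grouped: Dict[int, Set[str]] = {}
    for f in findings:
        grouped.setdefault(f.parent_pid, set()).add(f.technique)
    return grouped


def ransomware_candidates(findings: List[Finding], min_rules: int = 2) -> Set[int]:
    """Parent PIDs behind at least min_rules distinct hits: one shadow-copy deletion is
    noisy on its own (backup agents do it), the combination with recovery tampering is not."""
    rules: Dict[int, Set[str]] = {}
    for f in findings:
        rules.setdefault(f.parent_pid, set()).add(f.rule)
    return {pid for pid, names in rules.items() if len(names) >= min_rules}


def _child_of_sample(pid: int, image: str, command_line: str) -> dict:
    """Constructed event: a child spawned by the ransomware process (pid 4000)."""
    return {"ProcessId": pid, "ParentProcessId": 4000, "Image": image,
            "CommandLine": command_line,
            "ParentImage": r"C:\Users\victim\sample.exe",
            "ParentCommandLine": "sample.exe -v --access-token 1234567"}


SAMPLE_EVENTS = [  # constructed for this example
    {"ProcessId": 4000, "ParentProcessId": 3200,
     "Image": r"C:\Users\victim\sample.exe",
     "CommandLine": "sample.exe -v --access-token 1234567",
     "ParentImage": r"C:\Windows\System32\dllhost.exe",
     "ParentCommandLine": r"C:\Windows\System32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    _child_of_sample(4101, r"C:\Windows\System32\cmd.exe", "cmd.exe /c wmic csproduct get UUID"),
    _child_of_sample(4102, r"C:\Windows\System32\wbem\WMIC.exe", 'wmic.exe Shadowcopy Delete"'),
    _child_of_sample(4103, r"C:\Windows\System32\iisreset.exe", "iisreset.exe /stop"),
    _child_of_sample(4104, r"C:\Windows\System32\bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled No"),
    _child_of_sample(4105, r"C:\Windows\System32\cmd.exe", "cmd /c vssadmin.exe delete shadows /all /quiet"),
    {"ProcessId": 5200, "ParentProcessId": 3200,   # benign noise
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.technique:9} {f.rule:26} pid={f.pid} parent={f.parent_pid} :: {f.command_line}")
    print("ransomware candidates (parent pids):", ransomware_candidates(hits))
```

Grouping by parent PID is what turns five individually noisy rules into one actionable alert: the ransomware process itself never runs `vssadmin`, its `cmd.exe` children do, so the correlation key must be the parent, not the image that executed the command.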
BlackCat also attempts to propagate to other hosts via PsExec.

Privilege escalation. Using CoGetObject with an elevation moniker, the ransomware instantiates the COM object registered under CLSID 3E5FC7F9-9A51-4367-9063-A120244FBEC7 (CMSTPLUA, which exposes the ICMLuaUtil interface), a legitimate auto-elevated object that can launch applications with elevated privileges. Executing through it lets the malware bypass the UAC consent prompt and carry out its actions as an administrator without the user being asked. This is a UAC bypass rather than a privilege exploit: it only works when the running user is already a member of the local Administrators group.

Anti-debugging. Calls to Sleep make stepping through the code in a debugger more time-consuming and so slow down reverse engineering.

Terminating services and processes. BlackCat then stops any services and kills any processes named in its configuration, chiefly those that could hold files open and inhibit encryption.

Services it stops:

```
backup
memtas
mepocs
msexchange
sql
svc$
veeam
vss
```

Processes it kills (from the configuration):

```json
"kill_processes": [
    "encsvc", "thebat", "mydesktopqos", "xfssvccon", "firefox", "infopath",
    "winword", "steam", "synctime", "notepad", "ocomm", "onenote", "mspub",
    "thunderbird", "agntsvc", "sql", "excel", "powerpnt", "outlook", "wordpad",
    "dbeng50", "isqlplussvc", "sqbcoreservice", "oracle", "ocautoupds", "dbsnmp",
    "msaccess", "tbirdconfig", "ocssd", "mydesktopservice", "visio"
]
```

Encryption process. BlackCat first walks the file system in a FindFirstFile/FindNextFile loop to enumerate the files to encrypt. It then drops the ransom note into each directory with WriteFile. A random AES key is generated with BCryptGenRandom; each file's contents are read with ReadFile, encrypted with AES, and written back with WriteFile. The extension appended to encrypted files is taken from the BlackCat configuration.

We wrote a simple BlackCat ransomware configuration extractor:

```python
import argparse
import binascii
import hashlib
import json
import os
import sys
from typing import Union

# marker for the start of the embedded JSON config: {"config_id
CONFIG_MARKER = binascii.unhexlify("7B22636F6E6669675F696422")


class BlackCatConfig:
    def __init__(self, config: dict):
        self.config = config

    def __str__(self):
        return "".join(f"{key}: {value}\n" for key, value in self.config.items())


def calc_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def calc_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def get_file_info(file: str) -> int:
    return os.stat(file).st_size


def scan_file(data: bytes, search: bytes) -> int:
    # returns -1 when the marker is absent
    return data.find(search)


def extract_config(data: bytes) -> Union[dict, None]:
    off = scan_file(data, CONFIG_MARKER)
    if off == -1:
        return None
    # the config is one JSON object followed by unrelated bytes; raw_decode
    # parses the leading object and ignores whatever trails it
    window = data[off: off + 8000].decode("utf-8", errors="ignore")
    config, _ = json.JSONDecoder().raw_decode(window)
    return config


def main():
    parser = argparse.ArgumentParser(description="BlackCat Ransomware conf extractor")
    parser.add_argument("-j", "--json", action="store_true",
                        help="dump extracted config to a json file")
    parser.add_argument("file", type=str, help="path to sample")
    args = parser.parse_args()

    try:
        with open(args.file, "rb") as f:
            data = f.read()

        print(f"file size (bytes): {get_file_info(args.file)}")
        print(f"MD5: {calc_md5(data)}")
        print(f"SHA-256: {calc_sha256(data)}")

        config = extract_config(data)
        if config is None:
            print("\nunable to find config offset :(\n\n")
            sys.exit(1)

        if args.json:
            filename = f"blackCat_config-{calc_md5(data)}.json"
            with open(filename, "w") as json_output:
                json.dump(config, json_output, indent=2)
            print(f"\nwrote config to {filename}\n\n")

        print(BlackCatConfig(config))
    except Exception as e:
        print(f"an error occurred: {e}")
        sys.exit(1)


if __name__ == "__main__":
    main()
```

After BlackCat has finished encrypting all files on the system, the desktop wallpaper is changed to direct the user to the ransom note.

## IOC

Other samples (SHA-256):

```
0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
1af1ca666e48afc933e2eda0ae1d6e88ebd23d27c54fd1d882161fd8c70b678e
2587001d6599f0ec03534ea823aab0febb75e83f657fadc3a662338cc08646b0
28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169
2cf54942e8cf0ef6296deaa7975618dadff0c32535295d3f0d5f577552229ffc
38834b796ed025563774167716a477e9217d45e47def20facb027325f2a790d1
3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83
40f57275721bd74cc59c0c59c9f98c8e0d1742b7ae86a46e83e985cc4039c3a5
4e18f9293a6a72d5d42dad179b532407f45663098f959ea552ae43dbb9725cbf
59868f4b346bd401e067380cac69080709c86e06fae219bfb5bc17605a71ab3f
5bdc0fb5cfbd42de726aacc40eddca034b5fa4afcc88ddfb40a3d9ae18672898
658e07739ad0137bceb910a351ce3fe4913f6fcc3f63e6ff2eb726e45f29e582
731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161
7b2449bb8be1b37a9d580c2592a67a759a3116fe640041d0f36dc93ca3db4487
7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e
bd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117
be8c5d07ab6e39db28c40db20a32f47a97b7ec9f26c9003f9101a154a5a98486
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40
c5ad3534e1c939661b71f56144d19ff36e9ea365fdb47e4f8e2d267c39376486
c8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283
cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae
f815f5d6c85bcbc1ec071dd39532a20f5ce910989552d980d1d4346f57b75f89
f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb
```

Bitcoin: 1H3JFbyiwv6YeVW7K2mVjxHgNvJdXqJxiP

Monero:
46JqTG57Pv6GBRzjM9kHyCF8XHrAo9sr8dLuvqwcGbxT92dUAW12QpgZJnu32KrTfL1BzLp2sBi9G49JyXuRaKmT6JrJL9r

## Yara rules

Yara rule for BlackCat ransomware threat hunting:

```yara
rule win_blackcat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.blackcat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { c3 81f90a010000 7e6a 81f9e2030000 0f8fcc000000 81f90b010000 }
            // n = 6, score = 600
            //   c3                   | ret
            //   81f90a010000         | cmp    ecx, 0x10a
            //   7e6a                 | jle    0x6c
            //   81f9e2030000         | cmp    ecx, 0x3e2
            //   0f8fcc000000         | jg     0xd2
            //   81f90b010000         | cmp    ecx, 0x10b

        $sequence_1 = { 85f6 0f8482000000 bb03000000 8d0437 }
            // n = 4, score = 600
            //   85f6                 | test   esi, esi
            //   0f8482000000         | je     0x88
            //   bb03000000           | mov    ebx, 3
            //   8d0437               | lea    eax, [edi + esi]

        $sequence_2 = { 885405cc 48 eb19 89ca 83fa63 7fbe }
            // n = 6, score = 600
            //   885405cc             | mov    byte ptr [ebp + eax - 0x34], dl
            //   48                   | dec    eax
            //   eb19                 | jmp    0x1b
            //   89ca                 | mov    edx, ecx
            //   83fa63               | cmp    edx, 0x63
            //   7fbe                 | jg     0xffffffc0

        $sequence_3 = { f20f104808 8d45d4 894dec c645f004 8d4dec }
            // n = 5, score = 600
            //   f20f104808           | movsd  xmm1, qword ptr [eax + 8]
            //   8d45d4               | lea    eax, [ebp - 0x2c]
            //   894dec               | mov    dword ptr [ebp - 0x14], ecx
            //   c645f004             | mov    byte ptr [ebp - 0x10], 4
            //   8d4dec               | lea    ecx, [ebp - 0x14]

        $sequence_4 = { 3d32210000 747b 3d33210000 0f8571050000 8b07 }
            // n = 5, score = 600
            //   3d32210000           | cmp    eax, 0x2132
            //   747b                 | je     0x7d
            //   3d33210000           | cmp    eax, 0x2133
            //   0f8571050000         | jne    0x577
            //   8b07                 | mov    eax, dword ptr [edi]

        $sequence_5 = { b005 5e 5d c3 81f90a010000 7e6a 81f9e2030000 }
            // n = 7, score = 600
            //   b005                 | mov    al, 5
            //   5e                   | pop    esi
            //   5d                   | pop    ebp
            //   c3                   | ret
            //   81f90a010000         | cmp    ecx, 0x10a
            //   7e6a                 | jle    0x6c
            //   81f9e2030000         | cmp    ecx, 0x3e2

        $sequence_6 = { 747b 3d33210000 0f8571050000 8b07 83f00a }
            // n = 5, score = 600
            //   747b                 | je     0x7d
            //   3d33210000           | cmp    eax, 0x2133
            //   0f8571050000         | jne    0x577
            //   8b07                 | mov    eax, dword ptr [edi]
            //   83f00a               | xor    eax, 0xa

        $sequence_7 = { b806000000 c7460400000000 894608 c70601000000 83c430 }
            // n = 5, score = 600
            //   b806000000           | mov    eax, 6
            //   c7460400000000       | mov    dword ptr [esi + 4], 0
            //   894608               | mov    dword ptr [esi + 8], eax
            //   c70601000000         | mov    dword ptr [esi], 1
            //   83c430               | add    esp, 0x30

        $sequence_8 = { 89d0 ba3e000000 897e0c f7e2 }
            // n = 4, score = 600
            //   89d0                 | mov    eax, edx
            //   ba3e000000           | mov    edx, 0x3e
            //   897e0c               | mov    dword ptr [esi + 0xc], edi
            //   f7e2                 | mul    edx

        $sequence_9 = { c6410b00 66c741090000 8b45ec 894110 c7411400000000 b801000000 8901 }
            // n = 7, score = 600
            //   c6410b00             | mov    byte ptr [ecx + 0xb], 0
            //   66c741090000         | mov    word ptr [ecx + 9], 0
            //   8b45ec               | mov    eax, dword ptr [ebp - 0x14]
            //   894110               | mov    dword ptr [ecx + 0x10], eax
            //   c7411400000000       | mov    dword ptr [ecx + 0x14], 0
            //   b801000000           | mov    eax, 1
            //   8901                 | mov    dword ptr [ecx], eax

    condition:
        7 of them and filesize < 29981696
}
```

## MITRE ATT&CK

- T1027.002 - Obfuscated Files or Information: Software Packing
- T1027 - Obfuscated Files or Information
- T1007 - System Service Discovery
- T1059 - Command and Scripting Interpreter
- TA0010 - Exfiltration
- T1082 - System Information Discovery
- T1490 - Inhibit System Recovery
- T1485 - Data Destruction
- T1078 - Valid Accounts
- T1486 - Data Encrypted For Impact
- T1140 - Encode/Decode Files or Information
- T1202 - Indirect Command Execution
- T1543.003 - Create or Modify System Process: Windows Service
- T1550.002 - Use Alternate Authentication Material: Pass The Hash

By Cyber Threat Hunters from MSSPLab: @cocomelonc @wqkasper @mgmadr

## References

- MITRE ATT&CK: BlackCat
- Salsa20 (Wikipedia)
- An ALPHV (BlackCat) representative discusses the group's plans for a ransomware 'meta-universe'
- Malpedia: BlackCat

Thanks for your time, happy hacking and goodbye!

All drawings and screenshots are MSSPLab's.

Source: https://mssplab.github.io/threat-hunting/2023/07/13/malware-analysis-blackcat.html