{
	"id": "088fc78c-8a0c-4ff3-9d00-68782feddb9d",
	"created_at": "2026-04-06T00:13:39.007152Z",
	"updated_at": "2026-04-10T13:11:37.389671Z",
	"deleted_at": null,
	"sha1_hash": "a0291049c26da6ead4de2f84a2425944e46be9bc",
	"title": "GitHub - f0wl/blackCatConf: Configuration Extractor for BlackCat Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 174356,
	"plain_text": "GitHub - f0wl/blackCatConf: Configuration Extractor for\r\nBlackCat Ransomware\r\nBy f0wl\r\nArchived: 2026-04-05 19:20:06 UTC\r\ngo report A+\r\nblackCatConf is a static configuration extractor implemented in Golang for BlackCat Ransomware (targeting Microsoft Windows and GNU/Linux + VMware ESXi). By default the script will print the extracted information to stdout. It is also capable of dumping the malware configuration to disk as a JSON file with the -j flag.\r\nInfo: This tool does not currently support the new version of BlackCat/ALPHV ransomware.\r\nUsage\r\ngo run blackcatconf.go [-j] path/to/blackcat_sample.bin\r\nScreenshots\r\nSensitive victim information in the screenshot below and in the example config file has been redacted.\r\nhttps://github.com/f0wl/blackCatConf\r\nPage 1 of 4\r\nConfiguration structure\r\nWith these novel BlackCat Ransomware samples this config extractor could easily be replaced by a bash one-liner (e.g. strings ... | grep \"{\\\"config_id\" \u003e config.json ), but I expect that config obfuscation/encryption will be added in future samples of BlackCat, similar to e.g. the changes made in Darkside Ransomware over time. If this is the case here as well, having a structure to unmarshal the JSON config into will save me some time down the road.\r\nSpeaking of Darkside/BlackMatter: The configuration structure and values of BlackCat share significant similarities with those found in BlackMatter. The Korean Threat Intelligence company S2W Lab published a thorough analysis of the similarities between these two Ransomware strains.\r\nKey | Value / Purpose | Type\r\nconfig_id | Configuration ID, empty up until now (= Victim Identifier?) | unknown\r\npublic_key | RSA Public Key (Base64 encoded) | string\r\nextension | Extension for encrypted files | string\r\nnote_file_name | Filename of the Ransomnote | string\r\nnote_full_text | Long version of the Ransomnote | string\r\nnote_short_text | Short version of the Ransomnote | string\r\ndefault_file_mode | File Encryption Mode (observed: \"auto\" and \"Smartpattern\") | string or []int\r\ndefault_file_cipher | File Encryption Cipher (observed: \"Best\") | string\r\ncredentials | Array of compromised credentials for escalation and propagation | [][]string\r\nkill_services | List of services to be terminated | []string\r\nkill_processes | List of processes to be terminated | []string\r\nexclude_directory_names | Directories that are excluded from the encryption process | []string\r\nexclude_file_names | Files that are excluded from the encryption process | []string\r\nexclude_file_extensions | File extensions that are excluded from the encryption process | []string\r\nexclude_file_path_wildcard | Filepaths to be excluded via wildcard | []string (?)\r\nenable_network_discovery | Switch to enable/disable network discovery | bool\r\nenable_self_propagation | Switch to enable/disable self propagation | bool\r\nenable_set_wallpaper | Switch to enable/disable wallpaper change | bool\r\nenable_esxi_vm_kill | Switch to enable/disable VM termination on ESXi Hosts | bool\r\nenable_esxi_vm_snapshot_kill | Switch to enable/disable Snapshot deletion on ESXi Hosts | bool\r\nstrict_include_paths | Hardcoded filepaths (likely victim-specific) | []string (?)\r\nesxi_vm_kill_exclude | Exclusion list for virtual machines on ESXi Hosts | []string (?)\r\nTesting\r\nThis configuration extractor has been tested successfully with the following samples:\r\nSHA-256 | OS | Sample\r\n59868f4b346bd401e067380cac69080709c86e06fae219bfb5bc17605a71ab3f | Windows | Malware Bazaar\r\n731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161 | Windows | Malware Bazaar\r\n5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42 | Linux | VX-Underground\r\nf8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6 | Linux | VX-Underground\r\nIf you encounter an error with blackCatConf, please file a bug report via an issue. Contributions are always welcome :)\r\nSource: https://github.com/f0wl/blackCatConf",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/f0wl/blackCatConf"
	],
	"report_names": [
		"blackCatConf"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434419,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0291049c26da6ead4de2f84a2425944e46be9bc.pdf",
		"text": "https://archive.orkl.eu/a0291049c26da6ead4de2f84a2425944e46be9bc.txt",
		"img": "https://archive.orkl.eu/a0291049c26da6ead4de2f84a2425944e46be9bc.jpg"
	}
}