{
	"id": "e5f74235-0687-4659-bb93-bbfe2a576fb1",
	"created_at": "2026-04-06T00:12:34.688756Z",
	"updated_at": "2026-04-10T03:22:11.06561Z",
	"deleted_at": null,
	"sha1_hash": "ed3bc64c6c42f77ee8fb0417e781b5778b5357bb",
	"title": "CatB Ransomware | File Locker Sharpens Its Claws to Steal Data with MSDTC Service DLL Hijacking",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3338213,
	"plain_text": "CatB Ransomware | File Locker Sharpens Its Claws to Steal Data with MSDTC Service DLL Hijacking\r\nBy Jim Walter\r\nPublished: 2023-03-13 · Archived: 2026-04-05 16:29:12 UTC\r\nThe CatB ransomware family, sometimes referred to as CatB99 or Baxtoy, was first observed in late 2022, with campaigns seen steadily since November. The group’s activities have gained attention due to their ongoing use of DLL hijacking via the Microsoft Distributed Transaction Coordinator (MSDTC) service to extract and launch ransomware payloads.\r\nString similarities in the ransom notes, as well as modifications left by the ransomware payloads, suggest that CatB may be either an evolution or a direct rebrand of the Pandora ransomware, which was active in early to mid-2022 and targeted the automotive industry.\r\nIn this post, we offer a technical analysis of the CatB ransomware and its abuse of the legitimate MSDTC service, describing its evasion tactics, encryption behavior, and its attempts to steal credentials and browser data.\r\nCatB Ransomware Technical Information\r\nCatB payloads are distributed as a two-DLL set. A dropper DLL is responsible for initial evasive environmental checks as well as for dropping and launching the second DLL, which serves as the ransomware payload.\r\nhttps://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/\r\nPage 1 of 8\n\nCatB Ransomware Process Graph\r\nFirst, the dropper is distributed in the form of a UPX-packed DLL (versions.dll). This dropper deposits the second DLL payload (oci.dll) onto the target host. The dropper DLL is responsible for any sandbox evasion techniques required by the threat actor. Sandbox evasion inhibits the analysis process and ultimately leads to more time in the target environment for the attacker.\r\nCatB performs three primary checks in an attempt to determine if the payload is being executed within a virtual environment. 
These are direct checks of the type and size of physical RAM, the type and size of physical hard disks, and checks for odd or anomalous combinations of processors and cores.\r\nUpon execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload. The dropper (versions.dll) drops the payload (oci.dll) into the System32 directory.\r\nOci.dll payloads in System32 (view from Singularity™ Console)\r\nThe malware then abuses the MSDTC service, manipulating its permissions and startup parameters. As a result, the system will load the malicious oci.dll into the service’s process (msdtc.exe) when the MSDTC service is restarted. Taskkill.exe is used to terminate the msdtc.exe process once the service configuration changes have been made.\r\nMsdtc.exe termination syntax\r\nCatB ransomware excludes the following files and extensions from the encryption process: .msi, .dll, .sys, .iso and NTUSER.DAT.\r\nEncryption exclusions in payload DLL\r\nIn addition to the hardcoded exclusions, the local disk volumes to be encrypted are also configured in a similar manner. By default, the oci.dll payload will attempt to encrypt C:\\users (crawling the whole tree), I:, H:, G:, F:, E:, and D:.\r\nLocal encryption targets in oci.dll\r\nThe lack of post-encryption alterations is a trait that sets CatB apart from its contemporaries. Once files are encrypted, there is no blatant indicator – no separate ransom note dropped, no change to the desktop wallpaper, and no antagonizing file extensions. 
Instead, what could be considered the ransom note is inserted at the beginning of each encrypted file.\r\nRansom note appended to head of encrypted file (catb991 variation)\r\nPer the ransom note, the only way to engage the threat actor is via email at the provided catB9991 protonmail address. Beyond that, a single Bitcoin (BTC) address is provided for payment submissions. The ransom price is set to increase each day for five days and, following the fifth day, there will be “permanent data loss” if the victim does not comply.\r\nBased on our observations, there is no evidence to indicate that CatB operators are generating payment wallets for each victim, as the Bitcoin address provided is not unique to each sample.\r\nGeneration of unique key file\r\nA key file is deposited onto each infected host in c:\\users\\public\\. This file must be included in email correspondence with the attackers, as it is, ideally, a unique identifier for each victim or host.\r\nKey file dropped for each victim\r\nExample CatB ‘key’ file\r\nCredential and Browser Data Theft\r\nIn addition to file encryption and obfuscation, the CatB malware will attempt to gather specific, sensitive information from targeted systems. This includes browser session and credential data.\r\nThe ransomware contains functionality to discover and extract user data from Mozilla Firefox, Google Chrome, Microsoft Edge as well as Internet Explorer. 
Data extracted from browsers includes bookmarks, blocklists, crash logs, history, user profile data, autofill data, environmental settings, browser session keys, and more.\r\nCatB malware will also attempt to locate and extract sensitive information from Windows Mail profile data (\\AppData\\Local\\Microsoft\\Windows Mail\\).\r\nVariations of CatB Threat Campaigns\r\nSamples pulled from a November 2022 campaign feature a different contact email address, fishA001[@]protonmail.com. This later changes to the catB9991 protonmail address mentioned above. This is the only difference with regard to the ransom notes. Other details such as the payment-per-day breakdown and the BTC payment address are identical.\r\nAlternate ransom note (fisha001)\r\nWe have also encountered variations which include both email addresses. When these ‘double email’ notes are appended to the head of files, they look as follows:\r\nAlternate ransom note (double-email, no BTC)\r\nThese ransom notes display all the same features minus the BTC payment address. Also missing is the requirement to submit the key file in c:\\users\\public\\key. Notes that are missing the key submission feature suggest that they are artifacts of an earlier ‘test’ version of the ransomware.\r\nBTC Payment / Blockchain Status\r\nAt the time of writing, the BTC address associated with CatB ransomware has zero transactions and a zero balance.\r\nBTC Balance for Wallet – bc1qakuel0s4nyge9rxjylsqdxnn9nvyhc2z6k27gz\r\nConclusion\r\nCatB joins a long line of ransomware families that embrace semi-novel techniques and atypical behaviors such as appending notes to the head of files. 
These behaviors appear to be implemented in the interest of detection evasion and some level of anti-analysis trickery. For example, many environments rely solely on the appearance of ransom notes to alert them to a potential ransomware outbreak. This is not the case with CatB.\r\nDespite that, the threat lacks overall sophistication, and a modern, properly configured XDR/EDR solution should alert quickly upon initiation of a CatB attack in the environment.\r\nSentinelOne Singularity™ fully prevents and protects customers against malicious behaviors associated with CatB Ransomware.\r\nIndicators of Compromise\r\nSHA1 CatB Samples\r\nEmail addresses\r\ncatB9991[at]protonmail[.]com\r\nfishA001[at]protonmail[.]com\r\nBTC Wallets\r\nbc1qakuel0s4nyge9rxjylsqdxnn9nvyhc2z6k27gz",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/"
	],
	"report_names": [
		"decrypting-catb-ransomware-analyzing-their-latest-attack-methods"
	],
	"threat_actors": [],
	"ts_created_at": 1775434354,
	"ts_updated_at": 1775791331,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed3bc64c6c42f77ee8fb0417e781b5778b5357bb.pdf",
		"text": "https://archive.orkl.eu/ed3bc64c6c42f77ee8fb0417e781b5778b5357bb.txt",
		"img": "https://archive.orkl.eu/ed3bc64c6c42f77ee8fb0417e781b5778b5357bb.jpg"
	}
}