Manuel Statik Analiz (LLM Okumali) — Black Basta Ransomware (Linux ESXi Sifreleyici) | Tehdit: KRITIK
文件 Kimligi
| SHA256 | a8894d8a71082d2a2d8799129eada9db0b280af6bfca02e9c3f214890bc67ea3 |
|---|---|
| Platform | Linux ELF (64-bit) |
| Hedef | VMware ESXi sunuculari |
| 大小 | 174.272 byte |
| Dil | C++ (GCC, ghc::filesystem) |
TOR C2 / Fidye Iletisim (Cleartext)
Kritik IOC: TOR hidden service adresi binary icerisinde cleartext olarak bulunmaktadir.
| TOR Onion URL | https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ |
|---|---|
| TOR Browser | https://torproject.org |
Fidye Notu (Cleartext String)
DECRYPTION
Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
You can contact us and decrypt one file for free on this TOR site
(you should download and install TOR browser first https://torproject.org)
https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
You can contact us and decrypt one file for free on this TOR site
(you should download and install TOR browser first https://torproject.org)
https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
Gelistirici Izi
C:/Users/dssd/Desktop/src Kullanici adi: dssd Proje: Desktop/src (dogrudan masaustu uzerinde gelistirilmis)
Teknik Ozellikler
- Linux ELF — VMware ESXi hipervizor ortamlarini hedefler
- ghc::filesystem C++ kutuphanesi ile dosya sistemi gezintisi
- pthread — coklu is parcacigi ile paralel sifreleme
- Cift gasp (double extortion): hem veri cikarimi hem de sifreleme
- Sifreleme sureleri loglanir: "Done time: X.XXXX seconds, encrypted: X.XXXX gb"
Black Basta Hakkinda
Black Basta, 2022 yilinda ortaya cikan ve Conti ransomware grubunun dagilmasinin ardından kurulan bir fidye yazilimi operasyonudur. Hem Windows hem de Linux (ESXi) hedefler. Cift gasp yontemiyle kurbanlardan hem sifre cozme ucreti hem de veri silmesi ucreti talep eder.
IOC
| SHA256 | a8894d8a71082d2a2d8799129eada9db0b280af6bfca02e9c3f214890bc67ea3 |
|---|---|
| TOR C2 | aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion |
| Platform | Linux ELF (ESXi hedefi) |
| PDB Dev | dssd |
BlackBasta — 恶意软件档案
Black Basta ransomware grubu loaer/dropper. Microsoft Office Setup Engine (ose.pdb) olarak gizlenir. Global\OfficeSourceEngine64Mutex sahte mutex. Self-modifying .ex_cod section. Minimal import + runtime GetProcAddress API cozme. WinHttp C2. Token manipulasyonu.
恶意软件类型
Ransomware
编程语言
C++
C2协议
—
目标系统
Windows/Linux
能力与行为
Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)
IOC列表 (1 个指标)
IOC — BlackBasta
# SHA256
a8894d8a71082d2a2d8799129eada9db0b280af6bfca02e9c3f214890bc67ea3
| 类型 | 值 | 备注 |
|---|---|---|
| sha256 | a8894d8a71082d2a2d8799129eada9db0b280af6bfca02e9c3f214890bc67ea3 |
C2服务器 (该家族共有 1 台已记录服务器)
| 地址 | 类型 | 端口 | 协议 | 状态 | 国家 |
|---|---|---|---|---|---|
| aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion | domain | 443 | — | inactive | — |
C2 地址仅来自 KEYDAL 团队人工验证的恶意软件样本。禁止用于商业用途。