- First seen: November 2021
- Aliases: ALPHV
- Samples:
- bb6b249336cd7001b1c55d3724b5e35a150e752ed795c36e0d5dcba00eedb62a | windows | ransom | pe
- bcb6783f3b526198d2ae54ec12690a6032c41b9c791eef81c182b308f16fd1b6 | windows | ransom | pe
- 5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42 | linux | ransom | elf
- f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6 | linux | ransom | elf
Property | Value |
---|---|
Size | 3077632 bytes |
CRC32 | 0x694a915c |
MD5 | bb894b37728d740eefae61bcf764f451 |
SHA1 | 097341af552574417e3f0d639655f05d1eed9af0 |
SHA256 | bb6b249336cd7001b1c55d3724b5e35a150e752ed795c36e0d5dcba00eedb62a |
SHA512 | 62d7532bdce2eddab5b0f3121bbbcd3b2aa5a70b6f083f4c49e8a2c53414ecd2727ff9f2ed5db9c31c2af00cb04cdb2dbb865a5e94f35e6e4e683a2b5f6a2870 |
Ssdeep | 49152:oQMCsLWDIxeaBzz82uJ6sPBO/syljUnWuNlz5JkiHKAzQmy7:PO7xei83ksPBqanNz7kiHKA |
Magic | PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows |
Packer | PE: linker: unknown(2.35)[EXE32,console] |
TrID | 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13); 23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5); 9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2); 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1); 6.4% (.EXE) Win32 Executable (generic) (4505/5/1) |
- Avast: Win32:RansomX-gen [Ransom]
+ Avira: clean
- Bitdefender: Gen:Variant.Fragtor.80966
- Clamav: Win.Ransomware.BlackCat-9974801-0
- Comodo: Malware
- Drweb: Trojan.Encoder.35107
- Eset: Win32/Filecoder.BlackCat.A
- Fsecure: Heuristic.HEUR/AGEN.1250038
- Kaspersky: HEUR:Trojan-Ransom.Win32.Generic
+ Mcafee: clean
+ Sophos: clean
- Symantec: Trojan Horse
- Trendmicro: Ransom.Win32.BLACKCAT.SMYPCC5
- Windefender: Ransom:Win32/BlackCat.A
Property | Value |
---|---|
Size | 3148288 bytes |
CRC32 | 0xb3490ac9 |
MD5 | e098e625b41c021b883a117b6967a5dc |
SHA1 | 8b6d29060f12ffa095fafb9ee6b33515f10fb70d |
SHA256 | bcb6783f3b526198d2ae54ec12690a6032c41b9c791eef81c182b308f16fd1b6 |
SHA512 | 55d82fbbae1031ac4fcaac6f3b5edd2e1c9e7d346ef3ab3ace28f30ec899d3113366cf6d95171f01ed82965611a595db6d76a662543b93d1d992a35946420713 |
Ssdeep | 49152:VOOMlMM5YDH5FCfB6u8mlyoTPejk62zuDOIXmfaNuj0yCetf6rkidAmE00pZc:VOblMM5yHfiBAD0Sk6262b0gSkidS |
Magic | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
Packer | PE: linker: unknown(2.35)[EXE32] |
TrID | 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13); 23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5); 9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2); 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1); 6.4% (.EXE) Win32 Executable (generic) (4505/5/1) |
- Avast: Win32:RansomX-gen [Ransom]
+ Avira: clean
- Bitdefender: Gen:Variant.Fragtor.80966
- Clamav: Win.Ransomware.BlackCat-9974801-0
+ Comodo: clean
+ Drweb: clean
- Eset: Win32/Filecoder.BlackCat.A
- Fsecure: Heuristic.HEUR/AGEN.1250038
- Kaspersky: HEUR:Trojan-Ransom.Win32.Generic
+ Mcafee: clean
+ Sophos: clean
+ Symantec: clean
- Trendmicro: Ransom.Win32.BLACKCAT.SMYPCC5
- Windefender: Ransom:Win32/BlackCat.A
Property | Value |
---|---|
Size | 1922576 bytes |
CRC32 | 0xea9935b0 |
MD5 | 843001980e5073c7f0ea8b56873246b8 |
SHA1 | 36dff07387cf3f2393339d30d0672fcbccc7a73c |
SHA256 | 5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42 |
SHA512 | 4b0ddafb90a68db39fdd6294b55c468f66d60e11c784f3ea2e6635b252e704aacc356d500dee78a324b001b05968b7539d140478fe4432cebaf95d1a4e15df3e |
Ssdeep | 49152:PqMp864yQytAAd//l/GZLGv5REytsEJrtYWdl:PqMalgAAtlBRRF2y |
Magic | ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=3fb8f32a3c4ac31cbeba467531812e78df928108, stripped |
Packer | ELF: library: GLIBC(2.9)[shared object 386-32]; ELF: compiler: gcc(3.X)[shared object 386-32] |
TrID | 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12); 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1) |
- Avast: ELF:Filecoder-CX [Trj]
- Avira: Linux/Ransom.otvgv
- Bitdefender: Trojan.Ransom.BlackCatALPHV.D
- Clamav: Unix.Ransomware.BlackCat-9974916-0
- Comodo: Malware
- Drweb: Linux.Encoder.116
- Eset: Linux/Filecoder.BlackCat.A
- Fsecure: Malware.LINUX/Ransom.otvgv
- Kaspersky: HEUR:Trojan-Ransom.Linux.Agent.m
- Mcafee: Linux/BlackCat
- Sophos: Troj/Ransom-GMN
- Symantec: Trojan.Gen.NPE
- Trendmicro: Ransom.Linux.BLACKCAT.SMYXBL1A
- Windefender: Ransom:Linux/BlackCat.A!MTB
Property | Value |
---|---|
Size | 1922056 bytes |
CRC32 | 0x491e131 |
MD5 | 79fea7f741760ea21ff655137af05bd0 |
SHA1 | 9146a448463935b47e29155da74c68d16e0d7031 |
SHA256 | f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6 |
SHA512 | 71246846d806ab436bd54973ca86d351736c2c03fc14e6273591f287c49cf79c148bd7d3d99b9725169728e20fdbd75be2e5d91a008aa5b176833574c414e14e |
Ssdeep | 49152:Sqem+lTdKGwpizjdRVdjezCFvw9b28vXUG3ao3torK:Sqer/FdjezChPrK |
Magic | ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b083ba86139be14d1de8f36a22c92dd8a7e9140b, stripped |
Packer | ELF64: library: GLIBC(2.9)[shared object AMD64-64]; ELF64: compiler: gcc(3.X)[shared object AMD64-64] |
TrID | 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12); 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1) |
- Avast: ELF:Filecoder-CX [Trj]
- Avira: Linux/Ransom.trarj
- Bitdefender: Trojan.Ransom.BlackCatALPHV.E
- Clamav: Unix.Ransomware.BlackCat-9974916-0
- Comodo: Malware
- Drweb: Linux.Encoder.116
- Eset: Linux/Filecoder.BlackCat.A
- Fsecure: Malware.LINUX/Ransom.trarj
- Kaspersky: HEUR:Trojan-Ransom.Linux.Agent.m
+ Mcafee: clean
- Sophos: Troj/Ransom-GMN
- Symantec: Trojan.Gen.NPE
- Trendmicro: Ransom.Linux.BLACKCAT.SMYXBL1
- Windefender: Ransom:Linux/BlackCat.A!MTB
- https://github.com/f0wl/blackCatConf
- https://blog.group-ib.com/blackcat
- https://www.varonis.com/blog/blackcat-ransomware
- https://unit42.paloaltonetworks.com/blackcat-ransomware/
- https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/
- https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware
- https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
- https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive/