General
-
Target
5095304324087808.zip
-
Size
41KB
-
Sample
210806-fp1dtwm7yn
-
MD5
4e72c0ce46a26305c198196e03d90035
-
SHA1
99b59b404fb31d3938a23181c1e02acef134678c
-
SHA256
02ec55a8f4f97a84370ca72b03912ae8625d344b7bd1af92a2de4b636183f2ab
-
SHA512
fa4c2e5f711dcf5b4546d95bc49b7ae088cb2a1bc88d9816dfab942e53a987eb582400667c1f4a78e7a95990be843d789241b837c075451de7f402af71603187
Static task
static1
Behavioral task
behavioral1
Sample
22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
Resource
win10v20210410
Malware Config
Extracted
blackmatter
1.2
512478c08dada2af19e49808fbda5b0b
Protocol: smtp- Port:
587 - Username:
[email protected] - Password:
120Heisler
Protocol: smtp- Port:
587 - Username:
[email protected] - Password:
Tesla2019
Protocol: smtp- Port:
587 - Username:
[email protected] - Password:
iteam8**
https://paymenthacks.com
http://paymenthacks.com
https://mojobiden.com
http://mojobiden.com
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
C:\tgln8vJnC.README.txt
blackmatter
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV
Targets
-
-
Target
22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
-
Size
67KB
-
MD5
598c53bfef81e489375f09792e487f1a
-
SHA1
80a29bd2c349a8588edf42653ed739054f9a10f5
-
SHA256
22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
-
SHA512
6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-