General

  • Target

    5602495258853376.zip

  • Size

    1.1MB

  • Sample

    210823-x3sw7v2l5s

  • MD5

    a3d5610af86633ee689b53347b95c30b

  • SHA1

    975c08c0a41d9a2819e52d2da22d9106bee06781

  • SHA256

    08dca840a349cd814b1f5aae53ba95f204c8207d02b44561f5760482eb84fbfe

  • SHA512

    b47484821c809412402e8049b25260dd917d3094be0c94ad0f7439a02ae7c648769fa4720f69f01da626d929eb60c33d18e4c4a3763fa86217ad21641133133a

Malware Config

Extracted

Family

blackmatter

Version

1.4

Botnet

caa0d21adc7bdc4dc424497512a8f37d

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Path

C:\UCzUExPUL.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 100 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: %BLOG_URL% >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/8ZHJ2G2FJDX9JSHTA6S >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/8ZHJ2G2FJDX9JSHTA6S

Targets

    • Target

      cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7

    • Size

      1.3MB

    • MD5

      da3ab4d40944c077f92e52d2c1de8fca

    • SHA1

      6676ef8826b9e5419958761f3a71464105290288

    • SHA256

      cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7

    • SHA512

      1dcc1259105c730fff76e518d7d57bce8cacacfebc05cf7b3294ccdbf8286635bfe43532f7a19507d3fd42973429f2c9335d031cbd473b356cba1bab79ce318a

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Impact

Defacement

1
T1491

Tasks