General

  • Target

    6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db

  • Size

    71KB

  • Sample

    210825-dx5ygg43dx

  • MD5

    10aa058a3ac49e016cad7987b8e09886

  • SHA1

    cca6682330a819592c3b1ea0448ceb4e141593dc

  • SHA256

    6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db

  • SHA512

    f115fb62b1ca5e18f6340d42ff4393e2b175917312ae1cc14e7a6a9322cf8adaf22457bc8213e2baafdc2cb19d5db1e5a9c003155cbf142d5a08604495e22f6e

Malware Config

Extracted

Family

blackmatter

Version

1.6

Botnet

32bd08ad5e5e881aa2634621d611a1a5

Credentials
C2

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    true

  • create_mutex

    false

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Path

C:\1rWCqamCt.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 500 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: %BLOG_URL% >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/OYPF561W4U8HVA0NLVCKJCZB >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/OYPF561W4U8HVA0NLVCKJCZB

Targets

    • Target

      6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db

    • Size

      71KB

    • MD5

      10aa058a3ac49e016cad7987b8e09886

    • SHA1

      cca6682330a819592c3b1ea0448ceb4e141593dc

    • SHA256

      6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db

    • SHA512

      f115fb62b1ca5e18f6340d42ff4393e2b175917312ae1cc14e7a6a9322cf8adaf22457bc8213e2baafdc2cb19d5db1e5a9c003155cbf142d5a08604495e22f6e

    Score
    10/10
    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks