Overview

overview

10

Static

static

8

EIS.exe

windows7_x64

10

EIS.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    EIS.7z

  • Size

    4.5MB

  • Sample

    210901-1825s4jkrx

  • MD5

    e1dac45d856eb4f1752296bb575f499a

  • SHA1

    b4a724f4b840cc1b6a252aa2f6343843e4a837c0

  • SHA256

    71cce9f320438c262364504a1b0f735f312a399063cce4336d9606ff5950b336

  • SHA512

    537c4f54226e44a572a844e522a24d436c729a2ca8455d0eb03d84c3febcbe6c440dd64c48537024ea68b3a2607f0cec3520e6aa3748b508184af260c4955a69

Score
10/10
blackmatterb8726db5d916731db5625cfc30c4f7d9ransomwarevmprotect

Malware Config

Extracted

Path

C:\1rWCqamCt.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> Hello Eisvogel Hubert Bernegger GmbH >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen of data. If you do not contact us we will publish all your data will send it to the biggest mass media and your customers. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/5PBOYRSETHVDBDPTL >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/5PBOYRSETHVDBDPTL

Extracted

Family

blackmatter

Version

2.0

Botnet

b8726db5d916731db5625cfc30c4f7d9

Attributes
  • attempt_auth

    false

  • create_mutex

    false

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Targets

    • Target

      EIS.exe

    • Size

      4.8MB

    • MD5

      3df675b0800e6fc57c81271c440327c4

    • SHA1

      361aaa051121753358ea49bfd05716cdd38fe492

    • SHA256

      c3cc8efd60b85139c9b9f4c62c56ffbafde26c1b22cd7b339a371afde7fc513b

    • SHA512

      321f4b2e5dda2b39268ea057df02f49e96a6ab8461fa9e0ed970202b9a934e816f4885c33534dad35f0301fb1046303a9d2b2207293947997db54e307cc4f06b

    Score
    10/10
    blackmatterb8726db5d916731db5625cfc30c4f7d9ransomwarevmprotect

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks