General
Target: 2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd.bin.sample
Size: 78KB
Sample: 210920-py7b9aebd9
MD5: 6e5986761cea340dce2efd4cf4f3790c
SHA1: 4a8ca4b5c04112a753e9ff5989b80f0b12e13654
SHA256: 2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd
SHA512: 8df4406a8807978df8690cb578cd00f8d22c2ad5ff78b8d87806484adcde2eaa2901f1da100c31f1538da0503043c78cb3856d0592af2f094901d864956b83af
Static task: static1
Behavioral task: behavioral1
  Sample: 2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd.bin.sample.exe
  Resource: win7-en-20210916
Behavioral task: behavioral2
  Sample: 2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd.bin.sample.exe
  Resource: win10-en
Malware Config
Extracted
blackmatter
2.0
6bed8cf959f0a07170c24bb972efd726
Protocol: smtp - Port: 587 - Username: Administrator@rpi - Password: P0w3rPl4g
Protocol: smtp - Port: 587 - Username: 2fatest@rpi - Password: poiu-0987
Protocol: smtp - Port: 587 - Username: 2fauser@rpi - Password: 1strongpassword!
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com
attempt_auth: true
create_mutex: true
encrypt_network_shares: true
exfiltrate: true
mount_volumes: true
Extracted
C:\SykSKioSK.README.txt
blackmatter
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/GBSLNRB4NL0OG6FX
Targets
Target: 2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd.bin.sample
Score: 10/10
- BlackMatter Ransomware: the BlackMatter ransomware group claims to be the successor of Darkside and REvil.
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Loads dropped DLL
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger