General
-
Target
d4647619fa2dc8fef5560d1662cbee6eb7dc95298dd40edf12dd4c8ee902d767.bin.sample
-
Size
79KB
-
Sample
210920-pyvy8aggfr
-
MD5
2c4a733c7eb5b67e02046345d844879d
-
SHA1
a975d15879946ee827be5a5f7ffcf5bc60c93d71
-
SHA256
d4647619fa2dc8fef5560d1662cbee6eb7dc95298dd40edf12dd4c8ee902d767
-
SHA512
6d3f8f111752fa722a02f231b5d40edc19d14dccf26c32ebb9fe1fde5e4e889a2562c9049476679a18dafaddaf0287e5ba2dff7ef9055a31f36eeeb41019025c
Static task
static1
Behavioral task
behavioral1
Sample
d4647619fa2dc8fef5560d1662cbee6eb7dc95298dd40edf12dd4c8ee902d767.bin.sample.exe
Resource
win7-en-20210916
Behavioral task
behavioral2
Sample
d4647619fa2dc8fef5560d1662cbee6eb7dc95298dd40edf12dd4c8ee902d767.bin.sample.exe
Resource
win10v20210408
Malware Config
Extracted
blackmatter
2.0
e4aaffc36f5d5b7d597455eb6d497df5
Protocol: smtp- Port:
587 - Username:
[email protected] - Password:
BBis#1ec
Protocol: smtp- Port:
587 - Username:
[email protected] - Password:
k8DbBSZYWWnr0QqrILoo
Protocol: smtp- Port:
587 - Username:
[email protected] - Password:
Smokie@CF
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
C:\SykSKioSK.README.txt
blackmatter
http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/YdWh7oMKjT/13f1a8efc53e2fa712813f4c39147a79
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/5AZHJFLKJNPOJ4F5O5T
Targets
-
-
Target
d4647619fa2dc8fef5560d1662cbee6eb7dc95298dd40edf12dd4c8ee902d767.bin.sample
-
Size
79KB
-
MD5
2c4a733c7eb5b67e02046345d844879d
-
SHA1
a975d15879946ee827be5a5f7ffcf5bc60c93d71
-
SHA256
d4647619fa2dc8fef5560d1662cbee6eb7dc95298dd40edf12dd4c8ee902d767
-
SHA512
6d3f8f111752fa722a02f231b5d40edc19d14dccf26c32ebb9fe1fde5e4e889a2562c9049476679a18dafaddaf0287e5ba2dff7ef9055a31f36eeeb41019025c
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-