General
-
Target
4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b.bin.sample
-
Size
78KB
-
Sample
210921-qkwh9shfb8
-
MD5
62a70f74d6ac64829a8a31e306e9d41d
-
SHA1
ec26b38a29549272cc5f0cf548e208030ff114b0
-
SHA256
4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b
-
SHA512
0bd94273735921ca43b2c12e1e9c1aba158c2f825621d1a3daa8bafecf652ea35f68bc12a748fe583429b698dc51ce4f39194129daf5521996d2d9faceb3a372
Static task
static1
Behavioral task
behavioral1
Sample
4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b.bin.sample.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b.bin.sample.exe
Resource
win10v20210408
Malware Config
Extracted
blackmatter
2.0
b0e039b42ef6c19c2189651c9f6c390e
Protocol: smtp - Port: 587 - Username: [email protected] - Password: Rubcabher96
Protocol: smtp - Port: 587 - Username: [email protected] - Password: Alsa2003
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
false
-
mount_volumes
true
Extracted
C:\chkvc3MvG.README.txt
blackmatter
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/LH2WLI60XU9O283RYADWV
Targets
-
Target
4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b.bin.sample
-
Score
10/10
-
BlackMatter Ransomware
The BlackMatter ransomware group claims to be the successor to Darkside and REvil.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-