General
-
Target
2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.zip
-
Size
41KB
-
Sample
210922-yh7shsdfh9
-
MD5
b4c2e464602a284fff7b7ff35f5cf863
-
SHA1
7e3a50919f7c8f3a683fbf39b3e01b6cafc444e1
-
SHA256
e146f17a53300e19ec480d069b341688127d46198ff0fdd0e059914130d56f56
-
SHA512
da3245f9e0f90a1c8ecc5adfd4ecc7cb1de9aebbe55e27f6f033ffd47005010c704a80e7fb7290503f327545487202b213d2de1c4b9fb1e442f94e0533aab025
Static task
static1
Behavioral task
behavioral1
Sample
2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.exe
Resource
win10-en-20210920
Malware Config
Extracted
Family
blackmatter
-
Version
2.0
-
Botnet
e4aaffc36f5d5b7d597455eb6d497df5
-
Credentials
Protocol: smtp Host: Port: 587 Username: pklages@spectrumfurniture.com Password: BBis#1ec
Protocol: smtp Host: Port: 587 Username: BackupExec@spectrumfurniture.com Password: k8DbBSZYWWnr0QqrILoo
Protocol: smtp Host: Port: 587 Username: admin@Northwoods.com Password: Smokie@CF
-
C2
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com
-
Attributes
attempt_auth true
create_mutex true
encrypt_network_shares true
exfiltrate true
mount_volumes true
-
rsa_pubkey.base64
(empty)
-
aes.base64
(empty)
Extracted
Path
C:\1rWCqamCt.README.txt
-
Family
blackmatter
-
Ransom Note
[ASCII-art "BLACK Matter" banner]
>>> What happens?
Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.
>>> What data stolen?
From your network was stolen 250 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media.
Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/YdWh7oMKjT/13f1a8efc53e2fa712813f4c39147a79
>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises.
>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/5AZHJFLKJNPOJ4F5O5T
>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
-
URLs
http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/YdWh7oMKjT/13f1a8efc53e2fa712813f4c39147a79
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/5AZHJFLKJNPOJ4F5O5T
Targets
-
-
Target
2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.exe
-
Size
79KB
-
MD5
18c7c940bc6a4e778fbdf4a3e28151a8
-
SHA1
f3589918d71b87c7e764479b79c4a7b485cb746a
-
SHA256
2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2
-
SHA512
6e808fe882640a517c2054fdece73059c7ea3e27a946e55f41b91fd0f757dcd8c76be8f381f60f3e45449edebaa4f620b903337727607f7768543b1acec40d18
Score
10/10
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be the successor of Darkside and REvil.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation