General
-
Target
9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a
-
Size
78KB
-
Sample
211005-mj2gcahheq
-
MD5
d298d54961823dd20b7a4d14b9326964
-
SHA1
5b70fd4f2ef2000cf2af1d2eb8a5158cc8802c90
-
SHA256
9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a
-
SHA512
64be2de822607f8d85066a972468528706133cc3133f90f0fb51cd5874e83d0bce5d240d9aabc021730dbd654a26069933850db5de895011fc4d4045564ba6ca
Static task
static1
Behavioral task
behavioral1
Sample
9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a.exe
Resource
win10-en-20210920
Malware Config
Extracted
blackmatter
2.0
d73c69209fbe768d5fa7ffbcad509c66
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
C:\1rWCqamCt.README.txt
blackmatter
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/1ILW209PJZUAJJEX
Targets
-
-
Target
9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a
-
Size
78KB
-
MD5
d298d54961823dd20b7a4d14b9326964
-
SHA1
5b70fd4f2ef2000cf2af1d2eb8a5158cc8802c90
-
SHA256
9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a
-
SHA512
64be2de822607f8d85066a972468528706133cc3133f90f0fb51cd5874e83d0bce5d240d9aabc021730dbd654a26069933850db5de895011fc4d4045564ba6ca
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-