General

  • Target

    e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d

  • Size

    79KB

  • Sample

    211005-mjgf6shfa8

  • MD5

    5de71f0e1ad0e2c2968153809ffaff05

  • SHA1

    f023f314327acd96cd8a0f8e32451b2d2dee61d0

  • SHA256

    e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d

  • SHA512

    2fce4fbdf3bc7e0dfa9cc90581c08ea6578522c65891e12359bd464b1ea007006979491b9049e4a20fabd196bf321275cc003d537236c2bd5bf8826f85543c05

Malware Config

Extracted

Family

blackmatter

Version

2.0

Botnet

e4aaffc36f5d5b7d597455eb6d497df5

Credentials
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Path

C:\1rWCqamCt.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 250 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/YdWh7oMKjT/13f1a8efc53e2fa712813f4c39147a79 >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/5AZHJFLKJNPOJ4F5O5T >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/YdWh7oMKjT/13f1a8efc53e2fa712813f4c39147a79

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/5AZHJFLKJNPOJ4F5O5T

Targets

    • Target

      e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d

    • Size

      79KB

    • MD5

      5de71f0e1ad0e2c2968153809ffaff05

    • SHA1

      f023f314327acd96cd8a0f8e32451b2d2dee61d0

    • SHA256

      e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d

    • SHA512

      2fce4fbdf3bc7e0dfa9cc90581c08ea6578522c65891e12359bd464b1ea007006979491b9049e4a20fabd196bf321275cc003d537236c2bd5bf8826f85543c05

    Score
    10/10
    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks