General
-
Target
c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe
-
Size
67KB
-
Sample
211005-pr879shgb7
-
MD5
639bb7abbd9bc6a9c275d0bf9555b610
-
SHA1
e4831da0e8fe5f0a01cd42693e607bc611423c16
-
SHA256
c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe
-
SHA512
f01621fab7ba598b80d52675c20d0d4bb4749b91df3298ee1bd6d6d410eb54d091677f85a2d4673eb9dc3d8cff6f4a328735226de0f5a01bd314dbe6d9af92aa
Static task
static1
Behavioral task
behavioral1
Sample
c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll
Resource
win7v20210408
Behavioral task
behavioral2
Sample
c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll
Resource
win10-en-20210920
Malware Config
Extracted
blackmatter
1.2
bab21ee475b52c0c9eb47d23ec9ba1d1
https://paymenthacks.com
http://paymenthacks.com
https://mojobiden.com
http://mojobiden.com
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
C:\AVx2lZV2X.README.txt
blackmatter
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R
Targets
-
-
Target
c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe
-
Size
67KB
-
MD5
639bb7abbd9bc6a9c275d0bf9555b610
-
SHA1
e4831da0e8fe5f0a01cd42693e607bc611423c16
-
SHA256
c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe
-
SHA512
f01621fab7ba598b80d52675c20d0d4bb4749b91df3298ee1bd6d6d410eb54d091677f85a2d4673eb9dc3d8cff6f4a328735226de0f5a01bd314dbe6d9af92aa
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Blocklisted process makes network request
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-