General
-
Target
BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c
-
Size
79KB
-
Sample
211015-skexmabgfn
-
MD5
f1c260c31b9d3f9ff54a142d508ec602
-
SHA1
6b25c80e8b2dca94ea6b6a95745a496ec0bcabd3
-
SHA256
2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c
-
SHA512
9412a185d008ded02e2061cd4e998222071923f6260ecdcc9a3f1969ea2aa89a9493866e13450d82b8ab390ec78b24d7ba82a6e2618d11cf27d67f43a7d39d6a
Static task
static1
Behavioral task
behavioral1
Sample
BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe
Resource
win10-en-20211014
Malware Config
Extracted
blackmatter
1.9
28cc82fd466e0d0976a6359f264775a8
https://mojobiden.com
http://mojobiden.com
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
C:\chkvc3MvG.README.txt
blackmatter
https://prnt.sc/1o6e5a2
https://prnt.sc/1o6ei7g
https://prnt.sc/1o6exr8
https://prnt.sc/1o6fbxu
https://prnt.sc/1o6fvkn
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/EBVCVJNCPM6A3NKJ
Targets
-
-
Target
BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c
-
Size
79KB
-
MD5
f1c260c31b9d3f9ff54a142d508ec602
-
SHA1
6b25c80e8b2dca94ea6b6a95745a496ec0bcabd3
-
SHA256
2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c
-
SHA512
9412a185d008ded02e2061cd4e998222071923f6260ecdcc9a3f1969ea2aa89a9493866e13450d82b8ab390ec78b24d7ba82a6e2618d11cf27d67f43a7d39d6a
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-