b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7

General
Target

b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7

Size

78KB

Sample

211021-qjbsgaada3

Score

10/10
MD5

5e2a1323dbf28eac8b3f4df9cb4f2d45

SHA1

af77a09387df4ec967a8314ba0f93da0ef8e57ee

SHA256

b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7

SHA512

c2ba4f7458298129a8d2f1ac50640601d59086048ecc8d3d88985c31edf4014e4f4838308192ab39fb21d71a9b362a38a93edff58b570ec6f5ccfb940d871b94

Malware Config

Extracted

Family blackmatter
Version 2.0
Botnet d58b3b69acc48f82eaa82076f97763d4
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Path C:\6amPnJyPq.README.txt
Family blackmatter
Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' .

>>> What happens?
Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.

>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises.

>>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O3KTUJZRE6CB4Q1OBR

>>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O3KTUJZRE6CB4Q1OBR

Targets
Target

b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be the DarkSide and REvil successor.
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

  • Sets desktop wallpaper using registry

    TTPs

    Defacement, Modify Registry

  • Suspicious use of NtSetInformationThreadHideFromDebugger
