General
Target: 01.exe
Size: 78KB
Sample: 211022-hgh5rsbbh2
MD5: 5e2a1323dbf28eac8b3f4df9cb4f2d45
SHA1: af77a09387df4ec967a8314ba0f93da0ef8e57ee
SHA256: b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7
SHA512: c2ba4f7458298129a8d2f1ac50640601d59086048ecc8d3d88985c31edf4014e4f4838308192ab39fb21d71a9b362a38a93edff58b570ec6f5ccfb940d871b94
Static task: static1
Behavioral task: behavioral1 (Sample: 01.exe; Resource: win7-en-20210920)
Behavioral task: behavioral2 (Sample: 01.exe; Resource: win10-en-20211014)
Malware Config
Extracted: blackmatter
2.0
d58b3b69acc48f82eaa82076f97763d4
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com
- attempt_auth: false
- create_mutex: true
- encrypt_network_shares: true
- exfiltrate: true
- mount_volumes: true
Extracted: C:\chkvc3MvG.README.txt (blackmatter)
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O3KTUJZRE6CB4Q1OBR
Targets
Target: 01.exe
Size: 78KB
MD5: 5e2a1323dbf28eac8b3f4df9cb4f2d45
SHA1: af77a09387df4ec967a8314ba0f93da0ef8e57ee
SHA256: b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7
SHA512: c2ba4f7458298129a8d2f1ac50640601d59086048ecc8d3d88985c31edf4014e4f4838308192ab39fb21d71a9b362a38a93edff58b570ec6f5ccfb940d871b94
Score: 10/10
Signatures:
- BlackMatter Ransomware: the BlackMatter ransomware group claims to be the successor of Darkside and REvil.
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger