Description
BlackMatter ransomware group claims to be Darkside and REvil successor.
SHA256 | b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7 |
Size | 78KB |
ID | 211024-srmaaafdck |
MD5 | 5e2a1323dbf28eac8b3f4df9cb4f2d45 |
SHA1 | af77a09387df4ec967a8314ba0f93da0ef8e57ee |
SHA512 | c2ba4f7458298129a8d2f1ac50640601d59086048ecc8d3d88985c31edf4014e4f4838308192ab39fb21d71a9b362a38a93edff58b570ec6f5ccfb940d871b94 |
Family | blackmatter |
Version | 2.0 |
Botnet | d58b3b69acc48f82eaa82076f97763d4 |
C2 | https://mojobiden.com, http://mojobiden.com, https://nowautomation.com, http://nowautomation.com |
Attributes | attempt_auth false; create_mutex true; encrypt_network_shares true; exfiltrate true; mount_volumes true |
rsa_pubkey.base64 | |
aes.base64 | |
Path | \??\Z:\f5yX7OyXn.README.txt |
Family | blackmatter |
Ransom Note |
~+
* +
' BLACK |
() .-.,='``'=. - o -
'=/_ \ |
* | '=._ |
\ `=./`, '
. '=.__.=' `=' *
+ Matter +
O * ' .
>>> What happens?
Your network is encrypted, and currently not operational.
We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.
>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption and we will delete your data.
If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals.
We always keep our promises.
>>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O3KTUJZRE6CB4Q1OBR
>>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
|
URLs |
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O3KTUJZRE6CB4Q1OBR |
Signatures
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Ransomware generally changes the extension on encrypted files.
Attempts to read the root path of hard drives other than the default C: drive.