Description
BlackMatter ransomware group claims to be the successor of Darkside and REvil.

Filename | blackmatter.zip
Size | 10MB
Analysis ID | 211122-qgyt8afeem
MD5 | e1f207575fc9231e6ab7dbe2a7f55d5b
SHA1 | 3f701a77482c54c811c661dc21520e166769c511
SHA256 | bf9511517f610387d714553bed6ff59d55c21cd0aa18ae00714585e699a332a3
SHA512 | 5a8717cfe195056d89f40d4be7b2c9a4bb85df763667a342545855366f58b7f5d627f6ed44ed380fdcf7440f569ff4f4f8a129ee41da0673bcba2b5570fe8c56
Family | blackmatter
Version | 1.2
Botnet | 512478c08dada2af19e49808fbda5b0b
Credentials | 3 embedded username/password pairs (values not reproduced)
C2 | https://paymenthacks.com, http://paymenthacks.com, https://mojobiden.com, http://mojobiden.com
Attributes | attempt_auth=true, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | 14a875a2bd63041b2b3e5c323e8d5eee
Credentials | 7 embedded username/password pairs (values not reproduced)
C2 | https://mojobiden.com, http://mojobiden.com, https://nowautomation.com, http://nowautomation.com
Attributes | attempt_auth=true, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 1.2
Botnet | bab21ee475b52c0c9eb47d23ec9ba1d1
C2 | https://paymenthacks.com, http://paymenthacks.com, https://mojobiden.com, http://mojobiden.com
Attributes | attempt_auth=false, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | b368c1ee6bca2086d8169628466c0d3b
Attributes | attempt_auth=false, create_mutex=false, encrypt_network_shares=true, exfiltrate=false, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | 04bdf8557fa74ea0e3adbd2975efd274
C2 | mepocs memtas veeam svc$ backup sql vss msexchange
Attributes | attempt_auth=true, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | 5791ae39aeab40b5e8e33d8dce465877
Attributes | attempt_auth=false, create_mutex=true, encrypt_network_shares=true, exfiltrate=false, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 1.9
Botnet | 28cc82fd466e0d0976a6359f264775a8
C2 | https://mojobiden.com, http://mojobiden.com
Attributes | attempt_auth=false, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | 207aab0afc614ac68359fc63f9665961
C2 | https://fluentzip.org, http://fluentzip.org
Attributes | attempt_auth=false, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | 6bed8cf959f0a07170c24bb972efd726
Credentials | 3 embedded username/password pairs (values not reproduced)
C2 | https://mojobiden.com, http://mojobiden.com, https://nowautomation.com, http://nowautomation.com
Attributes | attempt_auth=true, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | e4aaffc36f5d5b7d597455eb6d497df5
Credentials | 3 embedded username/password pairs (values not reproduced)
C2 | https://mojobiden.com, http://mojobiden.com, https://nowautomation.com, http://nowautomation.com
Attributes | attempt_auth=true, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | b0e039b42ef6c19c2189651c9f6c390e
Credentials | 2 embedded username/password pairs (values not reproduced)
Attributes | attempt_auth=true, create_mutex=true, encrypt_network_shares=true, exfiltrate=false, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | 24483508bccfe72e63b26a1233058170
C2 | https://mojobiden.com, http://mojobiden.com
Attributes | attempt_auth=false, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | d58b3b69acc48f82eaa82076f97763d4
C2 | https://mojobiden.com, http://mojobiden.com, https://nowautomation.com, http://nowautomation.com
Attributes | attempt_auth=false, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | 64139b5d8a3f06921a9364c262989e1f
C2 | https://mojobiden.com, http://mojobiden.com
Attributes | attempt_auth=false, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 1.6.0.2
Botnet | bab21ee475b52c0c9eb47d23ec9ba1d1
C2 | http://paymenthacks.com, http://mojobiden.com
rsa_pubkey.plain |
aes.plain |

Family | blackmatter
Version | 1.6
Botnet | 32bd08ad5e5e881aa2634621d611a1a5
Credentials | 1 embedded username/password pair (values not reproduced)
C2 | https://mojobiden.com, http://mojobiden.com
Attributes | attempt_auth=true, create_mutex=false, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | 90a881ffa127b004cec6802588fce307
Credentials | 5 embedded username/password pairs (values not reproduced)
C2 | https://mojobiden.com, http://mojobiden.com, https://nowautomation.com, http://nowautomation.com
Attributes | attempt_auth=true, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | 3e8e2ab5fbb392508535983b7446ba17
C2 | https://fluentzip.org, http://fluentzip.org
Attributes | attempt_auth=false, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 1.6
Botnet | 0c6ca0532355a106258791f50b66c153
Attributes | attempt_auth=false, create_mutex=false, encrypt_network_shares=false, exfiltrate=false, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | 09c87c28bed23dbe6ff5aa561d38766b
Attributes | attempt_auth=false, create_mutex=true, encrypt_network_shares=true, exfiltrate=false, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | 506d1d0f4ed51ecc3e9cf1839a4b21a7
Attributes | attempt_auth=false, create_mutex=false, encrypt_network_shares=true, exfiltrate=false, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 3.0
Botnet | 4e591a315c54e8800dae714320555fa5
Credentials | 3 embedded username/password pairs (values not reproduced)
C2 | https://fluentzip.org, http://fluentzip.org
Attributes | attempt_auth=true, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | d73c69209fbe768d5fa7ffbcad509c66
C2 | https://mojobiden.com, http://mojobiden.com, https://nowautomation.com, http://nowautomation.com
Attributes | attempt_auth=false, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | 879194e26a0ed7cf50f13c681e711c82
Credentials | 17 embedded username/password pairs (values not reproduced)
Attributes | attempt_auth=true, create_mutex=true, encrypt_network_shares=true, exfiltrate=false, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 1.6.0.4
Botnet | b0e039b42ef6c19c2189651c9f6c390e
C2 | http://mojobiden.com, http://nowautomation.com
rsa_pubkey.plain |
aes.plain |

Family | blackmatter
Version | 2.0
Botnet | 10d51524bc007aa845e77556cdcab174
Credentials | 4 embedded username/password pairs (values not reproduced)
C2 | https://mojobiden.com, http://mojobiden.com, https://nowautomation.com, http://nowautomation.com
Attributes | attempt_auth=true, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | 6e46d36711d8be390c2b8121017ab146
C2 | mepocs memtas veeam svc$ backup sql vss msexchange
Attributes | attempt_auth=false, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 1.2

Family | blackmatter
Version | 2.0
Botnet | 5ecf7b9cde33f85a3eec9350275b5c4f
C2 | https://mojobiden.com, http://mojobiden.com, https://nowautomation.com, http://nowautomation.com
Attributes | attempt_auth=false, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

Family | blackmatter
Version | 2.0
Botnet | d0e84579a05c8e92e95eee8f5d0000e5
Credentials | 1 embedded username/password pair (values not reproduced)
C2 | https://fluentzip.org, http://fluentzip.org
Attributes | attempt_auth=true, create_mutex=true, encrypt_network_shares=true, exfiltrate=true, mount_volumes=true
rsa_pubkey.base64 |
aes.base64 |

MD5 | b06e2455a9c7c9485b85e9bdcceb8078
SHA1 | a63304592f422656d7abcb086915f9e799ad4641
SHA256 | 072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486
SHA512 | adc0501cbb19b53ecafa4522d5369f08e013df3c06dc068f3b1b6b823bca9dfa49a93d0fe1df5fb9ae026305f720cb8923bdbb9c5b7b98fb846670dd3e51fcf9
Size | 34KB
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
Ransomware generally changes the extension on encrypted files.
Attempts to read the root path of hard drives other than the default C: drive.

MD5 | 900b7b852674521b306bb03eb991b94a
SHA1 | ed5b159b94ed5977efc1f3e05490545d7cb6a93e
SHA256 | 0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4
SHA512 | 04db23845665c6152a965d8401502588d09f6a4d30f83797cd772c179db8e445463ec5988e381d3a83789d4f20cd0378631e90560040f44a4b0b6634f373a093
Size | 79KB
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Ransomware generally changes the extension on encrypted files.
Attempts to read the root path of hard drives other than the default C: drive.

MD5 | e1f8b95beb02cd39e55cd8b31419b10f
SHA1 | c544440a305f429926cd3cad2fac4a4cf0fb31ba
SHA256 | 14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c
SHA512 | fb1f7838140de46c05ee4715aa206fc1dff0812658a843138daa7dd370bd5aa2f004ca603d768a1ac9f4c3895a937d3b700c6d302f9f0cbd0704dc4c6e723a08
Size | 66KB

MD5 | f019a40b28dd58603fa3c5194dae6cba
SHA1 | 08e09a6ef7650f5e7d4bf3fa8850ac4ca762da7d
SHA256 | 1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849
SHA512 | 22fba76bbeb356ba97412938ab882768f831273251e25b1078c8a31d720dd14c73e8977054bf24cf40952f143635b205917cc905f371499cbbc639388c3df487
Size | 79KB
Ransomware generally changes the extension on encrypted files.
Attempts to read the root path of hard drives other than the default C: drive.

MD5 | 5a8491587ab0f96ba141ae59365bc911
SHA1 | 1ab2fac4f2dc92893a9f89fc6621f66bd47cb783
SHA256 | 1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2
SHA512 | 97e760f60e4db99983d05db69776058cf2f2c5ab98adea76000001a94a24f3b23feee4464baa23cf49dfa017e331c3b8b19c9da5b696f961f63cd65fc864c5c7
Size | 81KB
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Ransomware generally changes the extension on encrypted files.
Attempts to read the root path of hard drives other than the default C: drive.

MD5 | 7b125a148ce0e0c126b95395dbf02b0e
SHA1 | 778f954480ca76029109fd6bf34904bfb1109e84
SHA256 | 20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41
SHA512 | daaeb7e228a3d5c7717c58287539902e79215d9795dcb1459213f7d515392f53f16ac2f0d455e635e89addd321f4f68ccdad9f5af60f8f4d1759b7ddf5409cf9
Size | 78KB
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Ransomware generally changes the extension on encrypted files.
Attempts to read the root path of hard drives other than the default C: drive.

MD5 | 598c53bfef81e489375f09792e487f1a
SHA1 | 80a29bd2c349a8588edf42653ed739054f9a10f5
SHA256 | 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
SHA512 | 6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35
Size | 67KB
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
Ransomware generally changes the extension on encrypted files.
Attempts to read the root path of hard drives other than the default C: drive.

MD5 | f1c260c31b9d3f9ff54a142d508ec602
SHA1 | 6b25c80e8b2dca94ea6b6a95745a496ec0bcabd3
SHA256 | 2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c
SHA512 | 9412a185d008ded02e2061cd4e998222071923f6260ecdcc9a3f1969ea2aa89a9493866e13450d82b8ab390ec78b24d7ba82a6e2618d11cf27d67f43a7d39d6a
Size | 79KB
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Ransomware generally changes the extension on encrypted files.
Attempts to read the root path of hard drives other than the default C: drive.

MD5 | 5c66cd4f21254f83663819138e634dd9
SHA1 | 6626cae85970e6490b8b0bf9da9aa4b57a79bb62
SHA256 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c
SHA512 | 093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a
Size | 80KB
suricata: ET MALWARE BlackMatter CnC Activity
Ransomware generally changes the extension on encrypted files.
Attempts to read the root path of hard drives other than the default C: drive.

MD5 | a55bc3368a10ca5a92c1c9ecae97ced9
SHA1 | 72ed32b0e8692c7caa25d61e1828cdb48c4fe361
SHA256 | 2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009
SHA512 | da3187046c267b8053f0274de81665234dd07c1d06c61108878abccccb2f10bfe4bf7c53e0e4100ed76772b8b92bdd6c4953f19250f33be7dd9380ab3b63db3c
Size | 66KB
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
Ransomware generally changes the extension on encrypted files.
Attempts to read the root path of hard drives other than the default C: drive.

MD5 | 6e5986761cea340dce2efd4cf4f3790c
SHA1 | 4a8ca4b5c04112a753e9ff5989b80f0b12e13654
SHA256 | 2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd
SHA512 | 8df4406a8807978df8690cb578cd00f8d22c2ad5ff78b8d87806484adcde2eaa2901f1da100c31f1538da0503043c78cb3856d0592af2f094901d864956b83af
Size | 78KB
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Ransomware generally changes the extension on encrypted files.
Attempts to read the root path of hard drives other than the default C: drive.

MD5 | 18c7c940bc6a4e778fbdf4a3e28151a8
SHA1 | f3589918d71b87c7e764479b79c4a7b485cb746a
SHA256 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2
SHA512 | 6e808fe882640a517c2054fdece73059c7ea3e27a946e55f41b91fd0f757dcd8c76be8f381f60f3e45449edebaa4f620b903337727607f7768543b1acec40d18
Size | 79KB
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Ransomware generally changes the extension on encrypted files.
Attempts to read the root path of hard drives other than the default C: drive.

MD5 | b07ff2183904731e4905b1bc1e23d24e
SHA1 | 3fe14bbf67d25bfa3b9d06f5f1fc7812aa28a687
SHA256 | 3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117
SHA512 | e7774b76759952979bac48a5f1a24808d957181d5720393f16cfb6af054253a47fd63c9f068203eb2433ff768979c59043f9f4a52cf734f375583ddaba478c4d
Size | 31KB
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
Ransomware generally changes the extension on encrypted files.
Attempts to read the root path of hard drives other than the default C: drive.

MD5 | 35aaa2a2208956d1b8752954722ff76d
SHA1 | fccda267f03d8dcd815f662f0fdc1e18e9fd4be3
SHA256 | 3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40
SHA512 | 25cca12fd228932402aa4ee3f88f1d1db45ff8167aa4a260ecc1d1911f500c239a9d0465547974abfa3ed6f330a4654932df0fa820b8bcd9c9acfb99ccbcb1e3
Size | 79KB
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Ransomware generally changes the extension on encrypted files.
Attempts to read the root path of hard drives other than the default C: drive.

MD5 | ad260da314d2f8f3f1531cc5779cbba9
SHA1 | 30e15cf49a97e4560c96eed7e0c68ed9a8502023
SHA256 | 4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91
SHA512 | 3791b4058ee64bed388b10eeefd733ff45e10c4f374d5644cd4aa10eee6a3fac9bf31076be021acc5c46e8fe79f84048807aaf2c278a5e0e46d41eec00e5e723
Size | 64KB
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

MD5 | 62a70f74d6ac64829a8a31e306e9d41d
SHA1 | ec26b38a29549272cc5f0cf548e208030ff114b0
SHA256 | 4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b
SHA512 | 0bd94273735921ca43b2c12e1e9c1aba158c2f825621d1a3daa8bafecf652ea35f68bc12a748fe583429b698dc51ce4f39194129daf5521996d2d9faceb3a372
Size | 78KB
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Ransomware generally changes the extension on encrypted files.
Attempts to read the root path of hard drives other than the default C: drive.