General

Malware Config

Extracted

Family

blackmatter

Version

1.2

Botnet

512478c08dada2af19e49808fbda5b0b

Credentials
  • Username:
    aheisler@hhcp.com
  • Password:
    120Heisler
  • Username:
    dsmith@hhcp.com
  • Password:
    Tesla2019
  • Username:
    administrator@hhcp.com
  • Password:
    iteam8**
C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

14a875a2bd63041b2b3e5c323e8d5eee

Credentials
  • Username:
    it_lw@corp.group.local
  • Password:
    Voyager1701!!!
  • Username:
    it_ci@corp.group.local
  • Password:
    HereGoes321
  • Username:
    svc_netwrix@corp.group.local
  • Password:
    QApassw0rd
  • Username:
    it_pl@corp.group.local
  • Password:
    Aug21!!!
  • Username:
    IT_JJ2@corp.group.local
  • Password:
    Glasgow0315
  • Username:
    it_ng@corp.group.local
  • Password:
    Eleanor22
  • Username:
    it_jj@corp.group.local
  • Password:
    Glasgow0315
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.2

Botnet

bab21ee475b52c0c9eb47d23ec9ba1d1

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

b368c1ee6bca2086d8169628466c0d3b

Attributes
  • attempt_auth

    false

  • create_mutex

    false

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

04bdf8557fa74ea0e3adbd2975efd274

C2

mepocs

memtas

veeam

svc$

backup

sql

vss

msexchange

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

5791ae39aeab40b5e8e33d8dce465877

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.9

Botnet

28cc82fd466e0d0976a6359f264775a8

C2

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

207aab0afc614ac68359fc63f9665961

C2

https://fluentzip.org

http://fluentzip.org

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

6bed8cf959f0a07170c24bb972efd726

Credentials
  • Username:
    Administrator@rpi
  • Password:
    P0w3rPl4g
  • Username:
    2fatest@rpi
  • Password:
    poiu-0987
  • Username:
    2fauser@rpi
  • Password:
    1strongpassword!
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

e4aaffc36f5d5b7d597455eb6d497df5

Credentials
  • Username:
    pklages@spectrumfurniture.com
  • Password:
    BBis#1ec
  • Username:
    BackupExec@spectrumfurniture.com
  • Password:
    k8DbBSZYWWnr0QqrILoo
  • Username:
    admin@Northwoods.com
  • Password:
    Smokie@CF
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

b0e039b42ef6c19c2189651c9f6c390e

Credentials
  • Username:
    r.cabello@mflgroup.com
  • Password:
    Rubcabher96
  • Username:
    j.berenguel@mflgroup.com
  • Password:
    Alsa2003
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

24483508bccfe72e63b26a1233058170

C2

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d58b3b69acc48f82eaa82076f97763d4

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

64139b5d8a3f06921a9364c262989e1f

C2

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.6.0.2

Botnet

bab21ee475b52c0c9eb47d23ec9ba1d1

C2

http://paymenthacks.com

http://mojobiden.com

rsa_pubkey.plain
aes.plain

Extracted

Family

blackmatter

Version

1.6

Botnet

32bd08ad5e5e881aa2634621d611a1a5

Credentials
  • Username:
    TSMBKP@aiep.corp
  • Password:
    @iep.2013
C2

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    true

  • create_mutex

    false

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

90a881ffa127b004cec6802588fce307

Credentials
  • Username:
    Administrator@adroot.newcoop.com
  • Password:
    Q7Q"
  • Username:
    bbanneker@soilmap.com
  • Password:
    !$(AYw94+PJ,rX
  • Username:
    jmiklo@@adroot.newcoop.com
  • Password:
    sanfran85
  • Username:
    da.rob@adroot.newcoop.com
  • Password:
    sanfran85
  • Username:
    da.jeff@adroot.newcoop.com
  • Password:
    sanfran85
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

3e8e2ab5fbb392508535983b7446ba17

C2

https://fluentzip.org

http://fluentzip.org

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.6

Botnet

0c6ca0532355a106258791f50b66c153

Attributes
  • attempt_auth

    false

  • create_mutex

    false

  • encrypt_network_shares

    false

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

09c87c28bed23dbe6ff5aa561d38766b

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

506d1d0f4ed51ecc3e9cf1839a4b21a7

Attributes
  • attempt_auth

    false

  • create_mutex

    false

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

3.0

Botnet

4e591a315c54e8800dae714320555fa5

Credentials
  • Username:
    OFMO220@R5-CORE.R5.AIG.NET
  • Password:
    yhU6VJ$&
  • Username:
    OSYST93@R5-CORE.R5.AIG.NET
  • Password:
    RPo@ndf9
  • Username:
    OFMO225@R5-CORE.R5.AIG.NET
  • Password:
    DH5U87@rA0ELa2
C2

https://fluentzip.org

http://fluentzip.org

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d73c69209fbe768d5fa7ffbcad509c66

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

879194e26a0ed7cf50f13c681e711c82

Credentials
  • Username:
    _vpn@xnet.oe.olympus
  • Password:
    vpnvpn08
  • Username:
    adm_sprinx@xnet.oe.olympus
  • Password:
    Apr@123456
  • Username:
    dom_ecopysupport@xnet.oe.olympus
  • Password:
    Olympus$12345
  • Username:
    DOM_Jannick.Berghaeu@xnet.oe.olympus
  • Password:
    Olympus@12345
  • Username:
    ofr-tina@xnet.oe.olympus
  • Password:
    ofrt!n@
  • Username:
    svc_ciscoise@xnet.oe.olympus
  • Password:
    Is3@dmin
  • Username:
    adm_ArunachaNa@xnet.oe.olympus
  • Password:
    Sinchan@12345
  • Username:
    ascuser@xnet.oe.olympus
  • Password:
    HappyDays.12
  • Username:
    dom_admanager@xnet.oe.olympus
  • Password:
    Qwerasdzx123!@#
  • Username:
    dom_hasansy@xnet.oe.olympus
  • Password:
    Coro@12345
  • Username:
    Dom_HMarme@xnet.oe.olympus
  • Password:
    Ultimate06!
  • Username:
    dom_obuehring@xnet.oe.olympus
  • Password:
    Olympus@12345
  • Username:
    Dom_SadasivaPa@xnet.oe.olympus
  • Password:
    Zxcasd@123
  • Username:
    dom_Supportat@xnet.oe.olympus
  • Password:
    Qweasdzxc@12345
  • Username:
    ofi-backup@xnet.oe.olympus
  • Password:
    Helmi-2005
  • Username:
    SVC_AcrossEvent@xnet.oe.olympus
  • Password:
    Acr0$$@123
  • Username:
    svc_vCenterILMT@xnet.oe.olympus
  • Password:
    V1rtu@1c3!
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.6.0.4

Botnet

b0e039b42ef6c19c2189651c9f6c390e

C2

http://mojobiden.com

http://nowautomation.com

rsa_pubkey.plain
aes.plain

Extracted

Family

blackmatter

Version

2.0

Botnet

10d51524bc007aa845e77556cdcab174

Credentials
  • Username:
    itjmorrow@pbigordon.com
  • Password:
    tGv7R79N9rC@Y$RfLCkwb*byl*mxLv
  • Username:
    inetadmin@pbigordon.com
  • Password:
    V3D174taC8Zb0EIz^cysiARR&
  • Username:
    itmungerman@pbigordon.com
  • Password:
    YmedEwW&
  • Username:
    ithrutledge@pbigordon.com
  • Password:
    exiAClEU!wcrEi0R7szO087oH0h13B
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

6e46d36711d8be390c2b8121017ab146

C2

mepocs

memtas

veeam

svc$

backup

sql

vss

msexchange

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.2

Extracted

Family

blackmatter

Version

2.0

Botnet

5ecf7b9cde33f85a3eec9350275b5c4f

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d0e84579a05c8e92e95eee8f5d0000e5

Credentials
  • Username:
    Administrator@cat5.local
  • Password:
    Mouseman02
C2

https://fluentzip.org

http://fluentzip.org

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Targets

    • Target

      072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

    • Size

      34KB

    • MD5

      b06e2455a9c7c9485b85e9bdcceb8078

    • SHA1

      a63304592f422656d7abcb086915f9e799ad4641

    • SHA256

      072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

    • SHA512

      adc0501cbb19b53ecafa4522d5369f08e013df3c06dc068f3b1b6b823bca9dfa49a93d0fe1df5fb9ae026305f720cb8923bdbb9c5b7b98fb846670dd3e51fcf9

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4

    • Size

      79KB

    • MD5

      900b7b852674521b306bb03eb991b94a

    • SHA1

      ed5b159b94ed5977efc1f3e05490545d7cb6a93e

    • SHA256

      0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4

    • SHA512

      04db23845665c6152a965d8401502588d09f6a4d30f83797cd772c179db8e445463ec5988e381d3a83789d4f20cd0378631e90560040f44a4b0b6634f373a093

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c

    • Size

      66KB

    • MD5

      e1f8b95beb02cd39e55cd8b31419b10f

    • SHA1

      c544440a305f429926cd3cad2fac4a4cf0fb31ba

    • SHA256

      14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c

    • SHA512

      fb1f7838140de46c05ee4715aa206fc1dff0812658a843138daa7dd370bd5aa2f004ca603d768a1ac9f4c3895a937d3b700c6d302f9f0cbd0704dc4c6e723a08

    Score
    3/10
    • Target

      1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849

    • Size

      79KB

    • MD5

      f019a40b28dd58603fa3c5194dae6cba

    • SHA1

      08e09a6ef7650f5e7d4bf3fa8850ac4ca762da7d

    • SHA256

      1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849

    • SHA512

      22fba76bbeb356ba97412938ab882768f831273251e25b1078c8a31d720dd14c73e8977054bf24cf40952f143635b205917cc905f371499cbbc639388c3df487

    Score
    10/10
    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2

    • Size

      81KB

    • MD5

      5a8491587ab0f96ba141ae59365bc911

    • SHA1

      1ab2fac4f2dc92893a9f89fc6621f66bd47cb783

    • SHA256

      1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2

    • SHA512

      97e760f60e4db99983d05db69776058cf2f2c5ab98adea76000001a94a24f3b23feee4464baa23cf49dfa017e331c3b8b19c9da5b696f961f63cd65fc864c5c7

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

    • Size

      78KB

    • MD5

      7b125a148ce0e0c126b95395dbf02b0e

    • SHA1

      778f954480ca76029109fd6bf34904bfb1109e84

    • SHA256

      20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

    • SHA512

      daaeb7e228a3d5c7717c58287539902e79215d9795dcb1459213f7d515392f53f16ac2f0d455e635e89addd321f4f68ccdad9f5af60f8f4d1759b7ddf5409cf9

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

    • Size

      67KB

    • MD5

      598c53bfef81e489375f09792e487f1a

    • SHA1

      80a29bd2c349a8588edf42653ed739054f9a10f5

    • SHA256

      22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

    • SHA512

      6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c

    • Size

      79KB

    • MD5

      f1c260c31b9d3f9ff54a142d508ec602

    • SHA1

      6b25c80e8b2dca94ea6b6a95745a496ec0bcabd3

    • SHA256

      2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c

    • SHA512

      9412a185d008ded02e2061cd4e998222071923f6260ecdcc9a3f1969ea2aa89a9493866e13450d82b8ab390ec78b24d7ba82a6e2618d11cf27d67f43a7d39d6a

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

    • Size

      80KB

    • MD5

      5c66cd4f21254f83663819138e634dd9

    • SHA1

      6626cae85970e6490b8b0bf9da9aa4b57a79bb62

    • SHA256

      2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

    • SHA512

      093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

    • Size

      66KB

    • MD5

      a55bc3368a10ca5a92c1c9ecae97ced9

    • SHA1

      72ed32b0e8692c7caa25d61e1828cdb48c4fe361

    • SHA256

      2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

    • SHA512

      da3187046c267b8053f0274de81665234dd07c1d06c61108878abccccb2f10bfe4bf7c53e0e4100ed76772b8b92bdd6c4953f19250f33be7dd9380ab3b63db3c

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd

    • Size

      78KB

    • MD5

      6e5986761cea340dce2efd4cf4f3790c

    • SHA1

      4a8ca4b5c04112a753e9ff5989b80f0b12e13654

    • SHA256

      2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd

    • SHA512

      8df4406a8807978df8690cb578cd00f8d22c2ad5ff78b8d87806484adcde2eaa2901f1da100c31f1538da0503043c78cb3856d0592af2f094901d864956b83af

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

    • Size

      79KB

    • MD5

      18c7c940bc6a4e778fbdf4a3e28151a8

    • SHA1

      f3589918d71b87c7e764479b79c4a7b485cb746a

    • SHA256

      2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

    • SHA512

      6e808fe882640a517c2054fdece73059c7ea3e27a946e55f41b91fd0f757dcd8c76be8f381f60f3e45449edebaa4f620b903337727607f7768543b1acec40d18

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117

    • Size

      31KB

    • MD5

      b07ff2183904731e4905b1bc1e23d24e

    • SHA1

      3fe14bbf67d25bfa3b9d06f5f1fc7812aa28a687

    • SHA256

      3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117

    • SHA512

      e7774b76759952979bac48a5f1a24808d957181d5720393f16cfb6af054253a47fd63c9f068203eb2433ff768979c59043f9f4a52cf734f375583ddaba478c4d

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40

    • Size

      79KB

    • MD5

      35aaa2a2208956d1b8752954722ff76d

    • SHA1

      fccda267f03d8dcd815f662f0fdc1e18e9fd4be3

    • SHA256

      3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40

    • SHA512

      25cca12fd228932402aa4ee3f88f1d1db45ff8167aa4a260ecc1d1911f500c239a9d0465547974abfa3ed6f330a4654932df0fa820b8bcd9c9acfb99ccbcb1e3

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91

    • Size

      64KB

    • MD5

      ad260da314d2f8f3f1531cc5779cbba9

    • SHA1

      30e15cf49a97e4560c96eed7e0c68ed9a8502023

    • SHA256

      4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91

    • SHA512

      3791b4058ee64bed388b10eeefd733ff45e10c4f374d5644cd4aa10eee6a3fac9bf31076be021acc5c46e8fe79f84048807aaf2c278a5e0e46d41eec00e5e723

    Score
    10/10
    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Blocklisted process makes network request

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

    • Size

      78KB

    • MD5

      62a70f74d6ac64829a8a31e306e9d41d

    • SHA1

      ec26b38a29549272cc5f0cf548e208030ff114b0

    • SHA256

      4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

    • SHA512

      0bd94273735921ca43b2c12e1e9c1aba158c2f825621d1a3daa8bafecf652ea35f68bc12a748fe583429b698dc51ce4f39194129daf5521996d2d9faceb3a372

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                       Count   ID
Defense Evasion    Modify Registry                 14      T1112
Discovery          Query Registry                  14      T1012
Discovery          Peripheral Device Discovery     14      T1120
Discovery          System Information Discovery    20      T1082
Impact             Defacement                      14      T1491

Tasks

static1

Score
10/10

behavioral1

blackmatter ransomware suricata
Score
10/10

behavioral2

blackmatter ransomware suricata
Score
10/10

behavioral3

blackmatter ransomware suricata
Score
10/10

behavioral4

blackmatter ransomware suricata
Score
10/10

behavioral5

Score
3/10

behavioral6

Score
3/10

behavioral7

blackmatter ransomware
Score
10/10

behavioral8

blackmatter ransomware
Score
10/10

behavioral9

blackmatter ransomware suricata
Score
10/10

behavioral10

blackmatter ransomware suricata
Score
10/10

behavioral11

blackmatter ransomware suricata
Score
10/10

behavioral12

blackmatter ransomware suricata
Score
10/10

behavioral13

blackmatter ransomware suricata
Score
10/10

behavioral14

blackmatter ransomware suricata
Score
10/10

behavioral15

blackmatter ransomware suricata
Score
10/10

behavioral16

blackmatter ransomware suricata
Score
10/10

behavioral17

blackmatter ransomware suricata
Score
10/10

behavioral18

blackmatter ransomware suricata
Score
10/10

behavioral19

blackmatter ransomware suricata
Score
10/10

behavioral20

blackmatter ransomware suricata
Score
10/10

behavioral21

blackmatter ransomware suricata
Score
10/10

behavioral22

blackmatter ransomware suricata
Score
10/10

behavioral23

blackmatter ransomware suricata
Score
10/10

behavioral24

blackmatter ransomware suricata
Score
10/10

behavioral25

blackmatter ransomware suricata
Score
10/10

behavioral26

blackmatter ransomware suricata
Score
10/10

behavioral27

blackmatter ransomware suricata
Score
10/10

behavioral28

blackmatter ransomware suricata
Score
10/10

behavioral29

suricata
Score
10/10

behavioral30

suricata
Score
10/10

behavioral31

blackmatter ransomware suricata
Score
10/10

behavioral32

blackmatter ransomware suricata
Score
10/10