Overview
overview
10Static
static
10072158f558...86.exe
windows7_x64
10072158f558...86.exe
windows10_x64
100751c42296...a4.exe
windows7_x64
100751c42296...a4.exe
windows10_x64
1014a3e308c9...5c.exe
windows7_x64
314a3e308c9...5c.exe
windows10_x64
31c63a4fdee...49.exe
windows7_x64
101c63a4fdee...49.exe
windows10_x64
101eea3cbd72...c2.exe
windows7_x64
101eea3cbd72...c2.exe
windows10_x64
1020742987e6...41.exe
windows7_x64
1020742987e6...41.exe
windows10_x64
1022d7d67c3a...d6.exe
windows7_x64
1022d7d67c3a...d6.exe
windows10_x64
102466fca0e2...4c.exe
windows7_x64
102466fca0e2...4c.exe
windows10_x64
102aad85dbd4...7c.exe
windows7_x64
102aad85dbd4...7c.exe
windows10_x64
102c323453e9...09.exe
windows7_x64
102c323453e9...09.exe
windows10_x64
102cdb5edf30...fd.exe
windows7_x64
102cdb5edf30...fd.exe
windows10_x64
102e50eb85f6...b2.exe
windows7_x64
102e50eb85f6...b2.exe
windows10_x64
103a03530c73...17.exe
windows7_x64
103a03530c73...17.exe
windows10_x64
103a4bd5288b...40.exe
windows7_x64
103a4bd5288b...40.exe
windows10_x64
104ad9432cc8...91.dll
windows7_x64
104ad9432cc8...91.dll
windows10_x64
104be85e2083...2b.exe
windows7_x64
104be85e2083...2b.exe
windows10_x64
10General
-
Target
blackmatter.zip
-
Size
10.8MB
-
Sample
211122-qgyt8afeem
-
MD5
e1f207575fc9231e6ab7dbe2a7f55d5b
-
SHA1
3f701a77482c54c811c661dc21520e166769c511
-
SHA256
bf9511517f610387d714553bed6ff59d55c21cd0aa18ae00714585e699a332a3
-
SHA512
5a8717cfe195056d89f40d4be7b2c9a4bb85df763667a342545855366f58b7f5d627f6ed44ed380fdcf7440f569ff4f4f8a129ee41da0673bcba2b5570fe8c56
Static task
static1
Behavioral task
behavioral1
Sample
072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486.exe
Resource
win10-en-20211104
Behavioral task
behavioral3
Sample
0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Resource
win7-en-20211014
Behavioral task
behavioral4
Sample
0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Resource
win10-en-20211104
Behavioral task
behavioral5
Sample
14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c.exe
Resource
win7-en-20211014
Behavioral task
behavioral6
Sample
14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c.exe
Resource
win10-en-20211104
Behavioral task
behavioral7
Sample
1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849.exe
Resource
win7-en-20211014
Behavioral task
behavioral8
Sample
1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849.exe
Resource
win10-en-20211104
Behavioral task
behavioral9
Sample
1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.exe
Resource
win7-en-20211104
Behavioral task
behavioral10
Sample
1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.exe
Resource
win10-en-20211014
Behavioral task
behavioral11
Sample
20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41.exe
Resource
win7-en-20211104
Behavioral task
behavioral12
Sample
20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41.exe
Resource
win10-en-20211014
Behavioral task
behavioral13
Sample
22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
Resource
win7-en-20211104
Behavioral task
behavioral14
Sample
22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe
Resource
win10-en-20211104
Behavioral task
behavioral15
Sample
2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe
Resource
win7-en-20211014
Behavioral task
behavioral16
Sample
2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe
Resource
win10-en-20211104
Behavioral task
behavioral17
Sample
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Resource
win7-en-20211014
Behavioral task
behavioral18
Sample
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Resource
win10-en-20211104
Behavioral task
behavioral19
Sample
2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009.exe
Resource
win7-en-20211014
Behavioral task
behavioral20
Sample
2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009.exe
Resource
win10-en-20211104
Behavioral task
behavioral21
Sample
2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd.exe
Resource
win7-en-20211104
Behavioral task
behavioral22
Sample
2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd.exe
Resource
win10-en-20211014
Behavioral task
behavioral23
Sample
2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.exe
Resource
win7-en-20211104
Behavioral task
behavioral24
Sample
2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.exe
Resource
win10-en-20211014
Behavioral task
behavioral25
Sample
3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117.exe
Resource
win7-en-20211104
Behavioral task
behavioral26
Sample
3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117.exe
Resource
win10-en-20211014
Behavioral task
behavioral27
Sample
3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40.exe
Resource
win7-en-20211104
Behavioral task
behavioral28
Sample
3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40.exe
Resource
win10-en-20211014
Behavioral task
behavioral29
Sample
4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91.dll
Resource
win7-en-20211104
Behavioral task
behavioral30
Sample
4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91.dll
Resource
win10-en-20211104
Behavioral task
behavioral31
Sample
4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b.exe
Resource
win7-en-20211014
Behavioral task
behavioral32
Sample
4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b.exe
Resource
win10-en-20211104
Malware Config
Extracted
blackmatter
1.2
512478c08dada2af19e49808fbda5b0b
- Username:
[email protected] - Password:
120Heisler
- Username:
[email protected] - Password:
Tesla2019
- Username:
[email protected] - Password:
iteam8**
https://paymenthacks.com
http://paymenthacks.com
https://mojobiden.com
http://mojobiden.com
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
2.0
14a875a2bd63041b2b3e5c323e8d5eee
- Username:
[email protected] - Password:
Voyager1701!!!
- Username:
[email protected] - Password:
HereGoes321
- Username:
[email protected] - Password:
QApassw0rd
- Username:
[email protected] - Password:
Aug21!!!
- Username:
[email protected] - Password:
Glasgow0315
- Username:
[email protected] - Password:
Eleanor22
- Username:
[email protected] - Password:
Glasgow0315
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
1.2
bab21ee475b52c0c9eb47d23ec9ba1d1
https://paymenthacks.com
http://paymenthacks.com
https://mojobiden.com
http://mojobiden.com
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
2.0
b368c1ee6bca2086d8169628466c0d3b
-
attempt_auth
false
-
create_mutex
false
-
encrypt_network_shares
true
-
exfiltrate
false
-
mount_volumes
true
Extracted
blackmatter
2.0
04bdf8557fa74ea0e3adbd2975efd274
mepocs
memtas
veeam
svc$
backup
sql
vss
msexchange
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
2.0
5791ae39aeab40b5e8e33d8dce465877
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
false
-
mount_volumes
true
Extracted
blackmatter
1.9
28cc82fd466e0d0976a6359f264775a8
https://mojobiden.com
http://mojobiden.com
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
2.0
207aab0afc614ac68359fc63f9665961
https://fluentzip.org
http://fluentzip.org
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
2.0
6bed8cf959f0a07170c24bb972efd726
- Username:
Administrator@rpi - Password:
P0w3rPl4g
- Username:
2fatest@rpi - Password:
poiu-0987
- Username:
2fauser@rpi - Password:
1strongpassword!
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
2.0
e4aaffc36f5d5b7d597455eb6d497df5
- Username:
[email protected] - Password:
BBis#1ec
- Username:
[email protected] - Password:
k8DbBSZYWWnr0QqrILoo
- Username:
[email protected] - Password:
Smokie@CF
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
2.0
b0e039b42ef6c19c2189651c9f6c390e
- Username:
[email protected] - Password:
Rubcabher96
- Username:
[email protected] - Password:
Alsa2003
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
false
-
mount_volumes
true
Extracted
blackmatter
2.0
24483508bccfe72e63b26a1233058170
https://mojobiden.com
http://mojobiden.com
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
2.0
d58b3b69acc48f82eaa82076f97763d4
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
2.0
64139b5d8a3f06921a9364c262989e1f
https://mojobiden.com
http://mojobiden.com
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
1.6.0.2
bab21ee475b52c0c9eb47d23ec9ba1d1
http://paymenthacks.com
http://mojobiden.com
Extracted
blackmatter
1.6
32bd08ad5e5e881aa2634621d611a1a5
- Username:
[email protected] - Password:
@iep.2013
https://mojobiden.com
http://mojobiden.com
-
attempt_auth
true
-
create_mutex
false
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
2.0
90a881ffa127b004cec6802588fce307
- Username:
[email protected] - Password:
Q7Q"
- Username:
[email protected] - Password:
!$(AYw94+PJ,rX
- Username:
jmiklo@@adroot.newcoop.com - Password:
sanfran85
- Username:
[email protected] - Password:
sanfran85
- Username:
[email protected] - Password:
sanfran85
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
2.0
3e8e2ab5fbb392508535983b7446ba17
https://fluentzip.org
http://fluentzip.org
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
1.6
0c6ca0532355a106258791f50b66c153
-
attempt_auth
false
-
create_mutex
false
-
encrypt_network_shares
false
-
exfiltrate
false
-
mount_volumes
true
Extracted
blackmatter
2.0
09c87c28bed23dbe6ff5aa561d38766b
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
false
-
mount_volumes
true
Extracted
blackmatter
2.0
506d1d0f4ed51ecc3e9cf1839a4b21a7
-
attempt_auth
false
-
create_mutex
false
-
encrypt_network_shares
true
-
exfiltrate
false
-
mount_volumes
true
Extracted
blackmatter
3.0
4e591a315c54e8800dae714320555fa5
- Username:
[email protected] - Password:
yhU6VJ$&
- Username:
[email protected] - Password:
RPo@ndf9
- Username:
[email protected] - Password:
DH5U87@rA0ELa2
https://fluentzip.org
http://fluentzip.org
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
2.0
d73c69209fbe768d5fa7ffbcad509c66
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
2.0
879194e26a0ed7cf50f13c681e711c82
- Username:
[email protected] - Password:
vpnvpn08
- Username:
[email protected] - Password:
Apr@123456
- Username:
[email protected] - Password:
Olympus$12345
- Username:
[email protected] - Password:
Olympus@12345
- Username:
[email protected] - Password:
ofrt!n@
- Username:
[email protected] - Password:
Is3@dmin
- Username:
[email protected] - Password:
Sinchan@12345
- Username:
[email protected] - Password:
HappyDays.12
- Username:
[email protected] - Password:
Qwerasdzx123!@#
- Username:
[email protected] - Password:
Coro@12345
- Username:
[email protected] - Password:
Ultimate06!
- Username:
[email protected] - Password:
Olympus@12345
- Username:
[email protected] - Password:
Zxcasd@123
- Username:
[email protected] - Password:
Qweasdzxc@12345
- Username:
[email protected] - Password:
Helmi-2005
- Username:
[email protected] - Password:
Acr0$$@123
- Username:
[email protected] - Password:
V1rtu@1c3!
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
false
-
mount_volumes
true
Extracted
blackmatter
1.6.0.4
b0e039b42ef6c19c2189651c9f6c390e
http://mojobiden.com
http://nowautomation.com
Extracted
blackmatter
2.0
10d51524bc007aa845e77556cdcab174
- Username:
[email protected] - Password:
tGv7R79N9rC@Y$RfLCkwb*byl*mxLv
- Username:
[email protected] - Password:
V3D174taC8Zb0EIz^cysiARR&
- Username:
[email protected] - Password:
YmedEwW&
- Username:
[email protected] - Password:
exiAClEU!wcrEi0R7szO087oH0h13B
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
2.0
6e46d36711d8be390c2b8121017ab146
mepocs
memtas
veeam
svc$
backup
sql
vss
msexchange
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
1.2
Extracted
blackmatter
2.0
5ecf7b9cde33f85a3eec9350275b5c4f
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
2.0
d0e84579a05c8e92e95eee8f5d0000e5
- Username:
[email protected] - Password:
Mouseman02
https://fluentzip.org
http://fluentzip.org
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Targets
-
-
Target
072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486
-
Size
34KB
-
MD5
b06e2455a9c7c9485b85e9bdcceb8078
-
SHA1
a63304592f422656d7abcb086915f9e799ad4641
-
SHA256
072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486
-
SHA512
adc0501cbb19b53ecafa4522d5369f08e013df3c06dc068f3b1b6b823bca9dfa49a93d0fe1df5fb9ae026305f720cb8923bdbb9c5b7b98fb846670dd3e51fcf9
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4
-
Size
79KB
-
MD5
900b7b852674521b306bb03eb991b94a
-
SHA1
ed5b159b94ed5977efc1f3e05490545d7cb6a93e
-
SHA256
0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4
-
SHA512
04db23845665c6152a965d8401502588d09f6a4d30f83797cd772c179db8e445463ec5988e381d3a83789d4f20cd0378631e90560040f44a4b0b6634f373a093
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c
-
Size
66KB
-
MD5
e1f8b95beb02cd39e55cd8b31419b10f
-
SHA1
c544440a305f429926cd3cad2fac4a4cf0fb31ba
-
SHA256
14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c
-
SHA512
fb1f7838140de46c05ee4715aa206fc1dff0812658a843138daa7dd370bd5aa2f004ca603d768a1ac9f4c3895a937d3b700c6d302f9f0cbd0704dc4c6e723a08
Score3/10 -
-
-
Target
1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849
-
Size
79KB
-
MD5
f019a40b28dd58603fa3c5194dae6cba
-
SHA1
08e09a6ef7650f5e7d4bf3fa8850ac4ca762da7d
-
SHA256
1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849
-
SHA512
22fba76bbeb356ba97412938ab882768f831273251e25b1078c8a31d720dd14c73e8977054bf24cf40952f143635b205917cc905f371499cbbc639388c3df487
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2
-
Size
81KB
-
MD5
5a8491587ab0f96ba141ae59365bc911
-
SHA1
1ab2fac4f2dc92893a9f89fc6621f66bd47cb783
-
SHA256
1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2
-
SHA512
97e760f60e4db99983d05db69776058cf2f2c5ab98adea76000001a94a24f3b23feee4464baa23cf49dfa017e331c3b8b19c9da5b696f961f63cd65fc864c5c7
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41
-
Size
78KB
-
MD5
7b125a148ce0e0c126b95395dbf02b0e
-
SHA1
778f954480ca76029109fd6bf34904bfb1109e84
-
SHA256
20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41
-
SHA512
daaeb7e228a3d5c7717c58287539902e79215d9795dcb1459213f7d515392f53f16ac2f0d455e635e89addd321f4f68ccdad9f5af60f8f4d1759b7ddf5409cf9
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
-
Size
67KB
-
MD5
598c53bfef81e489375f09792e487f1a
-
SHA1
80a29bd2c349a8588edf42653ed739054f9a10f5
-
SHA256
22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
-
SHA512
6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c
-
Size
79KB
-
MD5
f1c260c31b9d3f9ff54a142d508ec602
-
SHA1
6b25c80e8b2dca94ea6b6a95745a496ec0bcabd3
-
SHA256
2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c
-
SHA512
9412a185d008ded02e2061cd4e998222071923f6260ecdcc9a3f1969ea2aa89a9493866e13450d82b8ab390ec78b24d7ba82a6e2618d11cf27d67f43a7d39d6a
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c
-
Size
80KB
-
MD5
5c66cd4f21254f83663819138e634dd9
-
SHA1
6626cae85970e6490b8b0bf9da9aa4b57a79bb62
-
SHA256
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c
-
SHA512
093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009
-
Size
66KB
-
MD5
a55bc3368a10ca5a92c1c9ecae97ced9
-
SHA1
72ed32b0e8692c7caa25d61e1828cdb48c4fe361
-
SHA256
2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009
-
SHA512
da3187046c267b8053f0274de81665234dd07c1d06c61108878abccccb2f10bfe4bf7c53e0e4100ed76772b8b92bdd6c4953f19250f33be7dd9380ab3b63db3c
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd
-
Size
78KB
-
MD5
6e5986761cea340dce2efd4cf4f3790c
-
SHA1
4a8ca4b5c04112a753e9ff5989b80f0b12e13654
-
SHA256
2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd
-
SHA512
8df4406a8807978df8690cb578cd00f8d22c2ad5ff78b8d87806484adcde2eaa2901f1da100c31f1538da0503043c78cb3856d0592af2f094901d864956b83af
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2
-
Size
79KB
-
MD5
18c7c940bc6a4e778fbdf4a3e28151a8
-
SHA1
f3589918d71b87c7e764479b79c4a7b485cb746a
-
SHA256
2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2
-
SHA512
6e808fe882640a517c2054fdece73059c7ea3e27a946e55f41b91fd0f757dcd8c76be8f381f60f3e45449edebaa4f620b903337727607f7768543b1acec40d18
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117
-
Size
31KB
-
MD5
b07ff2183904731e4905b1bc1e23d24e
-
SHA1
3fe14bbf67d25bfa3b9d06f5f1fc7812aa28a687
-
SHA256
3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117
-
SHA512
e7774b76759952979bac48a5f1a24808d957181d5720393f16cfb6af054253a47fd63c9f068203eb2433ff768979c59043f9f4a52cf734f375583ddaba478c4d
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40
-
Size
79KB
-
MD5
35aaa2a2208956d1b8752954722ff76d
-
SHA1
fccda267f03d8dcd815f662f0fdc1e18e9fd4be3
-
SHA256
3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40
-
SHA512
25cca12fd228932402aa4ee3f88f1d1db45ff8167aa4a260ecc1d1911f500c239a9d0465547974abfa3ed6f330a4654932df0fa820b8bcd9c9acfb99ccbcb1e3
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91
-
Size
64KB
-
MD5
ad260da314d2f8f3f1531cc5779cbba9
-
SHA1
30e15cf49a97e4560c96eed7e0c68ed9a8502023
-
SHA256
4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91
-
SHA512
3791b4058ee64bed388b10eeefd733ff45e10c4f374d5644cd4aa10eee6a3fac9bf31076be021acc5c46e8fe79f84048807aaf2c278a5e0e46d41eec00e5e723
Score10/10-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
-
Blocklisted process makes network request
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b
-
Size
78KB
-
MD5
62a70f74d6ac64829a8a31e306e9d41d
-
SHA1
ec26b38a29549272cc5f0cf548e208030ff114b0
-
SHA256
4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b
-
SHA512
0bd94273735921ca43b2c12e1e9c1aba158c2f825621d1a3daa8bafecf652ea35f68bc12a748fe583429b698dc51ce4f39194129daf5521996d2d9faceb3a372
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-