Malware Config

Extracted

Family

blackmatter

Version

1.2

Botnet

512478c08dada2af19e49808fbda5b0b

Credentials

Protocol:

Host:

Port:

Username: aheisler@hhcp.com

Password: 120Heisler

Protocol:

Host:

Port:

Username: dsmith@hhcp.com

Password: Tesla2019

Protocol:

Host:

Port:

Username: administrator@hhcp.com

Password: iteam8**

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

14a875a2bd63041b2b3e5c323e8d5eee

Credentials

Protocol:

Host:

Port:

Username: it_lw@corp.group.local

Password: Voyager1701!!!

Protocol:

Host:

Port:

Username: it_ci@corp.group.local

Password: HereGoes321

Protocol:

Host:

Port:

Username: svc_netwrix@corp.group.local

Password: QApassw0rd

Protocol:

Host:

Port:

Username: it_pl@corp.group.local

Password: Aug21!!!

Protocol:

Host:

Port:

Username: IT_JJ2@corp.group.local

Password: Glasgow0315

Protocol:

Host:

Port:

Username: it_ng@corp.group.local

Password: Eleanor22

Protocol:

Host:

Port:

Username: it_jj@corp.group.local

Password: Glasgow0315

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.2

Botnet

bab21ee475b52c0c9eb47d23ec9ba1d1

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

b368c1ee6bca2086d8169628466c0d3b

Attributes
attempt_auth
false
create_mutex
false
encrypt_network_shares
true
exfiltrate
false
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

04bdf8557fa74ea0e3adbd2975efd274

C2

mepocs

memtas

veeam

svc$

backup

sql

vss

msexchange

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

5791ae39aeab40b5e8e33d8dce465877

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
false
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.9

Botnet

28cc82fd466e0d0976a6359f264775a8

C2

https://mojobiden.com

http://mojobiden.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

207aab0afc614ac68359fc63f9665961

C2

https://fluentzip.org

http://fluentzip.org

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

6bed8cf959f0a07170c24bb972efd726

Credentials

Protocol:

Host:

Port:

Username: Administrator@rpi

Password: P0w3rPl4g

Protocol:

Host:

Port:

Username: 2fatest@rpi

Password: poiu-0987

Protocol:

Host:

Port:

Username: 2fauser@rpi

Password: 1strongpassword!

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

e4aaffc36f5d5b7d597455eb6d497df5

Credentials

Protocol:

Host:

Port:

Username: pklages@spectrumfurniture.com

Password: BBis#1ec

Protocol:

Host:

Port:

Username: BackupExec@spectrumfurniture.com

Password: k8DbBSZYWWnr0QqrILoo

Protocol:

Host:

Port:

Username: admin@Northwoods.com

Password: Smokie@CF

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

b0e039b42ef6c19c2189651c9f6c390e

Credentials

Protocol:

Host:

Port:

Username: r.cabello@mflgroup.com

Password: Rubcabher96

Protocol:

Host:

Port:

Username: j.berenguel@mflgroup.com

Password: Alsa2003

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
false
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

24483508bccfe72e63b26a1233058170

C2

https://mojobiden.com

http://mojobiden.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d58b3b69acc48f82eaa82076f97763d4

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

64139b5d8a3f06921a9364c262989e1f

C2

https://mojobiden.com

http://mojobiden.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.6.0.2

Botnet

bab21ee475b52c0c9eb47d23ec9ba1d1

C2

http://paymenthacks.com

http://mojobiden.com

rsa_pubkey.plain
aes.plain

Extracted

Family

blackmatter

Version

1.6

Botnet

32bd08ad5e5e881aa2634621d611a1a5

Credentials

Protocol:

Host:

Port:

Username: TSMBKP@aiep.corp

Password: @iep.2013

C2

https://mojobiden.com

http://mojobiden.com

Attributes
attempt_auth
true
create_mutex
false
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

90a881ffa127b004cec6802588fce307

Credentials

Protocol:

Host:

Port:

Username: Administrator@adroot.newcoop.com

Password: Q7Q"

Protocol:

Host:

Port:

Username: bbanneker@soilmap.com

Password: !$(AYw94+PJ,rX

Protocol:

Host:

Port:

Username: jmiklo@@adroot.newcoop.com

Password: sanfran85

Protocol:

Host:

Port:

Username: da.rob@adroot.newcoop.com

Password: sanfran85

Protocol:

Host:

Port:

Username: da.jeff@adroot.newcoop.com

Password: sanfran85

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

3e8e2ab5fbb392508535983b7446ba17

C2

https://fluentzip.org

http://fluentzip.org

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.6

Botnet

0c6ca0532355a106258791f50b66c153

Attributes
attempt_auth
false
create_mutex
false
encrypt_network_shares
false
exfiltrate
false
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

09c87c28bed23dbe6ff5aa561d38766b

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
false
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

506d1d0f4ed51ecc3e9cf1839a4b21a7

Attributes
attempt_auth
false
create_mutex
false
encrypt_network_shares
true
exfiltrate
false
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

3.0

Botnet

4e591a315c54e8800dae714320555fa5

Credentials

Protocol:

Host:

Port:

Username: OFMO220@R5-CORE.R5.AIG.NET

Password: yhU6VJ$&

Protocol:

Host:

Port:

Username: OSYST93@R5-CORE.R5.AIG.NET

Password: RPo@ndf9

Protocol:

Host:

Port:

Username: OFMO225@R5-CORE.R5.AIG.NET

Password: DH5U87@rA0ELa2

C2

https://fluentzip.org

http://fluentzip.org

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d73c69209fbe768d5fa7ffbcad509c66

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

879194e26a0ed7cf50f13c681e711c82

Credentials

Protocol:

Host:

Port:

Username: _vpn@xnet.oe.olympus

Password: vpnvpn08

Protocol:

Host:

Port:

Username: adm_sprinx@xnet.oe.olympus

Password: Apr@123456

Protocol:

Host:

Port:

Username: dom_ecopysupport@xnet.oe.olympus

Password: Olympus$12345

Protocol:

Host:

Port:

Username: DOM_Jannick.Berghaeu@xnet.oe.olympus

Password: Olympus@12345

Protocol:

Host:

Port:

Username: ofr-tina@xnet.oe.olympus

Password: ofrt!n@

Protocol:

Host:

Port:

Username: svc_ciscoise@xnet.oe.olympus

Password: Is3@dmin

Protocol:

Host:

Port:

Username: adm_ArunachaNa@xnet.oe.olympus

Password: Sinchan@12345

Protocol:

Host:

Port:

Username: ascuser@xnet.oe.olympus

Password: HappyDays.12

Protocol:

Host:

Port:

Username: dom_admanager@xnet.oe.olympus

Password: Qwerasdzx123!@#

Protocol:

Host:

Port:

Username: dom_hasansy@xnet.oe.olympus

Password: Coro@12345

Protocol:

Host:

Port:

Username: Dom_HMarme@xnet.oe.olympus

Password: Ultimate06!

Protocol:

Host:

Port:

Username: dom_obuehring@xnet.oe.olympus

Password: Olympus@12345

Protocol:

Host:

Port:

Username: Dom_SadasivaPa@xnet.oe.olympus

Password: Zxcasd@123

Protocol:

Host:

Port:

Username: dom_Supportat@xnet.oe.olympus

Password: Qweasdzxc@12345

Protocol:

Host:

Port:

Username: ofi-backup@xnet.oe.olympus

Password: Helmi-2005

Protocol:

Host:

Port:

Username: SVC_AcrossEvent@xnet.oe.olympus

Password: Acr0$$@123

Protocol:

Host:

Port:

Username: svc_vCenterILMT@xnet.oe.olympus

Password: V1rtu@1c3!

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
false
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.6.0.4

Botnet

b0e039b42ef6c19c2189651c9f6c390e

C2

http://mojobiden.com

http://nowautomation.com

rsa_pubkey.plain
aes.plain

Extracted

Family

blackmatter

Version

2.0

Botnet

10d51524bc007aa845e77556cdcab174

Credentials

Protocol:

Host:

Port:

Username: itjmorrow@pbigordon.com

Password: tGv7R79N9rC@Y$RfLCkwb*byl*mxLv

Protocol:

Host:

Port:

Username: inetadmin@pbigordon.com

Password: V3D174taC8Zb0EIz^cysiARR&

Protocol:

Host:

Port:

Username: itmungerman@pbigordon.com

Password: YmedEwW&

Protocol:

Host:

Port:

Username: ithrutledge@pbigordon.com

Password: exiAClEU!wcrEi0R7szO087oH0h13B

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

6e46d36711d8be390c2b8121017ab146

C2

mepocs

memtas

veeam

svc$

backup

sql

vss

msexchange

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.2

Extracted

Family

blackmatter

Version

2.0

Botnet

5ecf7b9cde33f85a3eec9350275b5c4f

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d0e84579a05c8e92e95eee8f5d0000e5

Credentials

Protocol:

Host:

Port:

Username: Administrator@cat5.local

Password: Mouseman02

C2

https://fluentzip.org

http://fluentzip.org

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Targets

    • Target

      072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

    • Size

      34KB

    • MD5

      b06e2455a9c7c9485b85e9bdcceb8078

    • SHA1

      a63304592f422656d7abcb086915f9e799ad4641

    • SHA256

      072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

    • SHA512

      adc0501cbb19b53ecafa4522d5369f08e013df3c06dc068f3b1b6b823bca9dfa49a93d0fe1df5fb9ae026305f720cb8923bdbb9c5b7b98fb846670dd3e51fcf9

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4

    • Size

      79KB

    • MD5

      900b7b852674521b306bb03eb991b94a

    • SHA1

      ed5b159b94ed5977efc1f3e05490545d7cb6a93e

    • SHA256

      0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4

    • SHA512

      04db23845665c6152a965d8401502588d09f6a4d30f83797cd772c179db8e445463ec5988e381d3a83789d4f20cd0378631e90560040f44a4b0b6634f373a093

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c

    • Size

      66KB

    • MD5

      e1f8b95beb02cd39e55cd8b31419b10f

    • SHA1

      c544440a305f429926cd3cad2fac4a4cf0fb31ba

    • SHA256

      14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c

    • SHA512

      fb1f7838140de46c05ee4715aa206fc1dff0812658a843138daa7dd370bd5aa2f004ca603d768a1ac9f4c3895a937d3b700c6d302f9f0cbd0704dc4c6e723a08

    • Score

      3/10

    • Target

      1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849

    • Size

      79KB

    • MD5

      f019a40b28dd58603fa3c5194dae6cba

    • SHA1

      08e09a6ef7650f5e7d4bf3fa8850ac4ca762da7d

    • SHA256

      1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849

    • SHA512

      22fba76bbeb356ba97412938ab882768f831273251e25b1078c8a31d720dd14c73e8977054bf24cf40952f143635b205917cc905f371499cbbc639388c3df487

    • Score

      10/10

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil successor.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2

    • Size

      81KB

    • MD5

      5a8491587ab0f96ba141ae59365bc911

    • SHA1

      1ab2fac4f2dc92893a9f89fc6621f66bd47cb783

    • SHA256

      1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2

    • SHA512

      97e760f60e4db99983d05db69776058cf2f2c5ab98adea76000001a94a24f3b23feee4464baa23cf49dfa017e331c3b8b19c9da5b696f961f63cd65fc864c5c7

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

    • Size

      78KB

    • MD5

      7b125a148ce0e0c126b95395dbf02b0e

    • SHA1

      778f954480ca76029109fd6bf34904bfb1109e84

    • SHA256

      20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

    • SHA512

      daaeb7e228a3d5c7717c58287539902e79215d9795dcb1459213f7d515392f53f16ac2f0d455e635e89addd321f4f68ccdad9f5af60f8f4d1759b7ddf5409cf9

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

    • Size

      67KB

    • MD5

      598c53bfef81e489375f09792e487f1a

    • SHA1

      80a29bd2c349a8588edf42653ed739054f9a10f5

    • SHA256

      22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

    • SHA512

      6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c

    • Size

      79KB

    • MD5

      f1c260c31b9d3f9ff54a142d508ec602

    • SHA1

      6b25c80e8b2dca94ea6b6a95745a496ec0bcabd3

    • SHA256

      2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c

    • SHA512

      9412a185d008ded02e2061cd4e998222071923f6260ecdcc9a3f1969ea2aa89a9493866e13450d82b8ab390ec78b24d7ba82a6e2618d11cf27d67f43a7d39d6a

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

    • Size

      80KB

    • MD5

      5c66cd4f21254f83663819138e634dd9

    • SHA1

      6626cae85970e6490b8b0bf9da9aa4b57a79bb62

    • SHA256

      2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

    • SHA512

      093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

    • Size

      66KB

    • MD5

      a55bc3368a10ca5a92c1c9ecae97ced9

    • SHA1

      72ed32b0e8692c7caa25d61e1828cdb48c4fe361

    • SHA256

      2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

    • SHA512

      da3187046c267b8053f0274de81665234dd07c1d06c61108878abccccb2f10bfe4bf7c53e0e4100ed76772b8b92bdd6c4953f19250f33be7dd9380ab3b63db3c

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd

    • Size

      78KB

    • MD5

      6e5986761cea340dce2efd4cf4f3790c

    • SHA1

      4a8ca4b5c04112a753e9ff5989b80f0b12e13654

    • SHA256

      2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd

    • SHA512

      8df4406a8807978df8690cb578cd00f8d22c2ad5ff78b8d87806484adcde2eaa2901f1da100c31f1538da0503043c78cb3856d0592af2f094901d864956b83af

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

    • Size

      79KB

    • MD5

      18c7c940bc6a4e778fbdf4a3e28151a8

    • SHA1

      f3589918d71b87c7e764479b79c4a7b485cb746a

    • SHA256

      2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

    • SHA512

      6e808fe882640a517c2054fdece73059c7ea3e27a946e55f41b91fd0f757dcd8c76be8f381f60f3e45449edebaa4f620b903337727607f7768543b1acec40d18

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117

    • Size

      31KB

    • MD5

      b07ff2183904731e4905b1bc1e23d24e

    • SHA1

      3fe14bbf67d25bfa3b9d06f5f1fc7812aa28a687

    • SHA256

      3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117

    • SHA512

      e7774b76759952979bac48a5f1a24808d957181d5720393f16cfb6af054253a47fd63c9f068203eb2433ff768979c59043f9f4a52cf734f375583ddaba478c4d

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40

    • Size

      79KB

    • MD5

      35aaa2a2208956d1b8752954722ff76d

    • SHA1

      fccda267f03d8dcd815f662f0fdc1e18e9fd4be3

    • SHA256

      3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40

    • SHA512

      25cca12fd228932402aa4ee3f88f1d1db45ff8167aa4a260ecc1d1911f500c239a9d0465547974abfa3ed6f330a4654932df0fa820b8bcd9c9acfb99ccbcb1e3

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91

    • Size

      64KB

    • MD5

      ad260da314d2f8f3f1531cc5779cbba9

    • SHA1

      30e15cf49a97e4560c96eed7e0c68ed9a8502023

    • SHA256

      4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91

    • SHA512

      3791b4058ee64bed388b10eeefd733ff45e10c4f374d5644cd4aa10eee6a3fac9bf31076be021acc5c46e8fe79f84048807aaf2c278a5e0e46d41eec00e5e723

    • Score

      10/10

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Blocklisted process makes network request

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

    • Size

      78KB

    • MD5

      62a70f74d6ac64829a8a31e306e9d41d

    • SHA1

      ec26b38a29549272cc5f0cf548e208030ff114b0

    • SHA256

      4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

    • SHA512

      0bd94273735921ca43b2c12e1e9c1aba158c2f825621d1a3daa8bafecf652ea35f68bc12a748fe583429b698dc51ce4f39194129daf5521996d2d9faceb3a372

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation

Tasks