Overview

overview

10

Static

static

10

072158f558...86.exe

windows7_x64

10

072158f558...86.exe

windows10_x64

10

0751c42296...a4.exe

windows7_x64

10

0751c42296...a4.exe

windows10_x64

10

14a3e308c9...5c.exe

windows7_x64

3

14a3e308c9...5c.exe

windows10_x64

3

1c63a4fdee...49.exe

windows7_x64

10

1c63a4fdee...49.exe

windows10_x64

10

1eea3cbd72...c2.exe

windows7_x64

10

1eea3cbd72...c2.exe

windows10_x64

10

20742987e6...41.exe

windows7_x64

10

20742987e6...41.exe

windows10_x64

10

22d7d67c3a...d6.exe

windows7_x64

10

22d7d67c3a...d6.exe

windows10_x64

10

2466fca0e2...4c.exe

windows7_x64

10

2466fca0e2...4c.exe

windows10_x64

10

2aad85dbd4...7c.exe

windows7_x64

10

2aad85dbd4...7c.exe

windows10_x64

10

2c323453e9...09.exe

windows7_x64

10

2c323453e9...09.exe

windows10_x64

10

2cdb5edf30...fd.exe

windows7_x64

10

2cdb5edf30...fd.exe

windows10_x64

10

2e50eb85f6...b2.exe

windows7_x64

10

2e50eb85f6...b2.exe

windows10_x64

10

3a03530c73...17.exe

windows7_x64

10

3a03530c73...17.exe

windows10_x64

10

3a4bd5288b...40.exe

windows7_x64

10

3a4bd5288b...40.exe

windows10_x64

10

4ad9432cc8...91.dll

windows7_x64

10

4ad9432cc8...91.dll

windows10_x64

10

4be85e2083...2b.exe

windows7_x64

10

4be85e2083...2b.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    blackmatter.zip

  • Size

    10MB

  • Sample

    211122-qgyt8afeem

  • MD5

    e1f207575fc9231e6ab7dbe2a7f55d5b

  • SHA1

    3f701a77482c54c811c661dc21520e166769c511

  • SHA256

    bf9511517f610387d714553bed6ff59d55c21cd0aa18ae00714585e699a332a3

  • SHA512

    5a8717cfe195056d89f40d4be7b2c9a4bb85df763667a342545855366f58b7f5d627f6ed44ed380fdcf7440f569ff4f4f8a129ee41da0673bcba2b5570fe8c56

Score
10/10
blackmatter04bdf8557fa74ea0e3adbd2975efd27409c87c28bed23dbe6ff5aa561d38766b0c6ca0532355a106258791f50b66c15310d51524bc007aa845e77556cdcab17414a875a2bd63041b2b3e5c323e8d5eee207aab0afc614ac68359fc63f966596124483508bccfe72e63b26a123305817028cc82fd466e0d0976a6359f264775a832bd08ad5e5e881aa2634621d611a1a53e8e2ab5fbb392508535983b7446ba174e591a315c54e8800dae714320555fa5506d1d0f4ed51ecc3e9cf1839a4b21a7512478c08dada2af19e49808fbda5b0b5791ae39aeab40b5e8e33d8dce4658775ecf7b9cde33f85a3eec9350275b5c4f64139b5d8a3f06921a9364c262989e1f6bed8cf959f0a07170c24bb972efd7266e46d36711d8be390c2b8121017ab146879194e26a0ed7cf50f13c681e711c8290a881ffa127b004cec6802588fce307b0e039b42ef6c19c2189651c9f6c390eb368c1ee6bca2086d8169628466c0d3bbab21ee475b52c0c9eb47d23ec9ba1d1d0e84579a05c8e92e95eee8f5d0000e5d58b3b69acc48f82eaa82076f97763d4d73c69209fbe768d5fa7ffbcad509c66e4aaffc36f5d5b7d597455eb6d497df5ransomwaresuricataupxvmprotect

Malware Config

Extracted

Family

blackmatter

Version

1.2

Botnet

512478c08dada2af19e49808fbda5b0b

Credentials
  • Username:
    aheisler@hhcp.com
  • Password:
    120Heisler
  • Username:
    dsmith@hhcp.com
  • Password:
    Tesla2019
  • Username:
    administrator@hhcp.com
  • Password:
    iteam8**
C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

14a875a2bd63041b2b3e5c323e8d5eee

Credentials
  • Username:
    it_lw@corp.group.local
  • Password:
    Voyager1701!!!
  • Username:
    it_ci@corp.group.local
  • Password:
    HereGoes321
  • Username:
    svc_netwrix@corp.group.local
  • Password:
    QApassw0rd
  • Username:
    it_pl@corp.group.local
  • Password:
    Aug21!!!
  • Username:
    IT_JJ2@corp.group.local
  • Password:
    Glasgow0315
  • Username:
    it_ng@corp.group.local
  • Password:
    Eleanor22
  • Username:
    it_jj@corp.group.local
  • Password:
    Glasgow0315
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.2

Botnet

bab21ee475b52c0c9eb47d23ec9ba1d1

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com
Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

b368c1ee6bca2086d8169628466c0d3b

Attributes
  • attempt_auth

    false

  • create_mutex

    false

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

04bdf8557fa74ea0e3adbd2975efd274

C2

mepocs

memtas

veeam

svc$

backup

sql

vss

msexchange
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

5791ae39aeab40b5e8e33d8dce465877

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.9

Botnet

28cc82fd466e0d0976a6359f264775a8

C2

https://mojobiden.com

http://mojobiden.com
Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

207aab0afc614ac68359fc63f9665961

C2

https://fluentzip.org

http://fluentzip.org
Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

6bed8cf959f0a07170c24bb972efd726

Credentials
  • Username:
    Administrator@rpi
  • Password:
    P0w3rPl4g
  • Username:
    2fatest@rpi
  • Password:
    poiu-0987
  • Username:
    2fauser@rpi
  • Password:
    1strongpassword!
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

e4aaffc36f5d5b7d597455eb6d497df5

Credentials
  • Username:
    pklages@spectrumfurniture.com
  • Password:
    BBis#1ec
  • Username:
    BackupExec@spectrumfurniture.com
  • Password:
    k8DbBSZYWWnr0QqrILoo
  • Username:
    admin@Northwoods.com
  • Password:
    Smokie@CF
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

b0e039b42ef6c19c2189651c9f6c390e

Credentials
  • Username:
    r.cabello@mflgroup.com
  • Password:
    Rubcabher96
  • Username:
    j.berenguel@mflgroup.com
  • Password:
    Alsa2003
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

24483508bccfe72e63b26a1233058170

C2

https://mojobiden.com

http://mojobiden.com
Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d58b3b69acc48f82eaa82076f97763d4

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com
Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

64139b5d8a3f06921a9364c262989e1f

C2

https://mojobiden.com

http://mojobiden.com
Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.6.0.2

Botnet

bab21ee475b52c0c9eb47d23ec9ba1d1

C2

http://paymenthacks.com

http://mojobiden.com
rsa_pubkey.plain
aes.plain

Extracted

Family

blackmatter

Version

1.6

Botnet

32bd08ad5e5e881aa2634621d611a1a5

Credentials
  • Username:
    TSMBKP@aiep.corp
  • Password:
    @iep.2013
C2

https://mojobiden.com

http://mojobiden.com
Attributes
  • attempt_auth

    true

  • create_mutex

    false

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

90a881ffa127b004cec6802588fce307

Credentials
  • Username:
    Administrator@adroot.newcoop.com
  • Password:
    Q7Q&quot
  • Username:
    bbanneker@soilmap.com
  • Password:
    !$(AYw94+PJ,rX
  • Username:
    jmiklo@@adroot.newcoop.com
  • Password:
    sanfran85
  • Username:
    da.rob@adroot.newcoop.com
  • Password:
    sanfran85
  • Username:
    da.jeff@adroot.newcoop.com
  • Password:
    sanfran85
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

3e8e2ab5fbb392508535983b7446ba17

C2

https://fluentzip.org

http://fluentzip.org
Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.6

Botnet

0c6ca0532355a106258791f50b66c153

Attributes
  • attempt_auth

    false

  • create_mutex

    false

  • encrypt_network_shares

    false

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

09c87c28bed23dbe6ff5aa561d38766b

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

506d1d0f4ed51ecc3e9cf1839a4b21a7

Attributes
  • attempt_auth

    false

  • create_mutex

    false

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

3.0

Botnet

4e591a315c54e8800dae714320555fa5

Credentials
  • Username:
    OFMO220@R5-CORE.R5.AIG.NET
  • Password:
    yhU6VJ$&amp
  • Username:
    OSYST93@R5-CORE.R5.AIG.NET
  • Password:
    RPo@ndf9
  • Username:
    OFMO225@R5-CORE.R5.AIG.NET
  • Password:
    DH5U87@rA0ELa2
C2

https://fluentzip.org

http://fluentzip.org
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d73c69209fbe768d5fa7ffbcad509c66

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com
Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

879194e26a0ed7cf50f13c681e711c82

Credentials
  • Username:
    _vpn@xnet.oe.olympus
  • Password:
    vpnvpn08
  • Username:
    adm_sprinx@xnet.oe.olympus
  • Password:
    Apr@123456
  • Username:
    dom_ecopysupport@xnet.oe.olympus
  • Password:
    Olympus$12345
  • Username:
    DOM_Jannick.Berghaeu@xnet.oe.olympus
  • Password:
    Olympus@12345
  • Username:
    ofr-tina@xnet.oe.olympus
  • Password:
    ofrt!n@
  • Username:
    svc_ciscoise@xnet.oe.olympus
  • Password:
    Is3@dmin
  • Username:
    adm_ArunachaNa@xnet.oe.olympus
  • Password:
    Sinchan@12345
  • Username:
    ascuser@xnet.oe.olympus
  • Password:
    HappyDays.12
  • Username:
    dom_admanager@xnet.oe.olympus
  • Password:
    Qwerasdzx123!@#
  • Username:
    dom_hasansy@xnet.oe.olympus
  • Password:
    Coro@12345
  • Username:
    Dom_HMarme@xnet.oe.olympus
  • Password:
    Ultimate06!
  • Username:
    dom_obuehring@xnet.oe.olympus
  • Password:
    Olympus@12345
  • Username:
    Dom_SadasivaPa@xnet.oe.olympus
  • Password:
    Zxcasd@123
  • Username:
    dom_Supportat@xnet.oe.olympus
  • Password:
    Qweasdzxc@12345
  • Username:
    ofi-backup@xnet.oe.olympus
  • Password:
    Helmi-2005
  • Username:
    SVC_AcrossEvent@xnet.oe.olympus
  • Password:
    Acr0$$@123
  • Username:
    svc_vCenterILMT@xnet.oe.olympus
  • Password:
    V1rtu@1c3!
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.6.0.4

Botnet

b0e039b42ef6c19c2189651c9f6c390e

C2

http://mojobiden.com

http://nowautomation.com
rsa_pubkey.plain
aes.plain

Extracted

Family

blackmatter

Version

2.0

Botnet

10d51524bc007aa845e77556cdcab174

Credentials
  • Username:
    itjmorrow@pbigordon.com
  • Password:
    tGv7R79N9rC@Y$RfLCkwb*byl*mxLv
  • Username:
    inetadmin@pbigordon.com
  • Password:
    V3D174taC8Zb0EIz^cysiARR&amp
  • Username:
    itmungerman@pbigordon.com
  • Password:
    YmedEwW&amp
  • Username:
    ithrutledge@pbigordon.com
  • Password:
    exiAClEU!wcrEi0R7szO087oH0h13B
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

6e46d36711d8be390c2b8121017ab146

C2

mepocs

memtas

veeam

svc$

backup

sql

vss

msexchange
Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.2

Extracted

Family

blackmatter

Version

2.0

Botnet

5ecf7b9cde33f85a3eec9350275b5c4f

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com
Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d0e84579a05c8e92e95eee8f5d0000e5

Credentials
  • Username:
    Administrator@cat5.local
  • Password:
    Mouseman02
C2

https://fluentzip.org

http://fluentzip.org
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Targets

    • Target

      072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

    • Size

      34KB

    • MD5

      b06e2455a9c7c9485b85e9bdcceb8078

    • SHA1

      a63304592f422656d7abcb086915f9e799ad4641

    • SHA256

      072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

    • SHA512

      adc0501cbb19b53ecafa4522d5369f08e013df3c06dc068f3b1b6b823bca9dfa49a93d0fe1df5fb9ae026305f720cb8923bdbb9c5b7b98fb846670dd3e51fcf9

    Score
    10/10
    blackmatterransomwaresuricata

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4

    • Size

      79KB

    • MD5

      900b7b852674521b306bb03eb991b94a

    • SHA1

      ed5b159b94ed5977efc1f3e05490545d7cb6a93e

    • SHA256

      0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4

    • SHA512

      04db23845665c6152a965d8401502588d09f6a4d30f83797cd772c179db8e445463ec5988e381d3a83789d4f20cd0378631e90560040f44a4b0b6634f373a093

    Score
    10/10
    blackmatterransomwaresuricata

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

    • Target

      14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c

    • Size

      66KB

    • MD5

      e1f8b95beb02cd39e55cd8b31419b10f

    • SHA1

      c544440a305f429926cd3cad2fac4a4cf0fb31ba

    • SHA256

      14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c

    • SHA512

      fb1f7838140de46c05ee4715aa206fc1dff0812658a843138daa7dd370bd5aa2f004ca603d768a1ac9f4c3895a937d3b700c6d302f9f0cbd0704dc4c6e723a08

    Score
    3/10
    behavioral5behavioral6

    • Target

      1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849

    • Size

      79KB

    • MD5

      f019a40b28dd58603fa3c5194dae6cba

    • SHA1

      08e09a6ef7650f5e7d4bf3fa8850ac4ca762da7d

    • SHA256

      1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849

    • SHA512

      22fba76bbeb356ba97412938ab882768f831273251e25b1078c8a31d720dd14c73e8977054bf24cf40952f143635b205917cc905f371499cbbc639388c3df487

    Score
    10/10
    blackmatterransomware

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral7behavioral8

    • Target

      1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2

    • Size

      81KB

    • MD5

      5a8491587ab0f96ba141ae59365bc911

    • SHA1

      1ab2fac4f2dc92893a9f89fc6621f66bd47cb783

    • SHA256

      1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2

    • SHA512

      97e760f60e4db99983d05db69776058cf2f2c5ab98adea76000001a94a24f3b23feee4464baa23cf49dfa017e331c3b8b19c9da5b696f961f63cd65fc864c5c7

    Score
    10/10
    blackmatterransomwaresuricata

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral9behavioral10

    • Target

      20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

    • Size

      78KB

    • MD5

      7b125a148ce0e0c126b95395dbf02b0e

    • SHA1

      778f954480ca76029109fd6bf34904bfb1109e84

    • SHA256

      20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

    • SHA512

      daaeb7e228a3d5c7717c58287539902e79215d9795dcb1459213f7d515392f53f16ac2f0d455e635e89addd321f4f68ccdad9f5af60f8f4d1759b7ddf5409cf9

    Score
    10/10
    blackmatterransomwaresuricata

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral11behavioral12

    • Target

      22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

    • Size

      67KB

    • MD5

      598c53bfef81e489375f09792e487f1a

    • SHA1

      80a29bd2c349a8588edf42653ed739054f9a10f5

    • SHA256

      22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

    • SHA512

      6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35

    Score
    10/10
    blackmatterransomwaresuricata

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral13behavioral14

    • Target

      2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c

    • Size

      79KB

    • MD5

      f1c260c31b9d3f9ff54a142d508ec602

    • SHA1

      6b25c80e8b2dca94ea6b6a95745a496ec0bcabd3

    • SHA256

      2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c

    • SHA512

      9412a185d008ded02e2061cd4e998222071923f6260ecdcc9a3f1969ea2aa89a9493866e13450d82b8ab390ec78b24d7ba82a6e2618d11cf27d67f43a7d39d6a

    Score
    10/10
    blackmatterransomwaresuricata

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral15behavioral16

    • Target

      2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

    • Size

      80KB

    • MD5

      5c66cd4f21254f83663819138e634dd9

    • SHA1

      6626cae85970e6490b8b0bf9da9aa4b57a79bb62

    • SHA256

      2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

    • SHA512

      093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a

    Score
    10/10
    blackmatterransomwaresuricata

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

      suricata

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral17behavioral18

    • Target

      2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

    • Size

      66KB

    • MD5

      a55bc3368a10ca5a92c1c9ecae97ced9

    • SHA1

      72ed32b0e8692c7caa25d61e1828cdb48c4fe361

    • SHA256

      2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

    • SHA512

      da3187046c267b8053f0274de81665234dd07c1d06c61108878abccccb2f10bfe4bf7c53e0e4100ed76772b8b92bdd6c4953f19250f33be7dd9380ab3b63db3c

    Score
    10/10
    blackmatterransomwaresuricata

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral19behavioral20

    • Target

      2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd

    • Size

      78KB

    • MD5

      6e5986761cea340dce2efd4cf4f3790c

    • SHA1

      4a8ca4b5c04112a753e9ff5989b80f0b12e13654

    • SHA256

      2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd

    • SHA512

      8df4406a8807978df8690cb578cd00f8d22c2ad5ff78b8d87806484adcde2eaa2901f1da100c31f1538da0503043c78cb3856d0592af2f094901d864956b83af

    Score
    10/10
    blackmatterransomwaresuricata

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral21behavioral22

    • Target

      2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

    • Size

      79KB

    • MD5

      18c7c940bc6a4e778fbdf4a3e28151a8

    • SHA1

      f3589918d71b87c7e764479b79c4a7b485cb746a

    • SHA256

      2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

    • SHA512

      6e808fe882640a517c2054fdece73059c7ea3e27a946e55f41b91fd0f757dcd8c76be8f381f60f3e45449edebaa4f620b903337727607f7768543b1acec40d18

    Score
    10/10
    blackmatterransomwaresuricata

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral23behavioral24

    • Target

      3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117

    • Size

      31KB

    • MD5

      b07ff2183904731e4905b1bc1e23d24e

    • SHA1

      3fe14bbf67d25bfa3b9d06f5f1fc7812aa28a687

    • SHA256

      3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117

    • SHA512

      e7774b76759952979bac48a5f1a24808d957181d5720393f16cfb6af054253a47fd63c9f068203eb2433ff768979c59043f9f4a52cf734f375583ddaba478c4d

    Score
    10/10
    blackmatterransomwaresuricata

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral25behavioral26

    • Target

      3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40

    • Size

      79KB

    • MD5

      35aaa2a2208956d1b8752954722ff76d

    • SHA1

      fccda267f03d8dcd815f662f0fdc1e18e9fd4be3

    • SHA256

      3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40

    • SHA512

      25cca12fd228932402aa4ee3f88f1d1db45ff8167aa4a260ecc1d1911f500c239a9d0465547974abfa3ed6f330a4654932df0fa820b8bcd9c9acfb99ccbcb1e3

    Score
    10/10
    blackmatterransomwaresuricata

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral27behavioral28

    • Target

      4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91

    • Size

      64KB

    • MD5

      ad260da314d2f8f3f1531cc5779cbba9

    • SHA1

      30e15cf49a97e4560c96eed7e0c68ed9a8502023

    • SHA256

      4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91

    • SHA512

      3791b4058ee64bed388b10eeefd733ff45e10c4f374d5644cd4aa10eee6a3fac9bf31076be021acc5c46e8fe79f84048807aaf2c278a5e0e46d41eec00e5e723

    Score
    10/10
    suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata

    • Blocklisted process makes network request

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral29behavioral30

    • Target

      4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

    • Size

      78KB

    • MD5

      62a70f74d6ac64829a8a31e306e9d41d

    • SHA1

      ec26b38a29549272cc5f0cf548e208030ff114b0

    • SHA256

      4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

    • SHA512

      0bd94273735921ca43b2c12e1e9c1aba158c2f825621d1a3daa8bafecf652ea35f68bc12a748fe583429b698dc51ce4f39194129daf5521996d2d9faceb3a372

    Score
    10/10
    blackmatterransomwaresuricata

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

      suricata

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral31behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

14
T1112

Credential Access

Discovery

Query Registry

14
T1012

Peripheral Device Discovery

14
T1120

System Information Discovery

20
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

14
T1491

Tasks

static1

512478c08dada2af19e49808fbda5b0bupx14a875a2bd63041b2b3e5c323e8d5eeebab21ee475b52c0c9eb47d23ec9ba1d1b368c1ee6bca2086d8169628466c0d3b04bdf8557fa74ea0e3adbd2975efd2745791ae39aeab40b5e8e33d8dce46587728cc82fd466e0d0976a6359f264775a8207aab0afc614ac68359fc63f96659616bed8cf959f0a07170c24bb972efd726e4aaffc36f5d5b7d597455eb6d497df5b0e039b42ef6c19c2189651c9f6c390e24483508bccfe72e63b26a1233058170d58b3b69acc48f82eaa82076f97763d464139b5d8a3f06921a9364c262989e1f32bd08ad5e5e881aa2634621d611a1a590a881ffa127b004cec6802588fce3073e8e2ab5fbb392508535983b7446ba17vmprotect0c6ca0532355a106258791f50b66c15309c87c28bed23dbe6ff5aa561d38766b506d1d0f4ed51ecc3e9cf1839a4b21a74e591a315c54e8800dae714320555fa5d73c69209fbe768d5fa7ffbcad509c66879194e26a0ed7cf50f13c681e711c8210d51524bc007aa845e77556cdcab1746e46d36711d8be390c2b8121017ab1465ecf7b9cde33f85a3eec9350275b5c4fd0e84579a05c8e92e95eee8f5d0000e5blackmatter
Score
10/10

behavioral1

blackmatterransomwaresuricata
Score
10/10

behavioral2

blackmatterransomwaresuricata
Score
10/10

behavioral3

blackmatterransomwaresuricata
Score
10/10

behavioral4

blackmatterransomwaresuricata
Score
10/10

behavioral5

Score
3/10

behavioral6

Score
3/10

behavioral7

blackmatterransomware
Score
10/10

behavioral8

blackmatterransomware
Score
10/10

behavioral9

blackmatterransomwaresuricata
Score
10/10

behavioral10

blackmatterransomwaresuricata
Score
10/10

behavioral11

blackmatterransomwaresuricata
Score
10/10

behavioral12

blackmatterransomwaresuricata
Score
10/10

behavioral13

blackmatterransomwaresuricata
Score
10/10

behavioral14

blackmatterransomwaresuricata
Score
10/10

behavioral15

blackmatterransomwaresuricata
Score
10/10

behavioral16

blackmatterransomwaresuricata
Score
10/10

behavioral17

blackmatterransomwaresuricata
Score
10/10

behavioral18

blackmatterransomwaresuricata
Score
10/10

behavioral19

blackmatterransomwaresuricata
Score
10/10

behavioral20

blackmatterransomwaresuricata
Score
10/10

behavioral21

blackmatterransomwaresuricata
Score
10/10

behavioral22

blackmatterransomwaresuricata
Score
10/10

behavioral23

blackmatterransomwaresuricata
Score
10/10

behavioral24

blackmatterransomwaresuricata
Score
10/10

behavioral25

blackmatterransomwaresuricata
Score
10/10

behavioral26

blackmatterransomwaresuricata
Score
10/10

behavioral27

blackmatterransomwaresuricata
Score
10/10

behavioral28

blackmatterransomwaresuricata
Score
10/10

behavioral29

suricata
Score
10/10

behavioral30

suricata
Score
10/10

behavioral31

blackmatterransomwaresuricata
Score
10/10

behavioral32

blackmatterransomwaresuricata
Score
10/10