Extracted

Family	blackmatter
Version	1.2
Botnet	512478c08dada2af19e49808fbda5b0b
Credentials	Protocol: Host: Port: Username: aheisler@hhcp.com Password: 120Heisler Protocol: Host: Port: Username: dsmith@hhcp.com Password: Tesla2019 Protocol: Host: Port: Username: administrator@hhcp.com Password: iteam8**
C2	https://paymenthacks.com http://paymenthacks.com https://mojobiden.com http://mojobiden.com https://paymenthacks.com http://paymenthacks.com https://mojobiden.com http://mojobiden.com Copy all
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	14a875a2bd63041b2b3e5c323e8d5eee
Credentials	Protocol: Host: Port: Username: it_lw@corp.group.local Password: Voyager1701!!! Protocol: Host: Port: Username: it_ci@corp.group.local Password: HereGoes321 Protocol: Host: Port: Username: svc_netwrix@corp.group.local Password: QApassw0rd Protocol: Host: Port: Username: it_pl@corp.group.local Password: Aug21!!! Protocol: Host: Port: Username: IT_JJ2@corp.group.local Password: Glasgow0315 Protocol: Host: Port: Username: it_ng@corp.group.local Password: Eleanor22 Protocol: Host: Port: Username: it_jj@corp.group.local Password: Glasgow0315
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com Copy all
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	1.2
Botnet	bab21ee475b52c0c9eb47d23ec9ba1d1
C2	https://paymenthacks.com http://paymenthacks.com https://mojobiden.com http://mojobiden.com https://paymenthacks.com http://paymenthacks.com https://mojobiden.com http://mojobiden.com Copy all
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	b368c1ee6bca2086d8169628466c0d3b
Attributes	attempt_auth false create_mutex false encrypt_network_shares true exfiltrate false mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	04bdf8557fa74ea0e3adbd2975efd274
C2	mepocs memtas veeam svc$ backup sql vss msexchange mepocs memtas veeam svc$ backup sql vss msexchange Copy all
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	5791ae39aeab40b5e8e33d8dce465877
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate false mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	1.9
Botnet	28cc82fd466e0d0976a6359f264775a8
C2	https://mojobiden.com http://mojobiden.com https://mojobiden.com http://mojobiden.com Copy all
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	207aab0afc614ac68359fc63f9665961
C2	https://fluentzip.org http://fluentzip.org https://fluentzip.org http://fluentzip.org Copy all
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	6bed8cf959f0a07170c24bb972efd726
Credentials	Protocol: Host: Port: Username: Administrator@rpi Password: P0w3rPl4g Protocol: Host: Port: Username: 2fatest@rpi Password: poiu-0987 Protocol: Host: Port: Username: 2fauser@rpi Password: 1strongpassword!
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com Copy all
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	e4aaffc36f5d5b7d597455eb6d497df5
Credentials	Protocol: Host: Port: Username: pklages@spectrumfurniture.com Password: BBis#1ec Protocol: Host: Port: Username: BackupExec@spectrumfurniture.com Password: k8DbBSZYWWnr0QqrILoo Protocol: Host: Port: Username: admin@Northwoods.com Password: Smokie@CF
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com Copy all
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	b0e039b42ef6c19c2189651c9f6c390e
Credentials	Protocol: Host: Port: Username: r.cabello@mflgroup.com Password: Rubcabher96 Protocol: Host: Port: Username: j.berenguel@mflgroup.com Password: Alsa2003
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate false mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	24483508bccfe72e63b26a1233058170
C2	https://mojobiden.com http://mojobiden.com https://mojobiden.com http://mojobiden.com Copy all
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	d58b3b69acc48f82eaa82076f97763d4
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com Copy all
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	64139b5d8a3f06921a9364c262989e1f
C2	https://mojobiden.com http://mojobiden.com https://mojobiden.com http://mojobiden.com Copy all
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	1.6.0.2
Botnet	bab21ee475b52c0c9eb47d23ec9ba1d1
C2	http://paymenthacks.com http://mojobiden.com http://paymenthacks.com http://mojobiden.com Copy all
rsa_pubkey.plain
aes.plain

Extracted

Family	blackmatter
Version	1.6
Botnet	32bd08ad5e5e881aa2634621d611a1a5
Credentials	Protocol: Host: Port: Username: TSMBKP@aiep.corp Password: @iep.2013
C2	https://mojobiden.com http://mojobiden.com https://mojobiden.com http://mojobiden.com Copy all
Attributes	attempt_auth true create_mutex false encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	90a881ffa127b004cec6802588fce307
Credentials	Protocol: Host: Port: Username: Administrator@adroot.newcoop.com Password: Q7Q&quot Protocol: Host: Port: Username: bbanneker@soilmap.com Password: !$(AYw94+PJ,rX Protocol: Host: Port: Username: jmiklo@@adroot.newcoop.com Password: sanfran85 Protocol: Host: Port: Username: da.rob@adroot.newcoop.com Password: sanfran85 Protocol: Host: Port: Username: da.jeff@adroot.newcoop.com Password: sanfran85
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com Copy all
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	3e8e2ab5fbb392508535983b7446ba17
C2	https://fluentzip.org http://fluentzip.org https://fluentzip.org http://fluentzip.org Copy all
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	1.6
Botnet	0c6ca0532355a106258791f50b66c153
Attributes	attempt_auth false create_mutex false encrypt_network_shares false exfiltrate false mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	09c87c28bed23dbe6ff5aa561d38766b
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate false mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	506d1d0f4ed51ecc3e9cf1839a4b21a7
Attributes	attempt_auth false create_mutex false encrypt_network_shares true exfiltrate false mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	3.0
Botnet	4e591a315c54e8800dae714320555fa5
Credentials	Protocol: Host: Port: Username: OFMO220@R5-CORE.R5.AIG.NET Password: yhU6VJ$&amp Protocol: Host: Port: Username: OSYST93@R5-CORE.R5.AIG.NET Password: RPo@ndf9 Protocol: Host: Port: Username: OFMO225@R5-CORE.R5.AIG.NET Password: DH5U87@rA0ELa2
C2	https://fluentzip.org http://fluentzip.org https://fluentzip.org http://fluentzip.org Copy all
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	d73c69209fbe768d5fa7ffbcad509c66
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com Copy all
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	879194e26a0ed7cf50f13c681e711c82
Credentials	Protocol: Host: Port: Username: _vpn@xnet.oe.olympus Password: vpnvpn08 Protocol: Host: Port: Username: adm_sprinx@xnet.oe.olympus Password: Apr@123456 Protocol: Host: Port: Username: dom_ecopysupport@xnet.oe.olympus Password: Olympus$12345 Protocol: Host: Port: Username: DOM_Jannick.Berghaeu@xnet.oe.olympus Password: Olympus@12345 Protocol: Host: Port: Username: ofr-tina@xnet.oe.olympus Password: ofrt!n@ Protocol: Host: Port: Username: svc_ciscoise@xnet.oe.olympus Password: Is3@dmin Protocol: Host: Port: Username: adm_ArunachaNa@xnet.oe.olympus Password: Sinchan@12345 Protocol: Host: Port: Username: ascuser@xnet.oe.olympus Password: HappyDays.12 Protocol: Host: Port: Username: dom_admanager@xnet.oe.olympus Password: Qwerasdzx123!@# Protocol: Host: Port: Username: dom_hasansy@xnet.oe.olympus Password: Coro@12345 Protocol: Host: Port: Username: Dom_HMarme@xnet.oe.olympus Password: Ultimate06! Protocol: Host: Port: Username: dom_obuehring@xnet.oe.olympus Password: Olympus@12345 Protocol: Host: Port: Username: Dom_SadasivaPa@xnet.oe.olympus Password: Zxcasd@123 Protocol: Host: Port: Username: dom_Supportat@xnet.oe.olympus Password: Qweasdzxc@12345 Protocol: Host: Port: Username: ofi-backup@xnet.oe.olympus Password: Helmi-2005 Protocol: Host: Port: Username: SVC_AcrossEvent@xnet.oe.olympus Password: Acr0$$@123 Protocol: Host: Port: Username: svc_vCenterILMT@xnet.oe.olympus Password: V1rtu@1c3!
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate false mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	1.6.0.4
Botnet	b0e039b42ef6c19c2189651c9f6c390e
C2	http://mojobiden.com http://nowautomation.com http://mojobiden.com http://nowautomation.com Copy all
rsa_pubkey.plain
aes.plain

Extracted

Family	blackmatter
Version	2.0
Botnet	10d51524bc007aa845e77556cdcab174
Credentials	Protocol: Host: Port: Username: itjmorrow@pbigordon.com Password: tGv7R79N9rC@Y$RfLCkwb*byl*mxLv Protocol: Host: Port: Username: inetadmin@pbigordon.com Password: V3D174taC8Zb0EIz^cysiARR&amp Protocol: Host: Port: Username: itmungerman@pbigordon.com Password: YmedEwW&amp Protocol: Host: Port: Username: ithrutledge@pbigordon.com Password: exiAClEU!wcrEi0R7szO087oH0h13B
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com Copy all
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	6e46d36711d8be390c2b8121017ab146
C2	mepocs memtas veeam svc$ backup sql vss msexchange mepocs memtas veeam svc$ backup sql vss msexchange Copy all
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	1.2

Extracted

Family	blackmatter
Version	2.0
Botnet	5ecf7b9cde33f85a3eec9350275b5c4f
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com Copy all
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	d0e84579a05c8e92e95eee8f5d0000e5
Credentials	Protocol: Host: Port: Username: Administrator@cat5.local Password: Mouseman02
C2	https://fluentzip.org http://fluentzip.org https://fluentzip.org http://fluentzip.org Copy all
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

• • Target

    072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

  • Size

    34KB

  • MD5

    b06e2455a9c7c9485b85e9bdcceb8078

  • SHA1

    a63304592f422656d7abcb086915f9e799ad4641

  • SHA256

    072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

  • SHA512

    adc0501cbb19b53ecafa4522d5369f08e013df3c06dc068f3b1b6b823bca9dfa49a93d0fe1df5fb9ae026305f720cb8923bdbb9c5b7b98fb846670dd3e51fcf9

  Score

  10^/10

  blackmatterransomwaresuricata

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • suricata: ET MALWARE BlackMatter CnC Activity

    suricata: ET MALWARE BlackMatter CnC Activity

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    suricata

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2

• • Target

    0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4

  • Size

    79KB

  • MD5

    900b7b852674521b306bb03eb991b94a

  • SHA1

    ed5b159b94ed5977efc1f3e05490545d7cb6a93e

  • SHA256

    0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4

  • SHA512

    04db23845665c6152a965d8401502588d09f6a4d30f83797cd772c179db8e445463ec5988e381d3a83789d4f20cd0378631e90560040f44a4b0b6634f373a093

  Score

  10^/10

  blackmatterransomwaresuricata

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • suricata: ET MALWARE BlackMatter CnC Activity

    suricata: ET MALWARE BlackMatter CnC Activity

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    suricata

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral3behavioral4

• • Target

    14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c

  • Size

    66KB

  • MD5

    e1f8b95beb02cd39e55cd8b31419b10f

  • SHA1

    c544440a305f429926cd3cad2fac4a4cf0fb31ba

  • SHA256

    14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c

  • SHA512

    fb1f7838140de46c05ee4715aa206fc1dff0812658a843138daa7dd370bd5aa2f004ca603d768a1ac9f4c3895a937d3b700c6d302f9f0cbd0704dc4c6e723a08

  Score

  3^/10
  behavioral5behavioral6

• • Target

    1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849

  • Size

    79KB

  • MD5

    f019a40b28dd58603fa3c5194dae6cba

  • SHA1

    08e09a6ef7650f5e7d4bf3fa8850ac4ca762da7d

  • SHA256

    1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849

  • SHA512

    22fba76bbeb356ba97412938ab882768f831273251e25b1078c8a31d720dd14c73e8977054bf24cf40952f143635b205917cc905f371499cbbc639388c3df487

  Score

  10^/10

  blackmatterransomware

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral7behavioral8

• • Target

    1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2

  • Size

    81KB

  • MD5

    5a8491587ab0f96ba141ae59365bc911

  • SHA1

    1ab2fac4f2dc92893a9f89fc6621f66bd47cb783

  • SHA256

    1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2

  • SHA512

    97e760f60e4db99983d05db69776058cf2f2c5ab98adea76000001a94a24f3b23feee4464baa23cf49dfa017e331c3b8b19c9da5b696f961f63cd65fc864c5c7

  Score

  10^/10

  blackmatterransomwaresuricata

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral9behavioral10

• • Target

    20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

  • Size

    78KB

  • MD5

    7b125a148ce0e0c126b95395dbf02b0e

  • SHA1

    778f954480ca76029109fd6bf34904bfb1109e84

  • SHA256

    20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

  • SHA512

    daaeb7e228a3d5c7717c58287539902e79215d9795dcb1459213f7d515392f53f16ac2f0d455e635e89addd321f4f68ccdad9f5af60f8f4d1759b7ddf5409cf9

  Score

  10^/10

  blackmatterransomwaresuricata

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • suricata: ET MALWARE BlackMatter CnC Activity

    suricata: ET MALWARE BlackMatter CnC Activity

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    suricata

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral11behavioral12

• • Target

    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

  • Size

    67KB

  • MD5

    598c53bfef81e489375f09792e487f1a

  • SHA1

    80a29bd2c349a8588edf42653ed739054f9a10f5

  • SHA256

    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

  • SHA512

    6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35

  Score

  10^/10

  blackmatterransomwaresuricata

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • suricata: ET MALWARE BlackMatter CnC Activity

    suricata: ET MALWARE BlackMatter CnC Activity

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    suricata

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral13behavioral14

• • Target

    2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c

  • Size

    79KB

  • MD5

    f1c260c31b9d3f9ff54a142d508ec602

  • SHA1

    6b25c80e8b2dca94ea6b6a95745a496ec0bcabd3

  • SHA256

    2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c

  • SHA512

    9412a185d008ded02e2061cd4e998222071923f6260ecdcc9a3f1969ea2aa89a9493866e13450d82b8ab390ec78b24d7ba82a6e2618d11cf27d67f43a7d39d6a

  Score

  10^/10

  blackmatterransomwaresuricata

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral15behavioral16

• • Target

    2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

  • Size

    80KB

  • MD5

    5c66cd4f21254f83663819138e634dd9

  • SHA1

    6626cae85970e6490b8b0bf9da9aa4b57a79bb62

  • SHA256

    2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

  • SHA512

    093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a

  Score

  10^/10

  blackmatterransomwaresuricata

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • suricata: ET MALWARE BlackMatter CnC Activity

    suricata: ET MALWARE BlackMatter CnC Activity

    suricata

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral17behavioral18

• • Target

    2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

  • Size

    66KB

  • MD5

    a55bc3368a10ca5a92c1c9ecae97ced9

  • SHA1

    72ed32b0e8692c7caa25d61e1828cdb48c4fe361

  • SHA256

    2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

  • SHA512

    da3187046c267b8053f0274de81665234dd07c1d06c61108878abccccb2f10bfe4bf7c53e0e4100ed76772b8b92bdd6c4953f19250f33be7dd9380ab3b63db3c

  Score

  10^/10

  blackmatterransomwaresuricata

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • suricata: ET MALWARE BlackMatter CnC Activity

    suricata: ET MALWARE BlackMatter CnC Activity

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    suricata

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral19behavioral20

• • Target

    2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd

  • Size

    78KB

  • MD5

    6e5986761cea340dce2efd4cf4f3790c

  • SHA1

    4a8ca4b5c04112a753e9ff5989b80f0b12e13654

  • SHA256

    2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd

  • SHA512

    8df4406a8807978df8690cb578cd00f8d22c2ad5ff78b8d87806484adcde2eaa2901f1da100c31f1538da0503043c78cb3856d0592af2f094901d864956b83af

  Score

  10^/10

  blackmatterransomwaresuricata

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • suricata: ET MALWARE BlackMatter CnC Activity

    suricata: ET MALWARE BlackMatter CnC Activity

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    suricata

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Loads dropped DLL

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral21behavioral22

• • Target

    2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

  • Size

    79KB

  • MD5

    18c7c940bc6a4e778fbdf4a3e28151a8

  • SHA1

    f3589918d71b87c7e764479b79c4a7b485cb746a

  • SHA256

    2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

  • SHA512

    6e808fe882640a517c2054fdece73059c7ea3e27a946e55f41b91fd0f757dcd8c76be8f381f60f3e45449edebaa4f620b903337727607f7768543b1acec40d18

  Score

  10^/10

  blackmatterransomwaresuricata

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • suricata: ET MALWARE BlackMatter CnC Activity

    suricata: ET MALWARE BlackMatter CnC Activity

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    suricata

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral23behavioral24

• • Target

    3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117

  • Size

    31KB

  • MD5

    b07ff2183904731e4905b1bc1e23d24e

  • SHA1

    3fe14bbf67d25bfa3b9d06f5f1fc7812aa28a687

  • SHA256

    3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117

  • SHA512

    e7774b76759952979bac48a5f1a24808d957181d5720393f16cfb6af054253a47fd63c9f068203eb2433ff768979c59043f9f4a52cf734f375583ddaba478c4d

  Score

  10^/10

  blackmatterransomwaresuricata

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • suricata: ET MALWARE BlackMatter CnC Activity

    suricata: ET MALWARE BlackMatter CnC Activity

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    suricata

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral25behavioral26

• • Target

    3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40

  • Size

    79KB

  • MD5

    35aaa2a2208956d1b8752954722ff76d

  • SHA1

    fccda267f03d8dcd815f662f0fdc1e18e9fd4be3

  • SHA256

    3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40

  • SHA512

    25cca12fd228932402aa4ee3f88f1d1db45ff8167aa4a260ecc1d1911f500c239a9d0465547974abfa3ed6f330a4654932df0fa820b8bcd9c9acfb99ccbcb1e3

  Score

  10^/10

  blackmatterransomwaresuricata

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • suricata: ET MALWARE BlackMatter CnC Activity

    suricata: ET MALWARE BlackMatter CnC Activity

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    suricata

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral27behavioral28

• • Target

    4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91

  • Size

    64KB

  • MD5

    ad260da314d2f8f3f1531cc5779cbba9

  • SHA1

    30e15cf49a97e4560c96eed7e0c68ed9a8502023

  • SHA256

    4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91

  • SHA512

    3791b4058ee64bed388b10eeefd733ff45e10c4f374d5644cd4aa10eee6a3fac9bf31076be021acc5c46e8fe79f84048807aaf2c278a5e0e46d41eec00e5e723

  Score

  10^/10

  suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    suricata

  • Blocklisted process makes network request

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral29behavioral30

• • Target

    4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

  • Size

    78KB

  • MD5

    62a70f74d6ac64829a8a31e306e9d41d

  • SHA1

    ec26b38a29549272cc5f0cf548e208030ff114b0

  • SHA256

    4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

  • SHA512

    0bd94273735921ca43b2c12e1e9c1aba158c2f825621d1a3daa8bafecf652ea35f68bc12a748fe583429b698dc51ce4f39194129daf5521996d2d9faceb3a372

  Score

  10^/10

  blackmatterransomwaresuricata

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter

  • suricata: ET MALWARE BlackMatter CnC Activity

    suricata: ET MALWARE BlackMatter CnC Activity

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    suricata

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral31behavioral32