blackmatter.zip

Target

blackmatter.zip

Size

10MB

Sample

211122-qgyt8afeem

Score

10 ^/10

MD5

e1f207575fc9231e6ab7dbe2a7f55d5b

SHA1

3f701a77482c54c811c661dc21520e166769c511

SHA256

bf9511517f610387d714553bed6ff59d55c21cd0aa18ae00714585e699a332a3

SHA512

5a8717cfe195056d89f40d4be7b2c9a4bb85df763667a342545855366f58b7f5d627f6ed44ed380fdcf7440f569ff4f4f8a129ee41da0673bcba2b5570fe8c56

blackmatter 04bdf8557fa74ea0e3adbd2975efd274 09c87c28bed23dbe6ff5aa561d38766b 0c6ca0532355a106258791f50b66c153 10d51524bc007aa845e77556cdcab174 14a875a2bd63041b2b3e5c323e8d5eee 207aab0afc614ac68359fc63f9665961 24483508bccfe72e63b26a1233058170 28cc82fd466e0d0976a6359f264775a8 32bd08ad5e5e881aa2634621d611a1a5 3e8e2ab5fbb392508535983b7446ba17 4e591a315c54e8800dae714320555fa5 506d1d0f4ed51ecc3e9cf1839a4b21a7 512478c08dada2af19e49808fbda5b0b 5791ae39aeab40b5e8e33d8dce465877 5ecf7b9cde33f85a3eec9350275b5c4f 64139b5d8a3f06921a9364c262989e1f 6bed8cf959f0a07170c24bb972efd726 6e46d36711d8be390c2b8121017ab146 879194e26a0ed7cf50f13c681e711c82 90a881ffa127b004cec6802588fce307 b0e039b42ef6c19c2189651c9f6c390e b368c1ee6bca2086d8169628466c0d3b bab21ee475b52c0c9eb47d23ec9ba1d1 d0e84579a05c8e92e95eee8f5d0000e5 d58b3b69acc48f82eaa82076f97763d4 d73c69209fbe768d5fa7ffbcad509c66 e4aaffc36f5d5b7d597455eb6d497df5 ransomware suricata upx vmprotect

Extracted

Family	blackmatter
Version	1.2
Botnet	512478c08dada2af19e49808fbda5b0b
Credentials	Protocol: Host: Port: Username: aheisler@hhcp.com Password: 120Heisler Protocol: Host: Port: Username: dsmith@hhcp.com Password: Tesla2019 Protocol: Host: Port: Username: administrator@hhcp.com Password: iteam8**
C2	https://paymenthacks.com http://paymenthacks.com https://mojobiden.com http://mojobiden.com https://paymenthacks.com http://paymenthacks.com https://mojobiden.com http://mojobiden.com
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	14a875a2bd63041b2b3e5c323e8d5eee
Credentials	Protocol: Host: Port: Username: it_lw@corp.group.local Password: Voyager1701!!! Protocol: Host: Port: Username: it_ci@corp.group.local Password: HereGoes321 Protocol: Host: Port: Username: svc_netwrix@corp.group.local Password: QApassw0rd Protocol: Host: Port: Username: it_pl@corp.group.local Password: Aug21!!! Protocol: Host: Port: Username: IT_JJ2@corp.group.local Password: Glasgow0315 Protocol: Host: Port: Username: it_ng@corp.group.local Password: Eleanor22 Protocol: Host: Port: Username: it_jj@corp.group.local Password: Glasgow0315
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	1.2
Botnet	bab21ee475b52c0c9eb47d23ec9ba1d1
C2	https://paymenthacks.com http://paymenthacks.com https://mojobiden.com http://mojobiden.com https://paymenthacks.com http://paymenthacks.com https://mojobiden.com http://mojobiden.com
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	b368c1ee6bca2086d8169628466c0d3b
Attributes	attempt_auth false create_mutex false encrypt_network_shares true exfiltrate false mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	04bdf8557fa74ea0e3adbd2975efd274
C2	mepocs memtas veeam svc$ backup sql vss msexchange mepocs memtas veeam svc$ backup sql vss msexchange
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	5791ae39aeab40b5e8e33d8dce465877
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate false mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	1.9
Botnet	28cc82fd466e0d0976a6359f264775a8
C2	https://mojobiden.com http://mojobiden.com https://mojobiden.com http://mojobiden.com
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	207aab0afc614ac68359fc63f9665961
C2	https://fluentzip.org http://fluentzip.org https://fluentzip.org http://fluentzip.org
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	6bed8cf959f0a07170c24bb972efd726
Credentials	Protocol: Host: Port: Username: Administrator@rpi Password: P0w3rPl4g Protocol: Host: Port: Username: 2fatest@rpi Password: poiu-0987 Protocol: Host: Port: Username: 2fauser@rpi Password: 1strongpassword!
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	e4aaffc36f5d5b7d597455eb6d497df5
Credentials	Protocol: Host: Port: Username: pklages@spectrumfurniture.com Password: BBis#1ec Protocol: Host: Port: Username: BackupExec@spectrumfurniture.com Password: k8DbBSZYWWnr0QqrILoo Protocol: Host: Port: Username: admin@Northwoods.com Password: Smokie@CF
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	b0e039b42ef6c19c2189651c9f6c390e
Credentials	Protocol: Host: Port: Username: r.cabello@mflgroup.com Password: Rubcabher96 Protocol: Host: Port: Username: j.berenguel@mflgroup.com Password: Alsa2003
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate false mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	24483508bccfe72e63b26a1233058170
C2	https://mojobiden.com http://mojobiden.com https://mojobiden.com http://mojobiden.com
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	d58b3b69acc48f82eaa82076f97763d4
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	64139b5d8a3f06921a9364c262989e1f
C2	https://mojobiden.com http://mojobiden.com https://mojobiden.com http://mojobiden.com
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	1.6.0.2
Botnet	bab21ee475b52c0c9eb47d23ec9ba1d1
C2	http://paymenthacks.com http://mojobiden.com http://paymenthacks.com http://mojobiden.com
rsa_pubkey.plain
aes.plain

Extracted

Family	blackmatter
Version	1.6
Botnet	32bd08ad5e5e881aa2634621d611a1a5
Credentials	Protocol: Host: Port: Username: TSMBKP@aiep.corp Password: @iep.2013
C2	https://mojobiden.com http://mojobiden.com https://mojobiden.com http://mojobiden.com
Attributes	attempt_auth true create_mutex false encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	90a881ffa127b004cec6802588fce307
Credentials	Protocol: Host: Port: Username: Administrator@adroot.newcoop.com Password: Q7Q&quot Protocol: Host: Port: Username: bbanneker@soilmap.com Password: !$(AYw94+PJ,rX Protocol: Host: Port: Username: jmiklo@@adroot.newcoop.com Password: sanfran85 Protocol: Host: Port: Username: da.rob@adroot.newcoop.com Password: sanfran85 Protocol: Host: Port: Username: da.jeff@adroot.newcoop.com Password: sanfran85
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	3e8e2ab5fbb392508535983b7446ba17
C2	https://fluentzip.org http://fluentzip.org https://fluentzip.org http://fluentzip.org
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	1.6
Botnet	0c6ca0532355a106258791f50b66c153
Attributes	attempt_auth false create_mutex false encrypt_network_shares false exfiltrate false mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	09c87c28bed23dbe6ff5aa561d38766b
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate false mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	506d1d0f4ed51ecc3e9cf1839a4b21a7
Attributes	attempt_auth false create_mutex false encrypt_network_shares true exfiltrate false mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	3.0
Botnet	4e591a315c54e8800dae714320555fa5
Credentials	Protocol: Host: Port: Username: OFMO220@R5-CORE.R5.AIG.NET Password: yhU6VJ$&amp Protocol: Host: Port: Username: OSYST93@R5-CORE.R5.AIG.NET Password: RPo@ndf9 Protocol: Host: Port: Username: OFMO225@R5-CORE.R5.AIG.NET Password: DH5U87@rA0ELa2
C2	https://fluentzip.org http://fluentzip.org https://fluentzip.org http://fluentzip.org
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	d73c69209fbe768d5fa7ffbcad509c66
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	879194e26a0ed7cf50f13c681e711c82
Credentials	Protocol: Host: Port: Username: _vpn@xnet.oe.olympus Password: vpnvpn08 Protocol: Host: Port: Username: adm_sprinx@xnet.oe.olympus Password: Apr@123456 Protocol: Host: Port: Username: dom_ecopysupport@xnet.oe.olympus Password: Olympus$12345 Protocol: Host: Port: Username: DOM_Jannick.Berghaeu@xnet.oe.olympus Password: Olympus@12345 Protocol: Host: Port: Username: ofr-tina@xnet.oe.olympus Password: ofrt!n@ Protocol: Host: Port: Username: svc_ciscoise@xnet.oe.olympus Password: Is3@dmin Protocol: Host: Port: Username: adm_ArunachaNa@xnet.oe.olympus Password: Sinchan@12345 Protocol: Host: Port: Username: ascuser@xnet.oe.olympus Password: HappyDays.12 Protocol: Host: Port: Username: dom_admanager@xnet.oe.olympus Password: Qwerasdzx123!@# Protocol: Host: Port: Username: dom_hasansy@xnet.oe.olympus Password: Coro@12345 Protocol: Host: Port: Username: Dom_HMarme@xnet.oe.olympus Password: Ultimate06! Protocol: Host: Port: Username: dom_obuehring@xnet.oe.olympus Password: Olympus@12345 Protocol: Host: Port: Username: Dom_SadasivaPa@xnet.oe.olympus Password: Zxcasd@123 Protocol: Host: Port: Username: dom_Supportat@xnet.oe.olympus Password: Qweasdzxc@12345 Protocol: Host: Port: Username: ofi-backup@xnet.oe.olympus Password: Helmi-2005 Protocol: Host: Port: Username: SVC_AcrossEvent@xnet.oe.olympus Password: Acr0$$@123 Protocol: Host: Port: Username: svc_vCenterILMT@xnet.oe.olympus Password: V1rtu@1c3!
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate false mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	1.6.0.4
Botnet	b0e039b42ef6c19c2189651c9f6c390e
C2	http://mojobiden.com http://nowautomation.com http://mojobiden.com http://nowautomation.com
rsa_pubkey.plain
aes.plain

Extracted

Family	blackmatter
Version	2.0
Botnet	10d51524bc007aa845e77556cdcab174
Credentials	Protocol: Host: Port: Username: itjmorrow@pbigordon.com Password: tGv7R79N9rC@Y$RfLCkwbbylmxLv Protocol: Host: Port: Username: inetadmin@pbigordon.com Password: V3D174taC8Zb0EIz^cysiARR&amp Protocol: Host: Port: Username: itmungerman@pbigordon.com Password: YmedEwW&amp Protocol: Host: Port: Username: ithrutledge@pbigordon.com Password: exiAClEU!wcrEi0R7szO087oH0h13B
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	6e46d36711d8be390c2b8121017ab146
C2	mepocs memtas veeam svc$ backup sql vss msexchange mepocs memtas veeam svc$ backup sql vss msexchange
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	1.2

Extracted

Family	blackmatter
Version	2.0
Botnet	5ecf7b9cde33f85a3eec9350275b5c4f
C2	https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com https://mojobiden.com http://mojobiden.com https://nowautomation.com http://nowautomation.com
Attributes	attempt_auth false create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Extracted

Family	blackmatter
Version	2.0
Botnet	d0e84579a05c8e92e95eee8f5d0000e5
Credentials	Protocol: Host: Port: Username: Administrator@cat5.local Password: Mouseman02
C2	https://fluentzip.org http://fluentzip.org https://fluentzip.org http://fluentzip.org
Attributes	attempt_auth true create_mutex true encrypt_network_shares true exfiltrate true mount_volumes true
rsa_pubkey.base64
aes.base64

Target

072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

MD5

b06e2455a9c7c9485b85e9bdcceb8078

Filesize

34KB

Score

10^/10

SHA1

a63304592f422656d7abcb086915f9e799ad4641

SHA256

072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

SHA512

adc0501cbb19b53ecafa4522d5369f08e013df3c06dc068f3b1b6b823bca9dfa49a93d0fe1df5fb9ae026305f720cb8923bdbb9c5b7b98fb846670dd3e51fcf9

Tags

blackmatter ransomware suricata

Signatures

BlackMatter Ransomware
Description

BlackMatter ransomware group claims to be Darkside and REvil succesor.
Tags

ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
Description

suricata: ET MALWARE BlackMatter CnC Activity
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
Tags

suricata
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral1 behavioral2

Target

0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4

MD5

900b7b852674521b306bb03eb991b94a

Filesize

79KB

Score

10^/10

SHA1

ed5b159b94ed5977efc1f3e05490545d7cb6a93e

SHA256

0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4

SHA512

04db23845665c6152a965d8401502588d09f6a4d30f83797cd772c179db8e445463ec5988e381d3a83789d4f20cd0378631e90560040f44a4b0b6634f373a093

Tags

blackmatter ransomware suricata

Signatures

BlackMatter Ransomware
Description

BlackMatter ransomware group claims to be Darkside and REvil succesor.
Tags

ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
Description

suricata: ET MALWARE BlackMatter CnC Activity
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Tags

suricata
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral3 behavioral4

Target

14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c

MD5

e1f8b95beb02cd39e55cd8b31419b10f

Filesize

66KB

Score

3^/10

SHA1

c544440a305f429926cd3cad2fac4a4cf0fb31ba

SHA256

14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c

SHA512

fb1f7838140de46c05ee4715aa206fc1dff0812658a843138daa7dd370bd5aa2f004ca603d768a1ac9f4c3895a937d3b700c6d302f9f0cbd0704dc4c6e723a08

Related Tasks

behavioral5 behavioral6

Target

1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849

MD5

f019a40b28dd58603fa3c5194dae6cba

Filesize

79KB

Score

10^/10

SHA1

08e09a6ef7650f5e7d4bf3fa8850ac4ca762da7d

SHA256

1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849

SHA512

22fba76bbeb356ba97412938ab882768f831273251e25b1078c8a31d720dd14c73e8977054bf24cf40952f143635b205917cc905f371499cbbc639388c3df487

Tags

blackmatter ransomware

Signatures

BlackMatter Ransomware
Description

BlackMatter ransomware group claims to be Darkside and REvil succesor.
Tags

ransomware blackmatter
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral7 behavioral8

Target

1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2

MD5

5a8491587ab0f96ba141ae59365bc911

Filesize

81KB

Score

10^/10

SHA1

1ab2fac4f2dc92893a9f89fc6621f66bd47cb783

SHA256

1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2

SHA512

97e760f60e4db99983d05db69776058cf2f2c5ab98adea76000001a94a24f3b23feee4464baa23cf49dfa017e331c3b8b19c9da5b696f961f63cd65fc864c5c7

Tags

blackmatter ransomware suricata

Signatures

BlackMatter Ransomware
Description

BlackMatter ransomware group claims to be Darkside and REvil succesor.
Tags

ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Tags

suricata
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral9 behavioral10

Target

20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

MD5

7b125a148ce0e0c126b95395dbf02b0e

Filesize

78KB

Score

10^/10

SHA1

778f954480ca76029109fd6bf34904bfb1109e84

SHA256

20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

SHA512

daaeb7e228a3d5c7717c58287539902e79215d9795dcb1459213f7d515392f53f16ac2f0d455e635e89addd321f4f68ccdad9f5af60f8f4d1759b7ddf5409cf9

Tags

blackmatter ransomware suricata

Signatures

BlackMatter Ransomware
Description

BlackMatter ransomware group claims to be Darkside and REvil succesor.
Tags

ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
Description

suricata: ET MALWARE BlackMatter CnC Activity
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Tags

suricata
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral11 behavioral12

Target

22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

MD5

598c53bfef81e489375f09792e487f1a

Filesize

67KB

Score

10^/10

SHA1

80a29bd2c349a8588edf42653ed739054f9a10f5

SHA256

22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

SHA512

6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35

Tags

blackmatter ransomware suricata

Signatures

BlackMatter Ransomware
Description

BlackMatter ransomware group claims to be Darkside and REvil succesor.
Tags

ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
Description

suricata: ET MALWARE BlackMatter CnC Activity
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
Tags

suricata
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral13 behavioral14

Target

2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c

MD5

f1c260c31b9d3f9ff54a142d508ec602

Filesize

79KB

Score

10^/10

SHA1

6b25c80e8b2dca94ea6b6a95745a496ec0bcabd3

SHA256

2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c

SHA512

9412a185d008ded02e2061cd4e998222071923f6260ecdcc9a3f1969ea2aa89a9493866e13450d82b8ab390ec78b24d7ba82a6e2618d11cf27d67f43a7d39d6a

Tags

blackmatter ransomware suricata

Signatures

BlackMatter Ransomware
Description

BlackMatter ransomware group claims to be Darkside and REvil succesor.
Tags

ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Tags

suricata
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral15 behavioral16

Target

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

MD5

5c66cd4f21254f83663819138e634dd9

Filesize

80KB

Score

10^/10

SHA1

6626cae85970e6490b8b0bf9da9aa4b57a79bb62

SHA256

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

SHA512

093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a

Tags

blackmatter ransomware suricata

Signatures

BlackMatter Ransomware
Description

BlackMatter ransomware group claims to be Darkside and REvil succesor.
Tags

ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
Description

suricata: ET MALWARE BlackMatter CnC Activity
Tags

suricata
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral17 behavioral18

Target

2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

MD5

a55bc3368a10ca5a92c1c9ecae97ced9

Filesize

66KB

Score

10^/10

SHA1

72ed32b0e8692c7caa25d61e1828cdb48c4fe361

SHA256

2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

SHA512

da3187046c267b8053f0274de81665234dd07c1d06c61108878abccccb2f10bfe4bf7c53e0e4100ed76772b8b92bdd6c4953f19250f33be7dd9380ab3b63db3c

Tags

blackmatter ransomware suricata

Signatures

BlackMatter Ransomware
Description

BlackMatter ransomware group claims to be Darkside and REvil succesor.
Tags

ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
Description

suricata: ET MALWARE BlackMatter CnC Activity
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
Tags

suricata
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral19 behavioral20

Target

2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd

MD5

6e5986761cea340dce2efd4cf4f3790c

Filesize

78KB

Score

10^/10

SHA1

4a8ca4b5c04112a753e9ff5989b80f0b12e13654

SHA256

2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd

SHA512

8df4406a8807978df8690cb578cd00f8d22c2ad5ff78b8d87806484adcde2eaa2901f1da100c31f1538da0503043c78cb3856d0592af2f094901d864956b83af

Tags

blackmatter ransomware suricata

Signatures

BlackMatter Ransomware
Description

BlackMatter ransomware group claims to be Darkside and REvil succesor.
Tags

ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
Description

suricata: ET MALWARE BlackMatter CnC Activity
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Tags

suricata
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Loads dropped DLL
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral21 behavioral22

Target

2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

MD5

18c7c940bc6a4e778fbdf4a3e28151a8

Filesize

79KB

Score

10^/10

SHA1

f3589918d71b87c7e764479b79c4a7b485cb746a

SHA256

2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

SHA512

6e808fe882640a517c2054fdece73059c7ea3e27a946e55f41b91fd0f757dcd8c76be8f381f60f3e45449edebaa4f620b903337727607f7768543b1acec40d18

Tags

blackmatter ransomware suricata

Signatures

BlackMatter Ransomware
Description

BlackMatter ransomware group claims to be Darkside and REvil succesor.
Tags

ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
Description

suricata: ET MALWARE BlackMatter CnC Activity
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Tags

suricata
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral23 behavioral24

Target

3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117

MD5

b07ff2183904731e4905b1bc1e23d24e

Filesize

31KB

Score

10^/10

SHA1

3fe14bbf67d25bfa3b9d06f5f1fc7812aa28a687

SHA256

3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117

SHA512

e7774b76759952979bac48a5f1a24808d957181d5720393f16cfb6af054253a47fd63c9f068203eb2433ff768979c59043f9f4a52cf734f375583ddaba478c4d

Tags

blackmatter ransomware suricata

Signatures

BlackMatter Ransomware
Description

BlackMatter ransomware group claims to be Darkside and REvil succesor.
Tags

ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
Description

suricata: ET MALWARE BlackMatter CnC Activity
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
Tags

suricata
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral25 behavioral26

Target

3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40

MD5

35aaa2a2208956d1b8752954722ff76d

Filesize

79KB

Score

10^/10

SHA1

fccda267f03d8dcd815f662f0fdc1e18e9fd4be3

SHA256

3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40

SHA512

25cca12fd228932402aa4ee3f88f1d1db45ff8167aa4a260ecc1d1911f500c239a9d0465547974abfa3ed6f330a4654932df0fa820b8bcd9c9acfb99ccbcb1e3

Tags

blackmatter ransomware suricata

Signatures

BlackMatter Ransomware
Description

BlackMatter ransomware group claims to be Darkside and REvil succesor.
Tags

ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
Description

suricata: ET MALWARE BlackMatter CnC Activity
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Tags

suricata
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral27 behavioral28

Target

4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91

MD5

ad260da314d2f8f3f1531cc5779cbba9

Filesize

64KB

Score

10^/10

SHA1

30e15cf49a97e4560c96eed7e0c68ed9a8502023

SHA256

4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91

SHA512

3791b4058ee64bed388b10eeefd733ff45e10c4f374d5644cd4aa10eee6a3fac9bf31076be021acc5c46e8fe79f84048807aaf2c278a5e0e46d41eec00e5e723

Tags

suricata

Signatures

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
Tags

suricata
Blocklisted process makes network request
Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

behavioral29 behavioral30

Target

4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

MD5

62a70f74d6ac64829a8a31e306e9d41d

Filesize

78KB

Score

10^/10

SHA1

ec26b38a29549272cc5f0cf548e208030ff114b0

SHA256

4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

SHA512

0bd94273735921ca43b2c12e1e9c1aba158c2f825621d1a3daa8bafecf652ea35f68bc12a748fe583429b698dc51ce4f39194129daf5521996d2d9faceb3a372

Tags

blackmatter ransomware suricata

Signatures

BlackMatter Ransomware
Description

BlackMatter ransomware group claims to be Darkside and REvil succesor.
Tags

ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
Description

suricata: ET MALWARE BlackMatter CnC Activity
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Tags

suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Description

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Tags

suricata
Modifies extensions of user files
Description

Ransomware generally changes the extension on encrypted files.
Tags

ransomware
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Sets desktop wallpaper using registry
Tags

ransomware

TTPs

DefacementModify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger