blackmatter.zip

Malware Config

Extracted

Family blackmatter
Version 1.2
Botnet 512478c08dada2af19e49808fbda5b0b
Credentials

Protocol:

Host:

Port:

Username: aheisler@hhcp.com

Password: 120Heisler

Protocol:

Host:

Port:

Username: dsmith@hhcp.com

Password: Tesla2019

Protocol:

Host:

Port:

Username: administrator@hhcp.com

Password: iteam8**

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet 14a875a2bd63041b2b3e5c323e8d5eee
Credentials

Protocol:

Host:

Port:

Username: it_lw@corp.group.local

Password: Voyager1701!!!

Protocol:

Host:

Port:

Username: it_ci@corp.group.local

Password: HereGoes321

Protocol:

Host:

Port:

Username: svc_netwrix@corp.group.local

Password: QApassw0rd

Protocol:

Host:

Port:

Username: it_pl@corp.group.local

Password: Aug21!!!

Protocol:

Host:

Port:

Username: IT_JJ2@corp.group.local

Password: Glasgow0315

Protocol:

Host:

Port:

Username: it_ng@corp.group.local

Password: Eleanor22

Protocol:

Host:

Port:

Username: it_jj@corp.group.local

Password: Glasgow0315

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 1.2
Botnet bab21ee475b52c0c9eb47d23ec9ba1d1
C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet b368c1ee6bca2086d8169628466c0d3b
Attributes
attempt_auth
false
create_mutex
false
encrypt_network_shares
true
exfiltrate
false
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet 04bdf8557fa74ea0e3adbd2975efd274
C2

mepocs

memtas

veeam

svc$

backup

sql

vss

msexchange

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet 5791ae39aeab40b5e8e33d8dce465877
Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
false
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 1.9
Botnet 28cc82fd466e0d0976a6359f264775a8
C2

https://mojobiden.com

http://mojobiden.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet 207aab0afc614ac68359fc63f9665961
C2

https://fluentzip.org

http://fluentzip.org

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet 6bed8cf959f0a07170c24bb972efd726
Credentials

Protocol:

Host:

Port:

Username: Administrator@rpi

Password: P0w3rPl4g

Protocol:

Host:

Port:

Username: 2fatest@rpi

Password: poiu-0987

Protocol:

Host:

Port:

Username: 2fauser@rpi

Password: 1strongpassword!

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet e4aaffc36f5d5b7d597455eb6d497df5
Credentials

Protocol:

Host:

Port:

Username: pklages@spectrumfurniture.com

Password: BBis#1ec

Protocol:

Host:

Port:

Username: BackupExec@spectrumfurniture.com

Password: k8DbBSZYWWnr0QqrILoo

Protocol:

Host:

Port:

Username: admin@Northwoods.com

Password: Smokie@CF

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet b0e039b42ef6c19c2189651c9f6c390e
Credentials

Protocol:

Host:

Port:

Username: r.cabello@mflgroup.com

Password: Rubcabher96

Protocol:

Host:

Port:

Username: j.berenguel@mflgroup.com

Password: Alsa2003

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
false
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet 24483508bccfe72e63b26a1233058170
C2

https://mojobiden.com

http://mojobiden.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet d58b3b69acc48f82eaa82076f97763d4
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet 64139b5d8a3f06921a9364c262989e1f
C2

https://mojobiden.com

http://mojobiden.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 1.6.0.2
Botnet bab21ee475b52c0c9eb47d23ec9ba1d1
C2

http://paymenthacks.com

http://mojobiden.com

rsa_pubkey.plain
aes.plain

Extracted

Family blackmatter
Version 1.6
Botnet 32bd08ad5e5e881aa2634621d611a1a5
Credentials

Protocol:

Host:

Port:

Username: TSMBKP@aiep.corp

Password: @iep.2013

C2

https://mojobiden.com

http://mojobiden.com

Attributes
attempt_auth
true
create_mutex
false
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet 90a881ffa127b004cec6802588fce307
Credentials

Protocol:

Host:

Port:

Username: Administrator@adroot.newcoop.com

Password: Q7Q"

Protocol:

Host:

Port:

Username: bbanneker@soilmap.com

Password: !$(AYw94+PJ,rX

Protocol:

Host:

Port:

Username: jmiklo@@adroot.newcoop.com

Password: sanfran85

Protocol:

Host:

Port:

Username: da.rob@adroot.newcoop.com

Password: sanfran85

Protocol:

Host:

Port:

Username: da.jeff@adroot.newcoop.com

Password: sanfran85

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet 3e8e2ab5fbb392508535983b7446ba17
C2

https://fluentzip.org

http://fluentzip.org

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 1.6
Botnet 0c6ca0532355a106258791f50b66c153
Attributes
attempt_auth
false
create_mutex
false
encrypt_network_shares
false
exfiltrate
false
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet 09c87c28bed23dbe6ff5aa561d38766b
Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
false
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet 506d1d0f4ed51ecc3e9cf1839a4b21a7
Attributes
attempt_auth
false
create_mutex
false
encrypt_network_shares
true
exfiltrate
false
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 3.0
Botnet 4e591a315c54e8800dae714320555fa5
Credentials

Protocol:

Host:

Port:

Username: OFMO220@R5-CORE.R5.AIG.NET

Password: yhU6VJ$&

Protocol:

Host:

Port:

Username: OSYST93@R5-CORE.R5.AIG.NET

Password: RPo@ndf9

Protocol:

Host:

Port:

Username: OFMO225@R5-CORE.R5.AIG.NET

Password: DH5U87@rA0ELa2

C2

https://fluentzip.org

http://fluentzip.org

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet d73c69209fbe768d5fa7ffbcad509c66
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet 879194e26a0ed7cf50f13c681e711c82
Credentials

Protocol:

Host:

Port:

Username: _vpn@xnet.oe.olympus

Password: vpnvpn08

Protocol:

Host:

Port:

Username: adm_sprinx@xnet.oe.olympus

Password: Apr@123456

Protocol:

Host:

Port:

Username: dom_ecopysupport@xnet.oe.olympus

Password: Olympus$12345

Protocol:

Host:

Port:

Username: DOM_Jannick.Berghaeu@xnet.oe.olympus

Password: Olympus@12345

Protocol:

Host:

Port:

Username: ofr-tina@xnet.oe.olympus

Password: ofrt!n@

Protocol:

Host:

Port:

Username: svc_ciscoise@xnet.oe.olympus

Password: Is3@dmin

Protocol:

Host:

Port:

Username: adm_ArunachaNa@xnet.oe.olympus

Password: Sinchan@12345

Protocol:

Host:

Port:

Username: ascuser@xnet.oe.olympus

Password: HappyDays.12

Protocol:

Host:

Port:

Username: dom_admanager@xnet.oe.olympus

Password: Qwerasdzx123!@#

Protocol:

Host:

Port:

Username: dom_hasansy@xnet.oe.olympus

Password: Coro@12345

Protocol:

Host:

Port:

Username: Dom_HMarme@xnet.oe.olympus

Password: Ultimate06!

Protocol:

Host:

Port:

Username: dom_obuehring@xnet.oe.olympus

Password: Olympus@12345

Protocol:

Host:

Port:

Username: Dom_SadasivaPa@xnet.oe.olympus

Password: Zxcasd@123

Protocol:

Host:

Port:

Username: dom_Supportat@xnet.oe.olympus

Password: Qweasdzxc@12345

Protocol:

Host:

Port:

Username: ofi-backup@xnet.oe.olympus

Password: Helmi-2005

Protocol:

Host:

Port:

Username: SVC_AcrossEvent@xnet.oe.olympus

Password: Acr0$$@123

Protocol:

Host:

Port:

Username: svc_vCenterILMT@xnet.oe.olympus

Password: V1rtu@1c3!

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
false
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 1.6.0.4
Botnet b0e039b42ef6c19c2189651c9f6c390e
C2

http://mojobiden.com

http://nowautomation.com

rsa_pubkey.plain
aes.plain

Extracted

Family blackmatter
Version 2.0
Botnet 10d51524bc007aa845e77556cdcab174
Credentials

Protocol:

Host:

Port:

Username: itjmorrow@pbigordon.com

Password: tGv7R79N9rC@Y$RfLCkwb*byl*mxLv

Protocol:

Host:

Port:

Username: inetadmin@pbigordon.com

Password: V3D174taC8Zb0EIz^cysiARR&

Protocol:

Host:

Port:

Username: itmungerman@pbigordon.com

Password: YmedEwW&

Protocol:

Host:

Port:

Username: ithrutledge@pbigordon.com

Password: exiAClEU!wcrEi0R7szO087oH0h13B

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet 6e46d36711d8be390c2b8121017ab146
C2

mepocs

memtas

veeam

svc$

backup

sql

vss

msexchange

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 1.2

Extracted

Family blackmatter
Version 2.0
Botnet 5ecf7b9cde33f85a3eec9350275b5c4f
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Family blackmatter
Version 2.0
Botnet d0e84579a05c8e92e95eee8f5d0000e5
Credentials

Protocol:

Host:

Port:

Username: Administrator@cat5.local

Password: Mouseman02

C2

https://fluentzip.org

http://fluentzip.org

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64
Targets
Target

072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

MD5

b06e2455a9c7c9485b85e9bdcceb8078

Filesize

34KB

Score
10/10
SHA1

a63304592f422656d7abcb086915f9e799ad4641

SHA256

072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

SHA512

adc0501cbb19b53ecafa4522d5369f08e013df3c06dc068f3b1b6b823bca9dfa49a93d0fe1df5fb9ae026305f720cb8923bdbb9c5b7b98fb846670dd3e51fcf9

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be the Darkside and REvil successor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Activity

    Description

    suricata: ET MALWARE BlackMatter CnC Activity

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4

MD5

900b7b852674521b306bb03eb991b94a

Filesize

79KB

Score
10/10
SHA1

ed5b159b94ed5977efc1f3e05490545d7cb6a93e

SHA256

0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4

SHA512

04db23845665c6152a965d8401502588d09f6a4d30f83797cd772c179db8e445463ec5988e381d3a83789d4f20cd0378631e90560040f44a4b0b6634f373a093

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be the Darkside and REvil successor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Activity

    Description

    suricata: ET MALWARE BlackMatter CnC Activity

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c

MD5

e1f8b95beb02cd39e55cd8b31419b10f

Filesize

66KB

Score
3/10
SHA1

c544440a305f429926cd3cad2fac4a4cf0fb31ba

SHA256

14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c

SHA512

fb1f7838140de46c05ee4715aa206fc1dff0812658a843138daa7dd370bd5aa2f004ca603d768a1ac9f4c3895a937d3b700c6d302f9f0cbd0704dc4c6e723a08

Related Tasks

Target

1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849

MD5

f019a40b28dd58603fa3c5194dae6cba

Filesize

79KB

Score
10/10
SHA1

08e09a6ef7650f5e7d4bf3fa8850ac4ca762da7d

SHA256

1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849

SHA512

22fba76bbeb356ba97412938ab882768f831273251e25b1078c8a31d720dd14c73e8977054bf24cf40952f143635b205917cc905f371499cbbc639388c3df487

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be the Darkside and REvil successor.

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2

MD5

5a8491587ab0f96ba141ae59365bc911

Filesize

81KB

Score
10/10
SHA1

1ab2fac4f2dc92893a9f89fc6621f66bd47cb783

SHA256

1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2

SHA512

97e760f60e4db99983d05db69776058cf2f2c5ab98adea76000001a94a24f3b23feee4464baa23cf49dfa017e331c3b8b19c9da5b696f961f63cd65fc864c5c7

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be the Darkside and REvil successor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

MD5

7b125a148ce0e0c126b95395dbf02b0e

Filesize

78KB

Score
10/10
SHA1

778f954480ca76029109fd6bf34904bfb1109e84

SHA256

20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

SHA512

daaeb7e228a3d5c7717c58287539902e79215d9795dcb1459213f7d515392f53f16ac2f0d455e635e89addd321f4f68ccdad9f5af60f8f4d1759b7ddf5409cf9

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be the Darkside and REvil successor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Activity

    Description

    suricata: ET MALWARE BlackMatter CnC Activity

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

MD5

598c53bfef81e489375f09792e487f1a

Filesize

67KB

Score
10/10
SHA1

80a29bd2c349a8588edf42653ed739054f9a10f5

SHA256

22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

SHA512

6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be the Darkside and REvil successor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Activity

    Description

    suricata: ET MALWARE BlackMatter CnC Activity

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c

MD5

f1c260c31b9d3f9ff54a142d508ec602

Filesize

79KB

Score
10/10
SHA1

6b25c80e8b2dca94ea6b6a95745a496ec0bcabd3

SHA256

2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c

SHA512

9412a185d008ded02e2061cd4e998222071923f6260ecdcc9a3f1969ea2aa89a9493866e13450d82b8ab390ec78b24d7ba82a6e2618d11cf27d67f43a7d39d6a

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be the Darkside and REvil successor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

MD5

5c66cd4f21254f83663819138e634dd9

Filesize

80KB

Score
10/10
SHA1

6626cae85970e6490b8b0bf9da9aa4b57a79bb62

SHA256

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

SHA512

093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be the Darkside and REvil successor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Activity

    Description

    suricata: ET MALWARE BlackMatter CnC Activity

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

MD5

a55bc3368a10ca5a92c1c9ecae97ced9

Filesize

66KB

Score
10/10
SHA1

72ed32b0e8692c7caa25d61e1828cdb48c4fe361

SHA256

2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

SHA512

da3187046c267b8053f0274de81665234dd07c1d06c61108878abccccb2f10bfe4bf7c53e0e4100ed76772b8b92bdd6c4953f19250f33be7dd9380ab3b63db3c

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be the Darkside and REvil successor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Activity

    Description

    suricata: ET MALWARE BlackMatter CnC Activity

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd

MD5

6e5986761cea340dce2efd4cf4f3790c

Filesize

78KB

Score
10/10
SHA1

4a8ca4b5c04112a753e9ff5989b80f0b12e13654

SHA256

2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd

SHA512

8df4406a8807978df8690cb578cd00f8d22c2ad5ff78b8d87806484adcde2eaa2901f1da100c31f1538da0503043c78cb3856d0592af2f094901d864956b83af

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be the Darkside and REvil successor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Activity

    Description

    suricata: ET MALWARE BlackMatter CnC Activity

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Loads dropped DLL

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

MD5

18c7c940bc6a4e778fbdf4a3e28151a8

Filesize

79KB

Score
10/10
SHA1

f3589918d71b87c7e764479b79c4a7b485cb746a

SHA256

2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

SHA512

6e808fe882640a517c2054fdece73059c7ea3e27a946e55f41b91fd0f757dcd8c76be8f381f60f3e45449edebaa4f620b903337727607f7768543b1acec40d18

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be the Darkside and REvil successor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Activity

    Description

    suricata: ET MALWARE BlackMatter CnC Activity

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117

MD5

b07ff2183904731e4905b1bc1e23d24e

Filesize

31KB

Score
10/10
SHA1

3fe14bbf67d25bfa3b9d06f5f1fc7812aa28a687

SHA256

3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117

SHA512

e7774b76759952979bac48a5f1a24808d957181d5720393f16cfb6af054253a47fd63c9f068203eb2433ff768979c59043f9f4a52cf734f375583ddaba478c4d

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be the Darkside and REvil successor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Activity

    Description

    suricata: ET MALWARE BlackMatter CnC Activity

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40

MD5

35aaa2a2208956d1b8752954722ff76d

Filesize

79KB

Score
10/10
SHA1

fccda267f03d8dcd815f662f0fdc1e18e9fd4be3

SHA256

3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40

SHA512

25cca12fd228932402aa4ee3f88f1d1db45ff8167aa4a260ecc1d1911f500c239a9d0465547974abfa3ed6f330a4654932df0fa820b8bcd9c9acfb99ccbcb1e3

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be the Darkside and REvil successor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Activity

    Description

    suricata: ET MALWARE BlackMatter CnC Activity

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91

MD5

ad260da314d2f8f3f1531cc5779cbba9

Filesize

64KB

Score
10/10
SHA1

30e15cf49a97e4560c96eed7e0c68ed9a8502023

SHA256

4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91

SHA512

3791b4058ee64bed388b10eeefd733ff45e10c4f374d5644cd4aa10eee6a3fac9bf31076be021acc5c46e8fe79f84048807aaf2c278a5e0e46d41eec00e5e723

Tags

Signatures

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    Tags

  • Blocklisted process makes network request

  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

Target

4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

MD5

62a70f74d6ac64829a8a31e306e9d41d

Filesize

78KB

Score
10/10
SHA1

ec26b38a29549272cc5f0cf548e208030ff114b0

SHA256

4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

SHA512

0bd94273735921ca43b2c12e1e9c1aba158c2f825621d1a3daa8bafecf652ea35f68bc12a748fe583429b698dc51ce4f39194129daf5521996d2d9faceb3a372

Tags

Signatures

  • BlackMatter Ransomware

    Description

    The BlackMatter ransomware group claims to be the successor to Darkside and REvil.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Activity

    Description

    suricata: ET MALWARE BlackMatter CnC Activity

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

Task scores (behavioral task: score):

  • behavioral1: 10/10
  • behavioral2: 10/10
  • behavioral3: 10/10
  • behavioral4: 10/10
  • behavioral5: 3/10
  • behavioral6: 3/10
  • behavioral7: 10/10
  • behavioral8: 10/10
  • behavioral9: 10/10
  • behavioral10: 10/10
  • behavioral11: 10/10
  • behavioral12: 10/10
  • behavioral13: 10/10
  • behavioral14: 10/10
  • behavioral15: 10/10
  • behavioral16: 10/10
  • behavioral17: 10/10
  • behavioral18: 10/10
  • behavioral19: 10/10
  • behavioral20: 10/10
  • behavioral21: 10/10
  • behavioral22: 10/10
  • behavioral23: 10/10
  • behavioral24: 10/10
  • behavioral25: 10/10
  • behavioral26: 10/10
  • behavioral27: 10/10
  • behavioral28: 10/10
  • behavioral29: 10/10
  • behavioral30: 10/10
  • behavioral31: 10/10
  • behavioral32: 10/10