General

Malware Config

Extracted

Family

blackmatter

Version

1.2

Botnet

512478c08dada2af19e49808fbda5b0b

Credentials
C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

14a875a2bd63041b2b3e5c323e8d5eee

Credentials
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.2

Botnet

bab21ee475b52c0c9eb47d23ec9ba1d1

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

b368c1ee6bca2086d8169628466c0d3b

Attributes
  • attempt_auth

    false

  • create_mutex

    false

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

04bdf8557fa74ea0e3adbd2975efd274

C2

mepocs

memtas

veeam

svc$

backup

sql

vss

msexchange

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

5791ae39aeab40b5e8e33d8dce465877

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.9

Botnet

28cc82fd466e0d0976a6359f264775a8

C2

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

207aab0afc614ac68359fc63f9665961

C2

https://fluentzip.org

http://fluentzip.org

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

6bed8cf959f0a07170c24bb972efd726

Credentials
  • Username:
    Administrator@rpi
  • Password:
    P0w3rPl4g
  • Username:
    2fatest@rpi
  • Password:
    poiu-0987
  • Username:
    2fauser@rpi
  • Password:
    1strongpassword!
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

e4aaffc36f5d5b7d597455eb6d497df5

Credentials
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

b0e039b42ef6c19c2189651c9f6c390e

Credentials
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

24483508bccfe72e63b26a1233058170

C2

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d58b3b69acc48f82eaa82076f97763d4

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

64139b5d8a3f06921a9364c262989e1f

C2

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.6.0.2

Botnet

bab21ee475b52c0c9eb47d23ec9ba1d1

C2

http://paymenthacks.com

http://mojobiden.com

rsa_pubkey.plain
aes.plain

Extracted

Family

blackmatter

Version

1.6

Botnet

32bd08ad5e5e881aa2634621d611a1a5

Credentials
C2

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    true

  • create_mutex

    false

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

90a881ffa127b004cec6802588fce307

Credentials
  • Username:
    jmiklo@@adroot.newcoop.com
  • Password:
    sanfran85
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

3e8e2ab5fbb392508535983b7446ba17

C2

https://fluentzip.org

http://fluentzip.org

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.6

Botnet

0c6ca0532355a106258791f50b66c153

Attributes
  • attempt_auth

    false

  • create_mutex

    false

  • encrypt_network_shares

    false

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

09c87c28bed23dbe6ff5aa561d38766b

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

506d1d0f4ed51ecc3e9cf1839a4b21a7

Attributes
  • attempt_auth

    false

  • create_mutex

    false

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

3.0

Botnet

4e591a315c54e8800dae714320555fa5

Credentials
C2

https://fluentzip.org

http://fluentzip.org

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d73c69209fbe768d5fa7ffbcad509c66

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

879194e26a0ed7cf50f13c681e711c82

Credentials
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.6.0.4

Botnet

b0e039b42ef6c19c2189651c9f6c390e

C2

http://mojobiden.com

http://nowautomation.com

rsa_pubkey.plain
aes.plain

Extracted

Family

blackmatter

Version

2.0

Botnet

10d51524bc007aa845e77556cdcab174

Credentials
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

6e46d36711d8be390c2b8121017ab146

C2

mepocs

memtas

veeam

svc$

backup

sql

vss

msexchange

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.2

Extracted

Family

blackmatter

Version

2.0

Botnet

5ecf7b9cde33f85a3eec9350275b5c4f

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d0e84579a05c8e92e95eee8f5d0000e5

Credentials
C2

https://fluentzip.org

http://fluentzip.org

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Signatures

  • Blackmatter family
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • NSIS installer 2 IoCs

Files

  • blackmatter.zip
    .zip
  • 02ec55a8f4f97a84370ca72b03912ae8625d344b7bd1af92a2de4b636183f2ab
    .zip

    Password: infected

  • 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
    .exe windows x86


  • 072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486
    .exe windows x86


  • 0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4
    .exe windows x86


  • 14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c
    .exe windows x86


  • 1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849
    .exe windows x86


  • 1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2
    .exe windows x86


  • 20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41
    .exe windows x86


  • 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
    .exe windows x86


  • 2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c
    .exe windows x86


  • 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c
    .exe windows x86


  • 2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009
    .exe windows x86


  • 2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd
    .exe windows x86


  • 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2
    .exe windows x86


  • 3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117
    .exe windows x86


  • 3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40
    .exe windows x86


  • 4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91
    .dll windows x86


  • 4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b
    .exe windows x86


  • 520bd9ed608c668810971dbd51184c6a29819674280b018dc4027bc38fc42e57
    .exe windows x86


  • 5da8d2e1b36be0d661d276ea6523760dbe3fa4f3fdb7e32b144812ce50c483fa
    .exe windows x86


  • 668a4a2300f36c9df0f7307cc614be3297f036fa312a424765cdb2c169187fe6
    .exe windows x86


  • 66e6563ecef8f33b1b283a63404a2029550af9a6574b84e0fb3f2c6a8f42e89f
    .exe windows x86


  • 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502
    .elf linux x64
  • 6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db
    .exe windows x86


  • 706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d
    .exe windows x86


  • 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4
    .exe windows x86


  • 77340f01535db5c80c1f3e725a8f8de17bb227f567b8f568dd339be6ddacf60e
    .exe windows x86


    Exports

  • 7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984
    .exe windows x86


  • 8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac
    .exe windows x86


  • 86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94
    .dll windows x86


  • 8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952
    .exe windows x86


  • 8f1b0affffb2f2f58b477515d1ce54f4daa40a761d828041603d5536c2d53539
    .exe windows x86


  • 9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58
    .exe windows x86


  • 9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a
    .exe windows x86


  • b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a
    .exe windows x86


  • b3e82b43750c7d0833f69abd3d31751c9e8face5063573946f61abbdda513eb8
    .exe windows x86


  • b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7
    .exe windows x86


  • b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f
    .exe windows x86


  • bmhashes.txt
  • c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99
    .exe windows x86


  • c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe
    .dll windows x86


  • cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7
    .exe windows x86


  • d4645d2c29505cf10d1b201826c777b62cbf9d752cb1008bef1192e0dd545a82
    .elf linux x64
  • d4647619fa2dc8fef5560d1662cbee6eb7dc95298dd40edf12dd4c8ee902d767
    .exe windows x86


  • daed41395ba663bef2c52e3d1723ac46253a9008b582bb8d9da9cb0044991720
    .exe windows x86


  • e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d
    .exe windows x86


  • e9b24041847844a5d57b033bf0b41dc637eba7664acfb43da5db635ae920a1b4
    .exe windows x86


  • eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b
    .exe windows x86


  • eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1
    .exe windows x86


  • ed47e6ecca056bba20f2b299b9df1022caf2f3e7af1f526c1fe3b8bf2d6e7404
    .exe windows x86


  • f32604fba766c946b429cf7e152273794ebba9935999986b7e137ca46cd165fc
    .exe windows x86


  • f7b3da61cb6a37569270554776dbbd1406d7203718c0419c922aa393c07e9884
    .exe windows x86


  • fe2b2beeff98cae90f58a5b2f01dab31eaa98d274757a7dd9f70f4dc8432a6e2
    .exe windows x86