General

  • Size

    703KB

  • Sample

    211123-mkec7shgfl

  • MD5

    e5416e33cbe4b3b63ff0f741bf468622

  • SHA1

    e82597ae9f87b1568d7cbd966a0185a24f1a108c

  • SHA256

    8561226f674aeb4abc1b9910ddc4855ac8ac2fcd4f5face1f84e34878ac98afc

  • SHA512

    95acf78b3a4092e06f08d12a05a7fbe209ddda7beff0be6fb071b11f272ab84c18ed9e22adb5b046636f1d895dad17c29650868093aa11c6f7733cfbdee4141b

Malware Config

Extracted

Family: blackmatter

Version: 2.0

Botnet: 5791ae39aeab40b5e8e33d8dce465877

Attributes:
  attempt_auth: false
  create_mutex: true
  encrypt_network_shares: true
  exfiltrate: false
  mount_volumes: true
  rsa_pubkey.base64
  aes.base64

Extracted

Family: blackmatter

Version: 1.2

Botnet: 512478c08dada2af19e49808fbda5b0b

Credentials: harvested account credentials for the victim domain (username/password pairs)

C2:
https://paymenthacks.com
http://paymenthacks.com
https://mojobiden.com
http://mojobiden.com

Attributes:
  attempt_auth: true
  create_mutex: true
  encrypt_network_shares: true
  exfiltrate: true
  mount_volumes: true
  rsa_pubkey.base64
  aes.base64

Extracted

Family: blackmatter

Version: 1.2

Botnet: bab21ee475b52c0c9eb47d23ec9ba1d1

C2:
https://paymenthacks.com
http://paymenthacks.com
https://mojobiden.com
http://mojobiden.com

Attributes:
  attempt_auth: false
  create_mutex: true
  encrypt_network_shares: true
  exfiltrate: true
  mount_volumes: true
  rsa_pubkey.base64
  aes.base64

Extracted

Family: blackmatter

Version: 2.0

Botnet: e4aaffc36f5d5b7d597455eb6d497df5

Credentials: harvested account credentials for the victim domain (username/password pairs)

C2:
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com

Attributes:
  attempt_auth: true
  create_mutex: true
  encrypt_network_shares: true
  exfiltrate: true
  mount_volumes: true
  rsa_pubkey.base64
  aes.base64

Extracted

Family: blackmatter

Version: 2.0

Botnet: b0e039b42ef6c19c2189651c9f6c390e

Credentials: harvested account credentials for the victim domain (username/password pairs)

Attributes:
  attempt_auth: true
  create_mutex: true
  encrypt_network_shares: true
  exfiltrate: false
  mount_volumes: true
  rsa_pubkey.base64
  aes.base64

Extracted

Family: blackmatter

Version: 2.0

Botnet: d58b3b69acc48f82eaa82076f97763d4

C2:
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com

Attributes:
  attempt_auth: false
  create_mutex: true
  encrypt_network_shares: true
  exfiltrate: true
  mount_volumes: true
  rsa_pubkey.base64
  aes.base64

Extracted

Family: blackmatter

Version: 1.6

Botnet: 32bd08ad5e5e881aa2634621d611a1a5

Credentials: harvested account credentials for the victim domain (username/password pairs)

C2:
https://mojobiden.com
http://mojobiden.com

Attributes:
  attempt_auth: true
  create_mutex: false
  encrypt_network_shares: true
  exfiltrate: true
  mount_volumes: true
  rsa_pubkey.base64
  aes.base64

Extracted

Family: blackmatter

Version: 2.0

Botnet: 90a881ffa127b004cec6802588fce307

Credentials: harvested account credentials for the victim domain (username/password pairs)

C2:
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com

Attributes:
  attempt_auth: true
  create_mutex: true
  encrypt_network_shares: true
  exfiltrate: true
  mount_volumes: true
  rsa_pubkey.base64
  aes.base64

Extracted

Family: blackmatter

Version: 2.0

Botnet: d73c69209fbe768d5fa7ffbcad509c66

C2:
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com

Attributes:
  attempt_auth: false
  create_mutex: true
  encrypt_network_shares: true
  exfiltrate: true
  mount_volumes: true
  rsa_pubkey.base64
  aes.base64

Extracted

Family: blackmatter

Version: 2.0

Botnet: 879194e26a0ed7cf50f13c681e711c82

Credentials: harvested account credentials for the victim domain (username/password pairs)

Attributes:
  attempt_auth: true
  create_mutex: true
  encrypt_network_shares: true
  exfiltrate: false
  mount_volumes: true
  rsa_pubkey.base64
  aes.base64

Extracted

Family: blackmatter

Version: 2.0

Botnet: 10d51524bc007aa845e77556cdcab174

Credentials: harvested account credentials for the victim domain (username/password pairs)

C2:
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com

Attributes:
  attempt_auth: true
  create_mutex: true
  encrypt_network_shares: true
  exfiltrate: true
  mount_volumes: true
  rsa_pubkey.base64
  aes.base64

Extracted

Family: blackmatter

Version: 1.2

Targets

    • Target

      072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

    • Size

      34KB

    • MD5

      b06e2455a9c7c9485b85e9bdcceb8078

    • SHA1

      a63304592f422656d7abcb086915f9e799ad4641

    • SHA256

      072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

    • SHA512

      adc0501cbb19b53ecafa4522d5369f08e013df3c06dc068f3b1b6b823bca9dfa49a93d0fe1df5fb9ae026305f720cb8923bdbb9c5b7b98fb846670dd3e51fcf9

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

    • Size

      78KB

    • MD5

      7b125a148ce0e0c126b95395dbf02b0e

    • SHA1

      778f954480ca76029109fd6bf34904bfb1109e84

    • SHA256

      20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

    • SHA512

      daaeb7e228a3d5c7717c58287539902e79215d9795dcb1459213f7d515392f53f16ac2f0d455e635e89addd321f4f68ccdad9f5af60f8f4d1759b7ddf5409cf9

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

    • Size

      67KB

    • MD5

      598c53bfef81e489375f09792e487f1a

    • SHA1

      80a29bd2c349a8588edf42653ed739054f9a10f5

    • SHA256

      22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

    • SHA512

      6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

    • Size

      66KB

    • MD5

      a55bc3368a10ca5a92c1c9ecae97ced9

    • SHA1

      72ed32b0e8692c7caa25d61e1828cdb48c4fe361

    • SHA256

      2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

    • SHA512

      da3187046c267b8053f0274de81665234dd07c1d06c61108878abccccb2f10bfe4bf7c53e0e4100ed76772b8b92bdd6c4953f19250f33be7dd9380ab3b63db3c

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

    • Size

      79KB

    • MD5

      18c7c940bc6a4e778fbdf4a3e28151a8

    • SHA1

      f3589918d71b87c7e764479b79c4a7b485cb746a

    • SHA256

      2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

    • SHA512

      6e808fe882640a517c2054fdece73059c7ea3e27a946e55f41b91fd0f757dcd8c76be8f381f60f3e45449edebaa4f620b903337727607f7768543b1acec40d18

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

    • Size

      78KB

    • MD5

      62a70f74d6ac64829a8a31e306e9d41d

    • SHA1

      ec26b38a29549272cc5f0cf548e208030ff114b0

    • SHA256

      4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

    • SHA512

      0bd94273735921ca43b2c12e1e9c1aba158c2f825621d1a3daa8bafecf652ea35f68bc12a748fe583429b698dc51ce4f39194129daf5521996d2d9faceb3a372

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      5da8d2e1b36be0d661d276ea6523760dbe3fa4f3fdb7e32b144812ce50c483fa

    • Size

      78KB

    • MD5

      38035325b785329e3f618b2a0b90eb75

    • SHA1

      33294a6c609b6ced2acef3964d7ec34dc0101a9a

    • SHA256

      5da8d2e1b36be0d661d276ea6523760dbe3fa4f3fdb7e32b144812ce50c483fa

    • SHA512

      675a0defdfa3de5f54ece0297d955372480f25e8b9f27fa700d5cdc2c6ecedadc7b68cac2f8e2e452bdbab6a958593f45d3eab14d6e7bbfee472383879bd7b17

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      668a4a2300f36c9df0f7307cc614be3297f036fa312a424765cdb2c169187fe6

    • Size

      34KB

    • MD5

      6f5c77478795ff7fb9700ed50b334429

    • SHA1

      6803d62254edf3bdd3bc523422ff98e6120b6e5b

    • SHA256

      668a4a2300f36c9df0f7307cc614be3297f036fa312a424765cdb2c169187fe6

    • SHA512

      40e4ffd227443003e0506f8d1fbfbacde54f9bfb5fa6908f05e134ee25217d3c3907d7c981107d642c071063b57253b4727fb6a211d7698a7a9bae2d8beede5f

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db

    • Size

      71KB

    • MD5

      10aa058a3ac49e016cad7987b8e09886

    • SHA1

      cca6682330a819592c3b1ea0448ceb4e141593dc

    • SHA256

      6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db

    • SHA512

      f115fb62b1ca5e18f6340d42ff4393e2b175917312ae1cc14e7a6a9322cf8adaf22457bc8213e2baafdc2cb19d5db1e5a9c003155cbf142d5a08604495e22f6e

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d

    • Size

      79KB

    • MD5

      62a1b4d4b461f4eaae91c70727f71604

    • SHA1

      1ced9a7e62aa65faa03eb1ad2bc786e9d9b5f6c2

    • SHA256

      706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d

    • SHA512

      d14f989f5f54663c3ea63526a000e8db5d172046e37f412ed47cd31eb14db071b515b854bbb3ab3d2f41f936b6962583aaa0b3ef1236aa2506148813f66ad542

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984

    • Size

      67KB

    • MD5

      d0512f2063cbd79fb0f770817cc81ab3

    • SHA1

      e324a2c8fae0d26b12f00ac859340f8d9945a9c1

    • SHA256

      7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984

    • SHA512

      a62cecdf8887e426332d56914dfe03780402a34896ffe7a3a932986832db7080e599db32bb2113238443750227a50de84ae36c6811993c43b7eee8b1a018d641

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a

    • Size

      78KB

    • MD5

      d298d54961823dd20b7a4d14b9326964

    • SHA1

      5b70fd4f2ef2000cf2af1d2eb8a5158cc8802c90

    • SHA256

      9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a

    • SHA512

      64be2de822607f8d85066a972468528706133cc3133f90f0fb51cd5874e83d0bce5d240d9aabc021730dbd654a26069933850db5de895011fc4d4045564ba6ca

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a

    • Size

      80KB

    • MD5

      cdece7491402c7cb06964ffc680d791a

    • SHA1

      8c5427baa48d840bc7508eeaa7c091d368a68e0a

    • SHA256

      b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a

    • SHA512

      5ff6eb1f81bb309aede35a9aef26ea587b6c2e49bea66f6e91bf1dbc02cc978869a1bfd376b524522cc8bf99f48ee7f62db9322212342bc4d7af40984290e501

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99

    • Size

      66KB

    • MD5

      ba375d0625001102fc1f2ccb6f582d91

    • SHA1

      379ebd1eff6f8685f4ff72657626bf6df5383d87

    • SHA256

      c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99

    • SHA512

      795b10a638e289729192de6a6d9964b5ad3b8084f84d58da077ca8ec08c8b8cb1acadb5240962d4ccacf66242bab1430923fc77bdbbfacd0badd64df2ba1487f

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d

    • Size

      79KB

    • MD5

      5de71f0e1ad0e2c2968153809ffaff05

    • SHA1

      f023f314327acd96cd8a0f8e32451b2d2dee61d0

    • SHA256

      e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d

    • SHA512

      2fce4fbdf3bc7e0dfa9cc90581c08ea6578522c65891e12359bd464b1ea007006979491b9049e4a20fabd196bf321275cc003d537236c2bd5bf8826f85543c05

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b

    • Size

      79KB

    • MD5

      c958e5710adefbc68f3e0719f48bcf87

    • SHA1

      f50429c2e706f65fd3fb62968a74b391e5417e66

    • SHA256

      eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b

    • SHA512

      f5dbe5cc944d6dccbc085c5344e3a61f8945c838dcbfee0a0fbf69429946fed5db363da621835ffb54ee76eba938f7fd31c73b9a727ab2cf5c554b58bc09258d

    • BlackMatter Ransomware: BlackMatter ransomware group claims to be a Darkside and REvil successor.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation.