General

  • Target

    blackmatter4.zip

  • Size

    703KB

  • Sample

    211123-mkec7shgfl

  • MD5

    e5416e33cbe4b3b63ff0f741bf468622

  • SHA1

    e82597ae9f87b1568d7cbd966a0185a24f1a108c

  • SHA256

    8561226f674aeb4abc1b9910ddc4855ac8ac2fcd4f5face1f84e34878ac98afc

  • SHA512

    95acf78b3a4092e06f08d12a05a7fbe209ddda7beff0be6fb071b11f272ab84c18ed9e22adb5b046636f1d895dad17c29650868093aa11c6f7733cfbdee4141b

Malware Config

Extracted

Family

blackmatter

Version

2.0

Botnet

5791ae39aeab40b5e8e33d8dce465877

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.2

Botnet

512478c08dada2af19e49808fbda5b0b

Credentials
  • Username:
    aheisler@hhcp.com
  • Password:
    120Heisler
  • Username:
    dsmith@hhcp.com
  • Password:
    Tesla2019
  • Username:
    administrator@hhcp.com
  • Password:
    iteam8**
C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.2

Botnet

bab21ee475b52c0c9eb47d23ec9ba1d1

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

e4aaffc36f5d5b7d597455eb6d497df5

Credentials
  • Username:
    pklages@spectrumfurniture.com
  • Password:
    BBis#1ec
  • Username:
    BackupExec@spectrumfurniture.com
  • Password:
    k8DbBSZYWWnr0QqrILoo
  • Username:
    admin@Northwoods.com
  • Password:
    Smokie@CF
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

b0e039b42ef6c19c2189651c9f6c390e

Credentials
  • Username:
    r.cabello@mflgroup.com
  • Password:
    Rubcabher96
  • Username:
    j.berenguel@mflgroup.com
  • Password:
    Alsa2003
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d58b3b69acc48f82eaa82076f97763d4

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.6

Botnet

32bd08ad5e5e881aa2634621d611a1a5

Credentials
  • Username:
    TSMBKP@aiep.corp
  • Password:
    @iep.2013
C2

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    true

  • create_mutex

    false

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

90a881ffa127b004cec6802588fce307

Credentials
  • Username:
    Administrator@adroot.newcoop.com
  • Password:
    Q7Q"
  • Username:
    bbanneker@soilmap.com
  • Password:
    !$(AYw94+PJ,rX
  • Username:
    jmiklo@@adroot.newcoop.com
  • Password:
    sanfran85
  • Username:
    da.rob@adroot.newcoop.com
  • Password:
    sanfran85
  • Username:
    da.jeff@adroot.newcoop.com
  • Password:
    sanfran85
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d73c69209fbe768d5fa7ffbcad509c66

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

879194e26a0ed7cf50f13c681e711c82

Credentials
  • Username:
    _vpn@xnet.oe.olympus
  • Password:
    vpnvpn08
  • Username:
    adm_sprinx@xnet.oe.olympus
  • Password:
    Apr@123456
  • Username:
    dom_ecopysupport@xnet.oe.olympus
  • Password:
    Olympus$12345
  • Username:
    DOM_Jannick.Berghaeu@xnet.oe.olympus
  • Password:
    Olympus@12345
  • Username:
    ofr-tina@xnet.oe.olympus
  • Password:
    ofrt!n@
  • Username:
    svc_ciscoise@xnet.oe.olympus
  • Password:
    Is3@dmin
  • Username:
    adm_ArunachaNa@xnet.oe.olympus
  • Password:
    Sinchan@12345
  • Username:
    ascuser@xnet.oe.olympus
  • Password:
    HappyDays.12
  • Username:
    dom_admanager@xnet.oe.olympus
  • Password:
    Qwerasdzx123!@#
  • Username:
    dom_hasansy@xnet.oe.olympus
  • Password:
    Coro@12345
  • Username:
    Dom_HMarme@xnet.oe.olympus
  • Password:
    Ultimate06!
  • Username:
    dom_obuehring@xnet.oe.olympus
  • Password:
    Olympus@12345
  • Username:
    Dom_SadasivaPa@xnet.oe.olympus
  • Password:
    Zxcasd@123
  • Username:
    dom_Supportat@xnet.oe.olympus
  • Password:
    Qweasdzxc@12345
  • Username:
    ofi-backup@xnet.oe.olympus
  • Password:
    Helmi-2005
  • Username:
    SVC_AcrossEvent@xnet.oe.olympus
  • Password:
    Acr0$$@123
  • Username:
    svc_vCenterILMT@xnet.oe.olympus
  • Password:
    V1rtu@1c3!
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

10d51524bc007aa845e77556cdcab174

Credentials
  • Username:
    itjmorrow@pbigordon.com
  • Password:
    tGv7R79N9rC@Y$RfLCkwb*byl*mxLv
  • Username:
    inetadmin@pbigordon.com
  • Password:
    V3D174taC8Zb0EIz^cysiARR&
  • Username:
    itmungerman@pbigordon.com
  • Password:
    YmedEwW&
  • Username:
    ithrutledge@pbigordon.com
  • Password:
    exiAClEU!wcrEi0R7szO087oH0h13B
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.2
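
Every extracted config above carries the same handful of fields: family, version, botnet ID, any embedded credentials, C2 URLs, the behaviour flags, and the RSA public key and AES key blobs (elided on this page). What a responder needs from them is a host list to block, an account list to force-reset, and a way to check resolver logs for the C2 names, which is what the ET DNS-lookup signatures in the target list do on the wire. The Python below is an added example, not part of the sandbox report or of any BlackMatter tooling: it parses config blocks written in this page's layout, deduplicates the C2 hosts across configs and URL schemes, collects the embedded accounts, and matches DNS query names against the host list so that subdomains hit but look-alike names do not. SAMPLE_REPORT is a constructed excerpt (two abbreviated configs; the credential is a placeholder, not one of the leaked accounts), and CONSTRUCTED_DNS_LOG with its qname= field layout is an assumption.

```python
"""Parse the 'Extracted' BlackMatter config blocks of a Triage-style report into
block and reset lists, then run the C2 hosts over DNS query logs.

Added example, not part of the sandbox report. SAMPLE_REPORT is a constructed
excerpt in the page's layout (blank lines dropped, the parser skips them) with a
placeholder credential; CONSTRUCTED_DNS_LOG and its 'qname=' field are made up.
"""
import re
from urllib.parse import urlparse

SAMPLE_REPORT = """\
Extracted
Version
1.2
Botnet
512478c08dada2af19e49808fbda5b0b
Credentials
  • Username:
    backup.svc@example.com
  • Password:
    Constructed-Pass-1
C2
https://paymenthacks.com
https://mojobiden.com
Attributes
  • attempt_auth
    true
rsa_pubkey.base64
aes.base64
Extracted
Botnet
d58b3b69acc48f82eaa82076f97763d4
C2
https://mojobiden.com
https://nowautomation.com
Attributes
  • attempt_auth
    false
"""
CONSTRUCTED_DNS_LOG = [
    "2021-11-23T10:01:02Z client=10.0.0.15 qtype=A qname=www.example.com.",
    "2021-11-23T10:01:05Z client=10.0.0.15 qtype=A qname=mojobiden.com.",
    "2021-11-23T10:01:06Z client=10.0.0.22 qtype=A qname=notmojobiden.com.",
    "2021-11-23T10:01:09Z client=10.0.0.15 qtype=A qname=cdn.nowautomation.com.",
]
SINGLE_VALUE = {"Family", "Version", "Botnet"}       # exactly one value line follows
LIST_SECTIONS = {"Credentials", "C2", "Attributes"}  # entries run until the next header
KEY_MARKERS = {"rsa_pubkey.base64", "aes.base64"}    # key blobs, elided on the page


def parse_report(text):
    """Line-oriented state machine; one dict per 'Extracted' heading."""
    configs, cur, section, label, user = [], None, None, None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line == "Extracted":
            cur = {"Family": "", "Version": "", "Botnet": "", "credentials": [],
                   "c2": [], "attributes": {}, "keys_present": set()}
            configs.append(cur)
            section = label = user = None
        elif cur is None:
            continue
        elif line in SINGLE_VALUE or line in LIST_SECTIONS:
            section = line
        elif line in KEY_MARKERS:
            cur["keys_present"].add(line)
            section = None
        elif section in SINGLE_VALUE:
            cur[section] = line
            section = None  # so an unrelated later heading ('Targets') is ignored
        elif section in LIST_SECTIONS and line.startswith("•"):
            label = line.lstrip("•").strip().rstrip(":")  # 'Username', 'attempt_auth', ...
        elif section == "Credentials":
            if label == "Username":
                user = line
            else:  # the 'Password' value closes the pair
                cur["credentials"].append((user, line))
        elif section == "Attributes":
            cur["attributes"][label] = line.lower() == "true"
        elif section == "C2":
            cur["c2"].append(line)
    return configs


def c2_hosts(configs):
    """Unique C2 hostnames for blocking, deduplicated across configs and schemes."""
    return sorted({urlparse(u).hostname.lower() for c in configs for u in c["c2"]})


def accounts_to_reset(configs):
    """Every account embedded in any config is compromised and must be reset."""
    return sorted({u for c in configs for u, _ in c["credentials"]})


def dns_hits(log_lines, hosts):
    """(line number, qname) for queries equal to or under a C2 host."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r"qname=(\S+)", line)
        labels = m.group(1).rstrip(".").lower().split(".") if m else []
        # Walk parent domains: cdn.mojobiden.com hits, notmojobiden.com does not.
        if any(".".join(labels[i:]) in hosts for i in range(len(labels) - 1)):
            hits.append((n, ".".join(labels)))
    return hits
```

Call parse_report() on the full text of a report: configs with no Credentials or C2 section (several above) simply yield empty lists, and the Targets section that follows the last config is skipped because single-value sections close after one line. The rsa_pubkey.base64 and aes.base64 markers are recorded as present but carry no value, matching what the page shows.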

Targets

    • Target

      072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

    • Size

      34KB

    • MD5

      b06e2455a9c7c9485b85e9bdcceb8078

    • SHA1

      a63304592f422656d7abcb086915f9e799ad4641

    • SHA256

      072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

    • SHA512

      adc0501cbb19b53ecafa4522d5369f08e013df3c06dc068f3b1b6b823bca9dfa49a93d0fe1df5fb9ae026305f720cb8923bdbb9c5b7b98fb846670dd3e51fcf9

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

    • Size

      78KB

    • MD5

      7b125a148ce0e0c126b95395dbf02b0e

    • SHA1

      778f954480ca76029109fd6bf34904bfb1109e84

    • SHA256

      20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41

    • SHA512

      daaeb7e228a3d5c7717c58287539902e79215d9795dcb1459213f7d515392f53f16ac2f0d455e635e89addd321f4f68ccdad9f5af60f8f4d1759b7ddf5409cf9

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

    • Size

      67KB

    • MD5

      598c53bfef81e489375f09792e487f1a

    • SHA1

      80a29bd2c349a8588edf42653ed739054f9a10f5

    • SHA256

      22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

    • SHA512

      6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

    • Size

      66KB

    • MD5

      a55bc3368a10ca5a92c1c9ecae97ced9

    • SHA1

      72ed32b0e8692c7caa25d61e1828cdb48c4fe361

    • SHA256

      2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

    • SHA512

      da3187046c267b8053f0274de81665234dd07c1d06c61108878abccccb2f10bfe4bf7c53e0e4100ed76772b8b92bdd6c4953f19250f33be7dd9380ab3b63db3c

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

    • Size

      79KB

    • MD5

      18c7c940bc6a4e778fbdf4a3e28151a8

    • SHA1

      f3589918d71b87c7e764479b79c4a7b485cb746a

    • SHA256

      2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

    • SHA512

      6e808fe882640a517c2054fdece73059c7ea3e27a946e55f41b91fd0f757dcd8c76be8f381f60f3e45449edebaa4f620b903337727607f7768543b1acec40d18

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

    • Size

      78KB

    • MD5

      62a70f74d6ac64829a8a31e306e9d41d

    • SHA1

      ec26b38a29549272cc5f0cf548e208030ff114b0

    • SHA256

      4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b

    • SHA512

      0bd94273735921ca43b2c12e1e9c1aba158c2f825621d1a3daa8bafecf652ea35f68bc12a748fe583429b698dc51ce4f39194129daf5521996d2d9faceb3a372

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      5da8d2e1b36be0d661d276ea6523760dbe3fa4f3fdb7e32b144812ce50c483fa

    • Size

      78KB

    • MD5

      38035325b785329e3f618b2a0b90eb75

    • SHA1

      33294a6c609b6ced2acef3964d7ec34dc0101a9a

    • SHA256

      5da8d2e1b36be0d661d276ea6523760dbe3fa4f3fdb7e32b144812ce50c483fa

    • SHA512

      675a0defdfa3de5f54ece0297d955372480f25e8b9f27fa700d5cdc2c6ecedadc7b68cac2f8e2e452bdbab6a958593f45d3eab14d6e7bbfee472383879bd7b17

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      668a4a2300f36c9df0f7307cc614be3297f036fa312a424765cdb2c169187fe6

    • Size

      34KB

    • MD5

      6f5c77478795ff7fb9700ed50b334429

    • SHA1

      6803d62254edf3bdd3bc523422ff98e6120b6e5b

    • SHA256

      668a4a2300f36c9df0f7307cc614be3297f036fa312a424765cdb2c169187fe6

    • SHA512

      40e4ffd227443003e0506f8d1fbfbacde54f9bfb5fa6908f05e134ee25217d3c3907d7c981107d642c071063b57253b4727fb6a211d7698a7a9bae2d8beede5f

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db

    • Size

      71KB

    • MD5

      10aa058a3ac49e016cad7987b8e09886

    • SHA1

      cca6682330a819592c3b1ea0448ceb4e141593dc

    • SHA256

      6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db

    • SHA512

      f115fb62b1ca5e18f6340d42ff4393e2b175917312ae1cc14e7a6a9322cf8adaf22457bc8213e2baafdc2cb19d5db1e5a9c003155cbf142d5a08604495e22f6e

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d

    • Size

      79KB

    • MD5

      62a1b4d4b461f4eaae91c70727f71604

    • SHA1

      1ced9a7e62aa65faa03eb1ad2bc786e9d9b5f6c2

    • SHA256

      706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d

    • SHA512

      d14f989f5f54663c3ea63526a000e8db5d172046e37f412ed47cd31eb14db071b515b854bbb3ab3d2f41f936b6962583aaa0b3ef1236aa2506148813f66ad542

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984

    • Size

      67KB

    • MD5

      d0512f2063cbd79fb0f770817cc81ab3

    • SHA1

      e324a2c8fae0d26b12f00ac859340f8d9945a9c1

    • SHA256

      7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984

    • SHA512

      a62cecdf8887e426332d56914dfe03780402a34896ffe7a3a932986832db7080e599db32bb2113238443750227a50de84ae36c6811993c43b7eee8b1a018d641

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a

    • Size

      78KB

    • MD5

      d298d54961823dd20b7a4d14b9326964

    • SHA1

      5b70fd4f2ef2000cf2af1d2eb8a5158cc8802c90

    • SHA256

      9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a

    • SHA512

      64be2de822607f8d85066a972468528706133cc3133f90f0fb51cd5874e83d0bce5d240d9aabc021730dbd654a26069933850db5de895011fc4d4045564ba6ca

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a

    • Size

      80KB

    • MD5

      cdece7491402c7cb06964ffc680d791a

    • SHA1

      8c5427baa48d840bc7508eeaa7c091d368a68e0a

    • SHA256

      b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a

    • SHA512

      5ff6eb1f81bb309aede35a9aef26ea587b6c2e49bea66f6e91bf1dbc02cc978869a1bfd376b524522cc8bf99f48ee7f62db9322212342bc4d7af40984290e501

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99

    • Size

      66KB

    • MD5

      ba375d0625001102fc1f2ccb6f582d91

    • SHA1

      379ebd1eff6f8685f4ff72657626bf6df5383d87

    • SHA256

      c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99

    • SHA512

      795b10a638e289729192de6a6d9964b5ad3b8084f84d58da077ca8ec08c8b8cb1acadb5240962d4ccacf66242bab1430923fc77bdbbfacd0badd64df2ba1487f

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d

    • Size

      79KB

    • MD5

      5de71f0e1ad0e2c2968153809ffaff05

    • SHA1

      f023f314327acd96cd8a0f8e32451b2d2dee61d0

    • SHA256

      e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d

    • SHA512

      2fce4fbdf3bc7e0dfa9cc90581c08ea6578522c65891e12359bd464b1ea007006979491b9049e4a20fabd196bf321275cc003d537236c2bd5bf8826f85543c05

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b

    • Size

      79KB

    • MD5

      c958e5710adefbc68f3e0719f48bcf87

    • SHA1

      f50429c2e706f65fd3fb62968a74b391e5417e66

    • SHA256

      eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b

    • SHA512

      f5dbe5cc944d6dccbc085c5344e3a61f8945c838dcbfee0a0fbf69429946fed5db363da621835ffb54ee76eba938f7fd31c73b9a727ab2cf5c554b58bc09258d

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                      ID      Tasks
  Defense Evasion    Modify Registry                T1112   16
  Discovery          Query Registry                 T1012   16
  Discovery          Peripheral Device Discovery    T1120   16
  Discovery          System Information Discovery   T1082   22
  Impact             Defacement                     T1491   16
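
Two of the techniques mapped above, Modify Registry (T1112) and Defacement (T1491), come from the "Sets desktop wallpaper using registry" signature hit by every 10/10 target: the sample rewrites the per-user Wallpaper value under Control Panel\Desktop, which Sysmon records as Event ID 13 (RegistryEvent, value set) against HKU\<SID>\Control Panel\Desktop\Wallpaper. The Python below is an added detection example, not code from the report or its vendor: it flags that write when the writing process is outside a small allowlist and raises severity when either the writer or the new image sits in a user-writable location. The events are constructed Sysmon-style JSON records using Sysmon's own field names; the allowlist and the path heuristic are assumptions to tune per environment.

```python
"""Flag desktop-wallpaper tampering (ATT&CK T1491 Defacement via T1112 Modify
Registry) in Sysmon registry events.

Added example, not part of the sandbox report. CONSTRUCTED_EVENTS are made-up
Sysmon Event ID 13 (RegistryEvent, value set) records using Sysmon's field
names; the allowlist and the writable-path heuristic are assumptions to tune.
"""
import json
import re

# Sysmon logs the per-user wallpaper value as HKU\<SID>\Control Panel\Desktop\Wallpaper.
WALLPAPER_VALUE = re.compile(
    r"^(HKU\\S-1-5-21-[\d-]+|HKCU)\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)
# Images that legitimately rewrite the value on a stock client (assumed baseline).
LEGIT_WRITERS = {r"c:\windows\explorer.exe",
                 r"c:\windows\immersivecontrolpanel\systemsettings.exe"}
# User-writable locations a dropped payload or note image typically lives in.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)",
    re.IGNORECASE)

SID = "HKU\\S-1-5-21-1004336348-1177238915-682003330-1001"
CONSTRUCTED_EVENTS = [
    # Normal: the shell applies a picture the user picked.
    json.dumps({"EventID": 13, "EventType": "SetValue", "UtcTime": "2021-11-23 10:02:11.004",
                "Image": "C:\\Windows\\explorer.exe", "ProcessId": 4120, "User": "CORP\\alice",
                "TargetObject": SID + "\\Control Panel\\Desktop\\Wallpaper",
                "Details": "C:\\Users\\alice\\Pictures\\beach.jpg"}),
    # Ransomware pattern: unknown binary in %TEMP% points the wallpaper at a dropped BMP.
    json.dumps({"EventID": 13, "EventType": "SetValue", "UtcTime": "2021-11-23 10:14:37.551",
                "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe", "ProcessId": 5532,
                "User": "CORP\\alice",
                "TargetObject": SID + "\\Control Panel\\Desktop\\Wallpaper",
                "Details": "C:\\ProgramData\\wallpaper.bmp"}),
    # Same process, different value: not this rule's business.
    json.dumps({"EventID": 13, "EventType": "SetValue", "UtcTime": "2021-11-23 10:14:38.002",
                "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe", "ProcessId": 5532,
                "User": "CORP\\alice",
                "TargetObject": SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
                "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"}),
    # Process-create event: wrong event type.
    json.dumps({"EventID": 1, "UtcTime": "2021-11-23 10:14:30.000",
                "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe", "ProcessId": 5532}),
]


def wallpaper_alerts(event_lines, allowlist=LEGIT_WRITERS):
    """One alert per wallpaper write whose writer is outside the allowlist."""
    alerts = []
    for raw in event_lines:
        ev = json.loads(raw)
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        if not WALLPAPER_VALUE.match(ev.get("TargetObject", "")):
            continue
        image = ev.get("Image", "")
        # Allowlist first: explorer.exe itself writes an AppData path (TranscodedWallpaper).
        if image.lower() in allowlist:
            continue
        details = ev.get("Details", "")
        suspicious_path = bool(USER_WRITABLE.match(image) or USER_WRITABLE.match(details))
        alerts.append({
            "time": ev.get("UtcTime"), "user": ev.get("User"),
            "process_id": ev.get("ProcessId"), "image": image, "new_wallpaper": details,
            "severity": "high" if suspicious_path else "medium",
            "attack": ["T1112", "T1491"],
        })
    return alerts
```

The allowlist is checked before the path heuristic on purpose: Windows stores the active wallpaper as TranscodedWallpaper under AppData\Roaming\Microsoft\Windows\Themes and explorer.exe writes that path into the value, so a bare "new wallpaper under AppData" rule would fire on every legitimate change. Extend LEGIT_WRITERS with any wallpaper-management or group-policy tooling in use before deploying.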

Tasks

  Task          Score   Tags
  static1       10/10   upx, blackmatter, and the eleven botnet IDs of the extracted configs:
                        5791ae39aeab40b5e8e33d8dce465877, 512478c08dada2af19e49808fbda5b0b,
                        bab21ee475b52c0c9eb47d23ec9ba1d1, e4aaffc36f5d5b7d597455eb6d497df5,
                        b0e039b42ef6c19c2189651c9f6c390e, d58b3b69acc48f82eaa82076f97763d4,
                        32bd08ad5e5e881aa2634621d611a1a5, 90a881ffa127b004cec6802588fce307,
                        d73c69209fbe768d5fa7ffbcad509c66, 879194e26a0ed7cf50f13c681e711c82,
                        10d51524bc007aa845e77556cdcab174
  behavioral1   10/10   blackmatter, ransomware, suricata
  behavioral2   10/10   blackmatter, ransomware, suricata
  behavioral3   10/10   blackmatter, ransomware, suricata
  behavioral4   10/10   blackmatter, ransomware, suricata
  behavioral5   10/10   blackmatter, ransomware, suricata
  behavioral6   10/10   blackmatter, ransomware, suricata
  behavioral7   10/10   blackmatter, ransomware, suricata
  behavioral8   10/10   blackmatter, ransomware, suricata
  behavioral9   10/10   blackmatter, ransomware, suricata
  behavioral10  10/10   blackmatter, ransomware, suricata
  behavioral11  10/10   blackmatter, ransomware, suricata
  behavioral12  10/10   blackmatter, ransomware, suricata
  behavioral13  10/10   blackmatter, ransomware, suricata
  behavioral14  10/10   blackmatter, ransomware, suricata
  behavioral15  10/10   blackmatter, ransomware, suricata
  behavioral16  10/10   blackmatter, ransomware, suricata
  behavioral17   5/10   (no tags)
  behavioral18  10/10   blackmatter, ransomware, suricata
  behavioral19  10/10   blackmatter, ransomware, suricata
  behavioral20  10/10   blackmatter, ransomware, suricata
  behavioral21  10/10   blackmatter, ransomware, suricata
  behavioral22  10/10   blackmatter, ransomware, suricata
  behavioral23  10/10   blackmatter, ransomware, suricata
  behavioral24  10/10   blackmatter, ransomware, suricata
  behavioral25  10/10   blackmatter, ransomware, suricata
  behavioral26  10/10   blackmatter, ransomware, suricata
  behavioral27  10/10   blackmatter, ransomware, suricata
  behavioral28  10/10   blackmatter, ransomware, suricata
  behavioral29  10/10   blackmatter, ransomware, suricata
  behavioral30  10/10   blackmatter, ransomware, suricata
  behavioral31  10/10   blackmatter, ransomware, suricata
  behavioral32  10/10   blackmatter, ransomware, suricata