General

  • Target

    blackmatter4.zip

  • Size

    703KB

  • MD5

    e5416e33cbe4b3b63ff0f741bf468622

  • SHA1

    e82597ae9f87b1568d7cbd966a0185a24f1a108c

  • SHA256

    8561226f674aeb4abc1b9910ddc4855ac8ac2fcd4f5face1f84e34878ac98afc

  • SHA512

    95acf78b3a4092e06f08d12a05a7fbe209ddda7beff0be6fb071b11f272ab84c18ed9e22adb5b046636f1d895dad17c29650868093aa11c6f7733cfbdee4141b

Malware Config

Extracted

Family

blackmatter

Version

2.0

Botnet

5791ae39aeab40b5e8e33d8dce465877

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.2

Botnet

512478c08dada2af19e49808fbda5b0b

Credentials
C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.2

Botnet

bab21ee475b52c0c9eb47d23ec9ba1d1

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

e4aaffc36f5d5b7d597455eb6d497df5

Credentials
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

b0e039b42ef6c19c2189651c9f6c390e

Credentials
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d58b3b69acc48f82eaa82076f97763d4

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.6

Botnet

32bd08ad5e5e881aa2634621d611a1a5

Credentials
C2

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    true

  • create_mutex

    false

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

90a881ffa127b004cec6802588fce307

Credentials
  • Username:
    jmiklo@@adroot.newcoop.com
  • Password:
    sanfran85
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

d73c69209fbe768d5fa7ffbcad509c66

C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

879194e26a0ed7cf50f13c681e711c82

Credentials
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

2.0

Botnet

10d51524bc007aa845e77556cdcab174

Credentials
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

blackmatter

Version

1.2

Signatures

  • Blackmatter family
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

Files

  • blackmatter4.zip
    .zip