General
-
Target
706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d
-
Size
79KB
-
Sample
211123-wwg3xaahfr
-
MD5
62a1b4d4b461f4eaae91c70727f71604
-
SHA1
1ced9a7e62aa65faa03eb1ad2bc786e9d9b5f6c2
-
SHA256
706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d
-
SHA512
d14f989f5f54663c3ea63526a000e8db5d172046e37f412ed47cd31eb14db071b515b854bbb3ab3d2f41f936b6962583aaa0b3ef1236aa2506148813f66ad542
Static task
static1
Behavioral task
behavioral1
Sample
706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Resource
win10-en-20211014
Malware Config
Extracted
blackmatter
2.0
90a881ffa127b004cec6802588fce307
- Username:
[email protected] - Password:
Q7Q"
- Username:
[email protected] - Password:
!$(AYw94+PJ,rX
- Username:
jmiklo@@adroot.newcoop.com - Password:
sanfran85
- Username:
[email protected] - Password:
sanfran85
- Username:
[email protected] - Password:
sanfran85
https://mojobiden.com
http://mojobiden.com
https://nowautomation.com
http://nowautomation.com
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
C:\6amPnJyPq.README.txt
blackmatter
http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX
Targets
-
-
Target
706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d
-
Size
79KB
-
MD5
62a1b4d4b461f4eaae91c70727f71604
-
SHA1
1ced9a7e62aa65faa03eb1ad2bc786e9d9b5f6c2
-
SHA256
706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d
-
SHA512
d14f989f5f54663c3ea63526a000e8db5d172046e37f412ed47cd31eb14db071b515b854bbb3ab3d2f41f936b6962583aaa0b3ef1236aa2506148813f66ad542
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-