General

  • Size

    1MB

  • Sample

    211201-sx6k4sddbp

  • MD5

    da3ab4d40944c077f92e52d2c1de8fca

  • SHA1

    6676ef8826b9e5419958761f3a71464105290288

  • SHA256

    cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7

  • SHA512

    1dcc1259105c730fff76e518d7d57bce8cacacfebc05cf7b3294ccdbf8286635bfe43532f7a19507d3fd42973429f2c9335d031cbd473b356cba1bab79ce318a

Malware Config

Extracted

Family

blackmatter

Version

1.4

Botnet

caa0d21adc7bdc4dc424497512a8f37d

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Path

C:\eeWDzMyD5.README.txt

Family

blackmatter

Ransom Note ~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 100 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: %BLOG_URL% >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/8ZHJ2G2FJDX9JSHTA6S >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/8ZHJ2G2FJDX9JSHTA6S

Targets

    • Target

      cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7

    • Size

      1MB

    • MD5

      da3ab4d40944c077f92e52d2c1de8fca

    • SHA1

      6676ef8826b9e5419958761f3a71464105290288

    • SHA256

      cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7

    • SHA512

      1dcc1259105c730fff76e518d7d57bce8cacacfebc05cf7b3294ccdbf8286635bfe43532f7a19507d3fd42973429f2c9335d031cbd473b356cba1bab79ce318a

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

      suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

            Initial Access

              Lateral Movement

                Persistence

                  Privilege Escalation