General

Target: BlackMatter-win_PS1-reflective.zip
Size: 585KB
Sample: 211205-ak8wlabghj
MD5: 451e17fd4720b996b6b7515b90f12c79
SHA1: 88dd181ba9133b094fdbcaadb1154ff4ce5df8f0
SHA256: d9a0283f6e1e1bf2690fbe4c60b8bafbe971ca96f5bb754917427b1f709759ce
SHA512: 0f61d97337b8a5d13f5dac270cf755f9fa7a75ac926712457dbb3ff915f5b53c921c1e2b5a82aaa782deb7d125ede8fd48b5c7912ffe2e5b20e596983b428383

Static task: static1

Behavioral task: behavioral1
Sample: OTSLG.ps1
Resource: win7-en-20211104

Behavioral task: behavioral2
Sample: OTSLG.ps1
Resource: win10-en-20211014

Behavioral task: behavioral3
Sample: dump_stage1.ps1
Resource: win7-en-20211104

Behavioral task: behavioral4
Sample: dump_stage1.ps1
Resource: win10-en-20211014

Behavioral task: behavioral5
Sample: dump_stage2.ps1
Resource: win7-en-20211104

Behavioral task: behavioral6
Sample: dump_stage2.ps1
Resource: win10-en-20211104

Malware Config

Extracted
Path: C:\WRLMMTHME.README.txt
Family: blackmatter
URL: http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8

Targets

Target: OTSLG.ps1
Size: 915KB
MD5: 001bfe6f72fe64660ba498107c658bdc
SHA1: 0946baf23e867f2564302b60f777db72a1244a30
SHA256: c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da
SHA512: 32836eff8285a5a301be0b4410d34a73d99d4c04b38b0b67b937c1bc5ae6ab2d033a97089b6588c245371dfd8e95c420c8bbd3862a632a828122861e0ec839d3
Score: 10/10

Signatures:
- BlackMatter Ransomware: BlackMatter ransomware group claims to be Darkside and REvil successor.
- Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: dump_stage1.ps1
Size: 740KB
MD5: 5cffb281fe8937f26e4994f8133f7456
SHA1: 5479ddb635bf9c9a5632955c7d2cd2a6047256df
SHA256: 3609272795c8f8ba1275959d1457b03f6143efaaf8cd037547cd561e68763237
SHA512: 12418b348819ae9b9aa1115c19723cd77964273c3b0d07225971756a3ccd1061f0db891911390847d244db3acbf1b268739275a0e3fe2a41407781443a26600e
Score: 5/10

Signatures:
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: dump_stage2.ps1
Size: 328KB
MD5: 94982d1b3f651eefb0dfe0cae15c99de
SHA1: 7d32816f90fd7a459b00fdaa329488e019cf8cdb
SHA256: 20ba4529c17660f96be2882dbbf520c0388917dd49de1ded22b063af32e35ffe
SHA512: 103f2e9b96394592897417352a75e05aa411ed39b88a7e24c768c9acc20e60f5572b427ee40152e55fc9c205d8a2626901524d2b2768fd439fdae8765b25ad3e
Score: 3/10