blackmatter | d9a0283f6e1e1bf2690fbe4c60b8bafbe971ca96f5bb754917427b1f709759ce

General

Target

BlackMatter-win_PS1-reflective.zip
Size

585KB
Sample

211205-ak8wlabghj
MD5

451e17fd4720b996b6b7515b90f12c79
SHA1

88dd181ba9133b094fdbcaadb1154ff4ce5df8f0
SHA256

d9a0283f6e1e1bf2690fbe4c60b8bafbe971ca96f5bb754917427b1f709759ce
SHA512

0f61d97337b8a5d13f5dac270cf755f9fa7a75ac926712457dbb3ff915f5b53c921c1e2b5a82aaa782deb7d125ede8fd48b5c7912ffe2e5b20e596983b428383

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

C:\WRLMMTHME.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8 >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8

Targets

- Target
  
  OTSLG.ps1
- Size
  
  915KB
- MD5
  
  001bfe6f72fe64660ba498107c658bdc
- SHA1
  
  0946baf23e867f2564302b60f777db72a1244a30
- SHA256
  
  c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da
- SHA512
  
  32836eff8285a5a301be0b4410d34a73d99d4c04b38b0b67b937c1bc5ae6ab2d033a97089b6588c245371dfd8e95c420c8bbd3862a632a828122861e0ec839d3
Score

10^/10

blackmatter ransomware
- BlackMatter Ransomware
  BlackMatter ransomware group claims to be Darkside and REvil succesor.
  ransomware blackmatter
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  dump_stage1.ps1
- Size
  
  740KB
- MD5
  
  5cffb281fe8937f26e4994f8133f7456
- SHA1
  
  5479ddb635bf9c9a5632955c7d2cd2a6047256df
- SHA256
  
  3609272795c8f8ba1275959d1457b03f6143efaaf8cd037547cd561e68763237
- SHA512
  
  12418b348819ae9b9aa1115c19723cd77964273c3b0d07225971756a3ccd1061f0db891911390847d244db3acbf1b268739275a0e3fe2a41407781443a26600e
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  dump_stage2.ps1
- Size
  
  328KB
- MD5
  
  94982d1b3f651eefb0dfe0cae15c99de
- SHA1
  
  7d32816f90fd7a459b00fdaa329488e019cf8cdb
- SHA256
  
  20ba4529c17660f96be2882dbbf520c0388917dd49de1ded22b063af32e35ffe
- SHA512
  
  103f2e9b96394592897417352a75e05aa411ed39b88a7e24c768c9acc20e60f5572b427ee40152e55fc9c205d8a2626901524d2b2768fd439fdae8765b25ad3e
Score

3^/10
behavioral5 behavioral6