84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f

General
Target

84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f

Size

67KB

Sample

220124-aw5y3sggcq

Score
10 /10
MD5

1019e0151d6c55eeecf06443fa6197c7

SHA1

369445caaca7ba44bc684f9d9fd7651467ed5167

SHA256

84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f

SHA512

7328cac56bce5a181bdaca079cd16c04dedb0f0201a40b0fcb6b0d7483440f99dc480b5d08bb295bc4c257bb16d88160e709ce8b76e2d2514080d05a82c7f6c8

Malware Config

Extracted

Family blackmatter
Version 1.2
Botnet 512478c08dada2af19e49808fbda5b0b
Credentials

Protocol:

Host:

Port:

Username: aheisler@hhcp.com

Password: 120Heisler

Protocol:

Host:

Port:

Username: dsmith@hhcp.com

Password: Tesla2019

Protocol:

Host:

Port:

Username: administrator@hhcp.com

Password: iteam8**

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true
rsa_pubkey.base64
aes.base64

Extracted

Path C:\y2VGe3tGZ.README.txt
Family blackmatter
Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> Data leak includes 1. Full emloyeers personal data 2. Network information 3. Schemes of buildings, active project information, architect details and contracts, 4. Finance info >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV

Targets
Target

84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f

MD5

1019e0151d6c55eeecf06443fa6197c7

Filesize

67KB

Score
10/10
SHA1

369445caaca7ba44bc684f9d9fd7651467ed5167

SHA256

84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f

SHA512

7328cac56bce5a181bdaca079cd16c04dedb0f0201a40b0fcb6b0d7483440f99dc480b5d08bb295bc4c257bb16d88160e709ce8b76e2d2514080d05a82c7f6c8

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Activity

    Description

    suricata: ET MALWARE BlackMatter CnC Activity

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Sets desktop wallpaper using registry

    Tags

    TTPs

    DefacementModify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
          Execution
            Exfiltration
              Impact
              Initial Access
                Lateral Movement
                  Persistence
                    Privilege Escalation