General
-
Target
84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f
-
Size
67KB
-
Sample
220124-aw5y3sggcq
-
MD5
1019e0151d6c55eeecf06443fa6197c7
-
SHA1
369445caaca7ba44bc684f9d9fd7651467ed5167
-
SHA256
84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f
-
SHA512
7328cac56bce5a181bdaca079cd16c04dedb0f0201a40b0fcb6b0d7483440f99dc480b5d08bb295bc4c257bb16d88160e709ce8b76e2d2514080d05a82c7f6c8
Static task
static1
Behavioral task
behavioral1
Sample
84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f.exe
Resource
win10-en-20211208
Malware Config
Extracted
blackmatter
1.2
512478c08dada2af19e49808fbda5b0b
- Username: [email protected]
  Password: 120Heisler
- Username: [email protected]
  Password: Tesla2019
- Username: [email protected]
  Password: iteam8**
https://paymenthacks.com
http://paymenthacks.com
https://mojobiden.com
http://mojobiden.com
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
C:\y2VGe3tGZ.README.txt
blackmatter
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV
Targets
-
Target
84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f
-
Score
10/10
-
BlackMatter Ransomware
The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-