blackmatter | 45ecce9dfec886e2b092a996f6affb9e7417d6121e58b0ec643be7e36a03106d

General

Target

45ecce9dfec886e2b092a996f6affb9e7417d6121e58b0ec643be7e36a03106d
Size

66KB
Sample

220124-ax2ytaggh3
MD5

f04d97ffa32eec5aac8f84d86a1f51a0
SHA1

bd75fd070c4962aa59653f934e4af68b609a021d
SHA256

45ecce9dfec886e2b092a996f6affb9e7417d6121e58b0ec643be7e36a03106d
SHA512

77bdb50d7b300e6acd2ef273751673e7dc6c52610ce2c007f7d98805535c10dc96975b74a7ee8ed41f3097a485e57803053c52f0b1f27e524f7f04b0aee7d284

Score

10^/10

Malware Config

Extracted

Family

blackmatter

Version

1.2

Botnet

bab21ee475b52c0c9eb47d23ec9ba1d1

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes

attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true

rsa_pubkey.base64

aes.base64

Extracted

Path

C:\TEVwl5dwR.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R

Targets

- Target
  
  45ecce9dfec886e2b092a996f6affb9e7417d6121e58b0ec643be7e36a03106d
- Size
  
  66KB
- MD5
  
  f04d97ffa32eec5aac8f84d86a1f51a0
- SHA1
  
  bd75fd070c4962aa59653f934e4af68b609a021d
- SHA256
  
  45ecce9dfec886e2b092a996f6affb9e7417d6121e58b0ec643be7e36a03106d
- SHA512
  
  77bdb50d7b300e6acd2ef273751673e7dc6c52610ce2c007f7d98805535c10dc96975b74a7ee8ed41f3097a485e57803053c52f0b1f27e524f7f04b0aee7d284
Score

10^/10

blackmatter ransomware
- BlackMatter Ransomware
  BlackMatter ransomware group claims to be Darkside and REvil succesor.
  ransomware blackmatter
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

BlackMatter Ransomware

Modifies extensions of user files

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2