General
- Target: 5942061881262080.zip
- Size: 38KB
- Sample: 220211-s7f37schb9
- MD5: 021b0cce009d779a52e3cd5af87b0834
- SHA1: d235ab9413d85d278e433607991967ba38cb180a
- SHA256: 8054703867c085df33ce855a96741cc540f67bed604a1eb04bb025ac45c0f9e4
- SHA512: 38d2253d624f9d508525601e78cac61864fcc9abde391203e875a54f2bb96a6b770f8809115686357230a662af163d10dcd403c74560cada03b2655d3b771f84
Static task: static1
Behavioral task: behavioral1
- Sample: entry_1_0/Malware_111113.exe
- Resource: win10-en-20211208
Malware Config
Extracted
- Family: blackmatter
- Version: 1.2
- Config ID: 512478c08dada2af19e49808fbda5b0b
- Credentials:
  - Username: [email protected] - Password: 120Heisler
  - Username: [email protected] - Password: Tesla2019
  - Username: [email protected] - Password: iteam8**
- C2 URLs:
  - https://paymenthacks.com
  - http://paymenthacks.com
  - https://mojobiden.com
  - http://mojobiden.com
- attempt_auth: true
- create_mutex: true
- encrypt_network_shares: true
- exfiltrate: true
- mount_volumes: true
Extracted
- Path: C:\uR7ZOTnZH.README.txt
- Family: blackmatter
- URL: http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV
Targets
- Target: entry_1_0/Malware_111113.exe
- Size: 67KB
- MD5: 31bb101acf2dac98da60970b19724556
- SHA1: 2059a0e17ae68b6342f7fd60f9e27286cc4e5410
- SHA256: bd0a7378cd96701edafc0a8ddd7b2a9904552be29804750bff47b3e08e23319f
- SHA512: 7266fa80ff54ad0a7a290f8e5a85b616dc0e4ad68049536907487cb4083ab2464761ea858bc99168816606e9d5407bb74dc2e73eb027228c3da3d23b2a86b012
- Score: 10/10

Signatures
- BlackMatter Ransomware
  The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger