5942061881262080.zip

General
Target: 5942061881262080.zip
Size: 38KB
Sample: 220211-s7f37schb9
Score: 10/10
MD5: 021b0cce009d779a52e3cd5af87b0834
SHA1: d235ab9413d85d278e433607991967ba38cb180a
SHA256: 8054703867c085df33ce855a96741cc540f67bed604a1eb04bb025ac45c0f9e4
SHA512: 38d2253d624f9d508525601e78cac61864fcc9abde391203e875a54f2bb96a6b770f8809115686357230a662af163d10dcd403c74560cada03b2655d3b771f84

Malware Config

Extracted

Family blackmatter
Version 1.2
Botnet 512478c08dada2af19e49808fbda5b0b
Credentials

Protocol:
Host:
Port:
Username: aheisler@hhcp.com
Password: 120Heisler

Protocol:
Host:
Port:
Username: dsmith@hhcp.com
Password: Tesla2019

Protocol:
Host:
Port:
Username: administrator@hhcp.com
Password: iteam8**

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
attempt_auth: true
create_mutex: true
encrypt_network_shares: true
exfiltrate: true
mount_volumes: true
rsa_pubkey.base64
aes.base64

Extracted

Path C:\uR7ZOTnZH.README.txt
Family blackmatter
Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' .

>>> What happens?
Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.

>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises.

>> Data leak includes
1. Full emloyeers personal data
2. Network information
3. Schemes of buildings, active project information, architect details and contracts,
4. Finance info

>>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.

>>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV

Targets
Target: entry_1_0/Malware_111113.exe
Filesize: 67KB
Score: 10/10
MD5: 31bb101acf2dac98da60970b19724556
SHA1: 2059a0e17ae68b6342f7fd60f9e27286cc4e5410
SHA256: bd0a7378cd96701edafc0a8ddd7b2a9904552be29804750bff47b3e08e23319f
SHA512: 7266fa80ff54ad0a7a290f8e5a85b616dc0e4ad68049536907487cb4083ab2464761ea858bc99168816606e9d5407bb74dc2e73eb027228c3da3d23b2a86b012

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be the successor of Darkside and REvil.

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

  • Sets desktop wallpaper using registry

    TTPs

    Defacement, Modify Registry

  • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

Tactic columns (no techniques mapped in this report): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation