General

  • Target

    1125542c8a973c1f614465f0a7c7c8ebeb2dc151c5d4876bfff7cdca7fd2b15e.exe

  • Size

    34KB

  • Sample

    221228-sf6vjsdg3z

  • MD5

    51b4be24023ebefe831c4ce0b19b31c9

  • SHA1

    b219ad9d3cf559b07ef7fd1ffa6e1dd0fc3f9deb

  • SHA256

    1125542c8a973c1f614465f0a7c7c8ebeb2dc151c5d4876bfff7cdca7fd2b15e

  • SHA512

    2e6accb1d4316857aef2f6346a668e472286065bc6325aeb8d6ce6ce591d85456ac336e74d6e38fe7e6089767d4d78a9effeea5735f8d643cb0db0614183291a

  • SSDEEP

    768:0TgeEbf2rriFVI1kggGVtSMC2F7QGIFFBMterI6ywBuO1Yp:LE+VYVYMC2F7AoterI6yR2O

Malware Config

Extracted

Family

blackmatter

Version

1.2

Botnet

bab21ee475b52c0c9eb47d23ec9ba1d1

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Path

C:\bTx10NB1P.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R

Extracted

Family

blackmatter

Version

1.2

Targets

    • Target

      1125542c8a973c1f614465f0a7c7c8ebeb2dc151c5d4876bfff7cdca7fd2b15e.exe

    • Size

      34KB

    • MD5

      51b4be24023ebefe831c4ce0b19b31c9

    • SHA1

      b219ad9d3cf559b07ef7fd1ffa6e1dd0fc3f9deb

    • SHA256

      1125542c8a973c1f614465f0a7c7c8ebeb2dc151c5d4876bfff7cdca7fd2b15e

    • SHA512

      2e6accb1d4316857aef2f6346a668e472286065bc6325aeb8d6ce6ce591d85456ac336e74d6e38fe7e6089767d4d78a9effeea5735f8d643cb0db0614183291a

    • SSDEEP

      768:0TgeEbf2rriFVI1kggGVtSMC2F7QGIFFBMterI6ywBuO1Yp:LE+VYVYMC2F7AoterI6yR2O

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks