General
-
Target
1125542c8a973c1f614465f0a7c7c8ebeb2dc151c5d4876bfff7cdca7fd2b15e.exe
-
Size
34KB
-
Sample
221228-sf6vjsdg3z
-
MD5
51b4be24023ebefe831c4ce0b19b31c9
-
SHA1
b219ad9d3cf559b07ef7fd1ffa6e1dd0fc3f9deb
-
SHA256
1125542c8a973c1f614465f0a7c7c8ebeb2dc151c5d4876bfff7cdca7fd2b15e
-
SHA512
2e6accb1d4316857aef2f6346a668e472286065bc6325aeb8d6ce6ce591d85456ac336e74d6e38fe7e6089767d4d78a9effeea5735f8d643cb0db0614183291a
-
SSDEEP
768:0TgeEbf2rriFVI1kggGVtSMC2F7QGIFFBMterI6ywBuO1Yp:LE+VYVYMC2F7AoterI6yR2O
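Before acting on anything in this report, confirm that the file you are holding really is this sample: recompute the MD5, SHA-1, SHA-256 and SHA-512 digests and compare them with the values in the General block. The script below is an added example and not part of the sandbox report; the hash values are copied from the report above, and the helper names (`digests`, `mismatches`, `verify_file`) are my own. SSDEEP is not in the standard library and is left out; the `ssdeep` Python bindings compute it if you need the fuzzy hash as well.

```python
import hashlib
from typing import Dict, Iterable, List

# Digests copied from the General block of the report above.
REPORTED = {
    "md5": "51b4be24023ebefe831c4ce0b19b31c9",
    "sha1": "b219ad9d3cf559b07ef7fd1ffa6e1dd0fc3f9deb",
    "sha256": "1125542c8a973c1f614465f0a7c7c8ebeb2dc151c5d4876bfff7cdca7fd2b15e",
    "sha512": "2e6accb1d4316857aef2f6346a668e472286065bc6325aeb8d6ce6ce591d85456ac336e74d6e38fe7e6089767d4d78a9effeea5735f8d643cb0db0614183291a",
}


def digests(chunks: Iterable[bytes], names: Iterable[str]) -> Dict[str, str]:
    """Compute several digests in a single pass over the data (one read, even for large files)."""
    hashers = {name: hashlib.new(name) for name in names}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(got: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Names of digests in `expected` that do not match; [] means every listed digest agrees."""
    return sorted(name for name, value in expected.items() if got[name] != value.lower())


def mismatches(data: bytes, expected: Dict[str, str]) -> List[str]:
    """In-memory check: which of the expected digests does `data` fail?"""
    return compare(digests([data], expected.keys()), expected)


def verify_file(path: str, expected: Dict[str, str] = REPORTED, chunk_size: int = 1 << 20) -> List[str]:
    """Stream a file from disk and return the list of mismatching digest names."""
    def chunks():
        with open(path, "rb") as fh:
            while True:
                block = fh.read(chunk_size)
                if not block:
                    return
                yield block
    return compare(digests(chunks(), expected.keys()), expected)


if __name__ == "__main__":
    import sys
    bad = verify_file(sys.argv[1])
    print("MATCH: this is the reported sample" if not bad else "MISMATCH on: " + ", ".join(bad))
```

Run it as `python verify.py <file>`; any non-empty list means the bytes differ from the reported sample (a repacked or corrupted copy), and the report's behaviour should not be assumed to apply.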
Behavioral task
behavioral1
Sample
1125542c8a973c1f614465f0a7c7c8ebeb2dc151c5d4876bfff7cdca7fd2b15e.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
1125542c8a973c1f614465f0a7c7c8ebeb2dc151c5d4876bfff7cdca7fd2b15e.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
blackmatter
1.2
bab21ee475b52c0c9eb47d23ec9ba1d1
https://paymenthacks.com
http://paymenthacks.com
https://mojobiden.com
http://mojobiden.com
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
C:\bTx10NB1P.README.txt
blackmatter
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R
Extracted
blackmatter
1.2
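The extracted artefacts above give an incident responder three things to pivot on: the ransom note name (`C:\bTx10NB1P.README.txt`), the .onion URL inside it, and the two clearnet C2 domains from the configuration. The script below is an added example, not code from the report or from the sandbox vendor, that walks a volume for `<token>.README.txt` notes, pulls onion URLs out of them, and counts files carrying the same token as an extension. The note body in the fixture is invented (only the file name and the onion URL come from the report), and treating the nine-character note token as the extension appended to encrypted files is an assumption consistent with the "Modifies extensions of user files" signature, not something the report states.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Ransom note name from the report: C:\bTx10NB1P.README.txt -> "<token>.README.txt".
NOTE_NAME = re.compile(r"^(?P<token>[A-Za-z0-9]{9})\.README\.txt$")
# Onion address (v2 or v3 base32 label) with the optional victim path seen in the extracted note.
ONION_URL = re.compile(r"https?://[a-z2-7]{16,56}\.onion(?:/[A-Za-z0-9]+)?", re.IGNORECASE)
# Clearnet C2 hosts from the extracted config; pivot on these in DNS and proxy logs.
CONFIG_HOSTS = ("paymenthacks.com", "mojobiden.com")


def find_notes(root: Path) -> Dict[str, List[Path]]:
    """Map each ransom-note token to the note files that carry it."""
    notes: Dict[str, List[Path]] = {}
    for path in root.rglob("*.README.txt"):
        m = NOTE_NAME.match(path.name)
        if m:
            notes.setdefault(m.group("token"), []).append(path)
    return notes


def triage(root: Path) -> Dict[str, object]:
    """Collect note tokens, onion URLs and (assumed) encrypted-file paths beneath `root`."""
    notes = find_notes(root)
    onion = set()
    for paths in notes.values():
        for p in paths:
            onion.update(ONION_URL.findall(p.read_text(errors="replace")))
    # Assumption: the note token is also the extension appended to encrypted files.
    encrypted = {
        token: sorted(str(p.relative_to(root)) for p in root.rglob(f"*.{token}") if p.is_file())
        for token in notes
    }
    return {"tokens": sorted(notes), "onion_urls": sorted(onion), "encrypted": encrypted}


def build_fixture() -> Path:
    """Constructed directory standing in for an infected volume (not real artefacts)."""
    root = Path(tempfile.mkdtemp(prefix="bm-triage-"))
    # Note body is invented; only the file name and the .onion URL come from the report.
    (root / "bTx10NB1P.README.txt").write_text(
        "Your files are encrypted.\n"
        "Contact: http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R\n"
    )
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.bTx10NB1P").write_bytes(b"\x00" * 64)
    (docs / "photo.jpg.bTx10NB1P").write_bytes(b"\x00" * 64)
    (docs / "untouched.txt").write_text("not encrypted\n")
    return root


if __name__ == "__main__":
    import json
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_fixture()
    print(json.dumps(triage(target), indent=2))
```

Because the configuration sets `encrypt_network_shares` and `mount_volumes` to true, run the walk over every mounted volume and mapped share of the affected host, not just the system drive where the note was found.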
Targets
-
-
Target
1125542c8a973c1f614465f0a7c7c8ebeb2dc151c5d4876bfff7cdca7fd2b15e.exe
Score 10/10
BlackMatter Ransomware
The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
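Of the signatures above, "Sets desktop wallpaper using registry" is the easiest to turn into an endpoint detection: the background Windows displays is read from the `Wallpaper` value under `Control Panel\Desktop` in the user hive, so a write to that value by anything other than the shell or the Settings app is worth an alert. The following is an added example, not part of the report, that applies that rule to Sysmon-style registry "value set" events (EventID 13). The log records are constructed in a flattened `key="value"` form rather than real Sysmon output, and the allowlist of benign writers is an assumption to tune per environment.

```python
import re
from typing import Dict, List

# Value Windows reads for the desktop background; "sets desktop wallpaper using registry"
# means a write to ...\Control Panel\Desktop\Wallpaper under HKCU (HKU\<SID> in Sysmon).
WALLPAPER_VALUE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)

# Assumed allowlist of processes that legitimately rewrite the value; tune per environment.
BENIGN_WRITERS = {"explorer.exe", "systemsettings.exe"}

# Constructed Sysmon-style records (key="value" pairs on one line), not real telemetry.
SAMPLE_LOG = [
    r'EventID="1" Image="C:\Users\alice\Downloads\1125542c8a973c1f614465f0a7c7c8ebeb2dc151c5d4876bfff7cdca7fd2b15e.exe" ParentImage="C:\Windows\explorer.exe"',
    r'EventID="13" Image="C:\Windows\explorer.exe" TargetObject="HKU\S-1-5-21-1000\Control Panel\Desktop\Wallpaper" Details="C:\Users\alice\Pictures\beach.jpg"',
    r'EventID="13" Image="C:\Users\alice\Downloads\1125542c8a973c1f614465f0a7c7c8ebeb2dc151c5d4876bfff7cdca7fd2b15e.exe" TargetObject="HKU\S-1-5-21-1000\Control Panel\Desktop\WallpaperStyle" Details="DWORD (0x0000000a)"',
    r'EventID="13" Image="C:\Users\alice\Downloads\1125542c8a973c1f614465f0a7c7c8ebeb2dc151c5d4876bfff7cdca7fd2b15e.exe" TargetObject="HKU\S-1-5-21-1000\Control Panel\Desktop\Wallpaper" Details="C:\ProgramData\wallpaper.bmp"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened key="value" record into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def wallpaper_writes(lines: List[str]) -> List[Dict[str, str]]:
    """Return registry value-set events that change the wallpaper from a non-allowlisted image."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":            # Sysmon RegistryEvent (Value Set)
            continue
        if not WALLPAPER_VALUE.search(ev.get("TargetObject", "")):
            continue                             # skips WallpaperStyle and other siblings
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image in BENIGN_WRITERS:
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in wallpaper_writes(SAMPLE_LOG):
        print(f"wallpaper set by {hit['Image']} -> {hit['Details']}")
```

The anchored `Wallpaper$` pattern is deliberate: `WallpaperStyle` and `TileWallpaper` are rewritten by the same processes and would otherwise double the alert volume without adding signal. The anti-debugging signature (`NtSetInformationThreadHideFromDebugger`) is not visible in registry telemetry and needs a debugger, an API-monitoring sandbox or an ETW thread-information hook to observe.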