General
-
Target
amostra.bin.exe
-
Size
80KB
-
Sample
230309-fb83wsaf55
-
MD5
e3269531cf93d040b08074bfb31b72a0
-
SHA1
45b6d89dcea02cc90ae054d72ec80a2eb1036a7e
-
SHA256
3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859
-
SHA512
e4de5613557ff15f23e2c28763fee6443c81351401974389e1c01cb979efc81c0ff397b85ba3fc6f0204f7c5e0c7617617130d38b441748446e72a0fbb7a12b0
-
SSDEEP
1536:NE+VYVYMC2F7Aoter2j1lYgpM2HT02F4mHI5PsOqy:2+G3eaj0g+2HT025Hs
Behavioral task
behavioral1
Sample
amostra.bin.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
amostra.bin.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
blackmatter
1.2
512478c08dada2af19e49808fbda5b0b
- Username:
[email protected] - Password:
120Heisler
- Username:
[email protected] - Password:
Tesla2019
- Username:
[email protected] - Password:
iteam8**
https://paymenthacks.com
http://paymenthacks.com
https://mojobiden.com
http://mojobiden.com
-
attempt_auth
true
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
blackmatter
1.2
Extracted
C:\VLce3d0et.README.txt
blackmatter
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV
Targets
-
-
Target
amostra.bin.exe
-
Size
80KB
-
MD5
e3269531cf93d040b08074bfb31b72a0
-
SHA1
45b6d89dcea02cc90ae054d72ec80a2eb1036a7e
-
SHA256
3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859
-
SHA512
e4de5613557ff15f23e2c28763fee6443c81351401974389e1c01cb979efc81c0ff397b85ba3fc6f0204f7c5e0c7617617130d38b441748446e72a0fbb7a12b0
-
SSDEEP
1536:NE+VYVYMC2F7Aoter2j1lYgpM2HT02F4mHI5PsOqy:2+G3eaj0g+2HT025Hs
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-