blackmatter | 3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859

General

Target

amostra.bin
Size

80KB
Sample

230309-fckfxsaf58
MD5

e3269531cf93d040b08074bfb31b72a0
SHA1

45b6d89dcea02cc90ae054d72ec80a2eb1036a7e
SHA256

3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859
SHA512

e4de5613557ff15f23e2c28763fee6443c81351401974389e1c01cb979efc81c0ff397b85ba3fc6f0204f7c5e0c7617617130d38b441748446e72a0fbb7a12b0
SSDEEP

1536:NE+VYVYMC2F7Aoter2j1lYgpM2HT02F4mHI5PsOqy:2+G3eaj0g+2HT025Hs

Score

10^/10

Malware Config

Extracted

Family

blackmatter

Version

1.2

Botnet

512478c08dada2af19e49808fbda5b0b

Credentials

Username:
[email protected]
Password:
120Heisler

Username:
[email protected]
Password:
Tesla2019

Username:
[email protected]
Password:
iteam8**

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes

attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true

rsa_pubkey.base64

aes.base64

Extracted

Family

blackmatter

Version

1.2

Extracted

Path

C:\M9BTOztT0.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> Data leak includes 1. Full emloyeers personal data 2. Network information 3. Schemes of buildings, active project information, architect details and contracts, 4. Finance info >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV

Targets

- Target
  
  amostra.bin
- Size
  
  80KB
- MD5
  
  e3269531cf93d040b08074bfb31b72a0
- SHA1
  
  45b6d89dcea02cc90ae054d72ec80a2eb1036a7e
- SHA256
  
  3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859
- SHA512
  
  e4de5613557ff15f23e2c28763fee6443c81351401974389e1c01cb979efc81c0ff397b85ba3fc6f0204f7c5e0c7617617130d38b441748446e72a0fbb7a12b0
- SSDEEP
  
  1536:NE+VYVYMC2F7Aoter2j1lYgpM2HT02F4mHI5PsOqy:2+G3eaj0g+2HT025Hs
Score

10^/10

blackmatter ransomware upx
- BlackMatter Ransomware
  BlackMatter ransomware group claims to be Darkside and REvil succesor.
  ransomware blackmatter
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

BlackMatter Ransomware

Modifies extensions of user files

UPX packed file

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2