General

  • Target

    930b9c1792a539acdb051af34de91060.bin

  • Size

    54KB

  • Sample

    230312-b5vp5scc64

  • MD5

    6620f12b53aebe795b100ca639cbba37

  • SHA1

    a8fcda4c6214c3c06d60771d8f7530b308e33d78

  • SHA256

    d9eba524d87f742cebb5cb5788f7ab38726184321f1998dcb28488d15fa3b348

  • SHA512

    a5d6a92faca7dafd49192f4362657bacd30a8c596e1bbe19e8f8e06dffeff4afc2302a65e663eaf63e1c4b444e9b235b2d9512d67dbdc9715d448b2f8a481eda

  • SSDEEP

    768:05TfI5m+fJc4YkGw9ivQU3Yred017otDvgpn3I0A3SF3Xh3gwEoGBA:8TgVB64iareW1xW6gFBA

Malware Config

Extracted

Family

blackmatter

Version

3.0

Botnet

0361b6a1f37016ed147e7617a3c08300

Attributes

  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Path

C:\Users\sfgL6ekLx.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' .

>>> What happens?
Your computers and servers are encrypted, private data was downloaded. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.

>>> Data leak
First of all we have downloaded more then 200GB of data. Your personal leak page (TOR LINK): On the page you will find examples of files that have been downloaded. The data is preloaded and will be automatically published in our blog if you do not contact us. After publication, your data can be downloaded by anyone, it stored on our tor CDN and will be available for at least 6 months.

>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises.

>> HOW TO CONTACT US?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/QLA44XK2K4K1RZL9

>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/QLA44XK2K4K1RZL9

Targets

    • Target

      7a223a0aa0f88e84a68da6cde7f7f5c3bb2890049b0bf3269230d87d2b027296.exe

    • Size

      95KB

    • MD5

      930b9c1792a539acdb051af34de91060

    • SHA1

      2cda394db71fc67905e31d9e8f4b88ef85a248dc

    • SHA256

      7a223a0aa0f88e84a68da6cde7f7f5c3bb2890049b0bf3269230d87d2b027296

    • SHA512

      9bd26a83d30f69ab7d9dfbe9c3b81c8fd2381f331ce139140646932cf09b461f177c4eb236cd2194d190c50598ac3de0023cfe38e843b08bbe2f120e790ee3f1

    • SSDEEP

      1536:SUICS4ADkFAztzRyxoWtBErqylVxn1GZnKoEcXb/50Qtef0:sBkwtdyxoUH4BYnKobfw

    Score
    10/10
    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks