Overview

overview

10

Static

static

10

9bae897c19...58.exe

windows7-x64

10

Resubmissions

12-04-2023 18:24

230412-w13v6sfe7t 10

12-04-2023 17:51

230412-wfdesafd4y 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.zip

  • Size

    55KB

  • Sample

    230412-wfdesafd4y

  • MD5

    e816eab637b66ad7f4e85876434a9cc5

  • SHA1

    b649040a311cfff0fe8d021845fc6376ae6b5040

  • SHA256

    0bdce4d960e8b9537fbdcb4a70838be86163f355ba9f4344fd4982536924f27e

  • SHA512

    1dab157df998aa82628c1a92594c7c9bd4f6ec5da7dd20b927844626cf9ad69019625165b00a6db68de0a6096ae0e52b2d75fb113375819063b690f5172ab75b

  • SSDEEP

    1536:rS36U/nQk+TgIDNgCN3og3LzcX0wUDcInxw:SPQ3Tgfg3LAkwQcInxw

Score
10/10
blackmatter4e591a315c54e8800dae714320555fa5ransomware

Malware Config

Extracted

Family

blackmatter

Version

3.0

Botnet

4e591a315c54e8800dae714320555fa5

Credentials
  • Username:
    OFMO220@R5-CORE.R5.AIG.NET
  • Password:
    yhU6VJ$&amp
  • Username:
    OSYST93@R5-CORE.R5.AIG.NET
  • Password:
    RPo@ndf9
  • Username:
    OFMO225@R5-CORE.R5.AIG.NET
  • Password:
    DH5U87@rA0ELa2
C2

https://fluentzip.org

http://fluentzip.org
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Path

C:\Users\seGgKiqg4.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen large amount of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/U6H6RKDF6W3B8XOWL >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/U6H6RKDF6W3B8XOWL

Targets

    • Target

      9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58.exe

    • Size

      95KB

    • MD5

      757139e76fae876ae50dd2c3ac11d5d8

    • SHA1

      1c150493014d29c1f8a51e397e527f7d7c1476c7

    • SHA256

      9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58

    • SHA512

      852febe5dc991fa6dc5ff994b2de18548e98a2f53de903a480ed871d9d25413159b167a3c0ff39175bbf7c339604bb1eccc2f9425415ab16089bc56e3e998974

    • SSDEEP

      1536:5UICS4ADkFAztzRyxoWtBErqylVxn1fkGzyKJtM5w1w0:NBkwtdyxoUH4Blkij1

    Score
    10/10
    blackmatterransomware

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Matrix

Tasks