blackmatter | 6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db

General

Target

10aa058a3ac49e016cad7987b8e09886
Size

71KB
Sample

231230-gtzslscbh7
MD5

10aa058a3ac49e016cad7987b8e09886
SHA1

cca6682330a819592c3b1ea0448ceb4e141593dc
SHA256

6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db
SHA512

f115fb62b1ca5e18f6340d42ff4393e2b175917312ae1cc14e7a6a9322cf8adaf22457bc8213e2baafdc2cb19d5db1e5a9c003155cbf142d5a08604495e22f6e
SSDEEP

768:VjjjjjjjjjDahoICS4AIbxCJhjZeO3r825CiqxLbMnkHYnvizKktsLFYXg/ripMX:NICS4AgxwhjEO3r825exqkHYnKevTiO

Score

10^/10

Malware Config

Extracted

Family

blackmatter

Version

1.6

Botnet

32bd08ad5e5e881aa2634621d611a1a5

Credentials

Username:
[email protected]
Password:
@iep.2013

C2

https://mojobiden.com

http://mojobiden.com

Attributes

attempt_auth
true
create_mutex
false
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true

rsa_pubkey.base64

aes.base64

Extracted

Path

C:\BzOXaWmXM.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 500 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: %BLOG_URL% >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/OYPF561W4U8HVA0NLVCKJCZB >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/OYPF561W4U8HVA0NLVCKJCZB

Targets

- Target
  
  10aa058a3ac49e016cad7987b8e09886
- Size
  
  71KB
- MD5
  
  10aa058a3ac49e016cad7987b8e09886
- SHA1
  
  cca6682330a819592c3b1ea0448ceb4e141593dc
- SHA256
  
  6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db
- SHA512
  
  f115fb62b1ca5e18f6340d42ff4393e2b175917312ae1cc14e7a6a9322cf8adaf22457bc8213e2baafdc2cb19d5db1e5a9c003155cbf142d5a08604495e22f6e
- SSDEEP
  
  768:VjjjjjjjjjDahoICS4AIbxCJhjZeO3r825CiqxLbMnkHYnvizKktsLFYXg/ripMX:NICS4AgxwhjEO3r825exqkHYnKevTiO
Score

10^/10

blackmatter ransomware
- BlackMatter Ransomware
  BlackMatter ransomware group claims to be Darkside and REvil succesor.
  ransomware blackmatter
- Renames multiple (178) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

BlackMatter Ransomware

Renames multiple (178) files with added filename extension

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2