Overview

overview

10

Static

static

1

c22a6401a4...da.ps1

windows7-x64

10

c22a6401a4...da.ps1

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da.zip

  • Size

    364KB

  • Sample

    240217-tgqqdsha64

  • MD5

    7e9fa90b78f12293435bf53d62d523e0

  • SHA1

    dfe4cc77676070f171e0aacbce9a8823f6740c89

  • SHA256

    0d5d488ef072ca1c59920e5641758559deac8361ce3231e51f363aa8785a0b80

  • SHA512

    e1043f336143217d6fc4202afbcd7b438008138f0724211fb1d327914cb4d8aeb604b3596bccc5c4e933c96f7a5aecb0bef8e6f9aba240cde503d93e911f1994

  • SSDEEP

    6144:Fq/78zEbN1urWgFENBfSagYqYFkn7Q/3bVyJggllB:Fw5ursNBfSbYqYewrqg4

Score
10/10
blackmattera89e0e2e31db3e31a1e7a9630375f437ransomware

Malware Config

Extracted

Family

blackmatter

Version

2.0

Botnet

a89e0e2e31db3e31a1e7a9630375f437

C2

https://fluentzip.org

http://fluentzip.org
Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Path

F:\PUOTcnKTQ.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8 >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8

Targets

    • Target

      c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da.ps1

    • Size

      915KB

    • MD5

      001bfe6f72fe64660ba498107c658bdc

    • SHA1

      0946baf23e867f2564302b60f777db72a1244a30

    • SHA256

      c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da

    • SHA512

      32836eff8285a5a301be0b4410d34a73d99d4c04b38b0b67b937c1bc5ae6ab2d033a97089b6588c245371dfd8e95c420c8bbd3862a632a828122861e0ec839d3

    • SSDEEP

      6144:jOi6qCQJ8O7sgPToY2z/VfuK5mUYfqssJkTZICCMg9ss2T4+FlS3NLbjADcx8xf:6i6qNmQ2ztfl5r/kFIHx9n7X3JjADcw

    Score
    10/10
    blackmattera89e0e2e31db3e31a1e7a9630375f437ransomware

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • Renames multiple (125) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks