blackmatter | f631bd53baa45c78b784cca95d86db9322b41f340f0e714be7f01ad27c52ffda

General

Target

2024-02-29_89824ce20db03293c17952b532b74dee_blackmatter_darkside
Size

82KB
Sample

240229-klv18sbf7x
MD5

89824ce20db03293c17952b532b74dee
SHA1

4ecb0617e2f0b79dc570dff69ae8ed9d1253d6c5
SHA256

f631bd53baa45c78b784cca95d86db9322b41f340f0e714be7f01ad27c52ffda
SHA512

1e43667954022a645d615ef260988ed1214b7003652f64dd80e318d2aa06982c0f93da1f3b51ce962fb3e7f6e5c2be6c7af63d836931ae5f90099f2f0f5719bc
SSDEEP

768:4DjahoICS4AIiaVRShxdEe+T0iN2QwdincJ9JGEKvrXSLA6zbjon8:azICS4AT6GxdEe+TOdincJXvKvGLBf

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

C:\iusZFBQZ6.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R

Targets

- Target
  
  2024-02-29_89824ce20db03293c17952b532b74dee_blackmatter_darkside
- Size
  
  82KB
- MD5
  
  89824ce20db03293c17952b532b74dee
- SHA1
  
  4ecb0617e2f0b79dc570dff69ae8ed9d1253d6c5
- SHA256
  
  f631bd53baa45c78b784cca95d86db9322b41f340f0e714be7f01ad27c52ffda
- SHA512
  
  1e43667954022a645d615ef260988ed1214b7003652f64dd80e318d2aa06982c0f93da1f3b51ce962fb3e7f6e5c2be6c7af63d836931ae5f90099f2f0f5719bc
- SSDEEP
  
  768:4DjahoICS4AIiaVRShxdEe+T0iN2QwdincJ9JGEKvrXSLA6zbjon8:azICS4AT6GxdEe+TOdincJXvKvGLBf
Score

10^/10

blackmatter ransomware
- BlackMatter Ransomware
  BlackMatter ransomware group claims to be Darkside and REvil succesor.
  ransomware blackmatter
- Renames multiple (137) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Tasks

Sharing

General

Malware Config

Extracted

Targets

BlackMatter Ransomware

Renames multiple (137) files with added filename extension

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2