blackmatter | 83d0666835eb65319727a2a9e5e6bf7d7b5c0ec25a543c4b8c44d408ad16dcde

General

Target

2024-03-23_18d5dd2db533f028e8e860ae9a15b8e0_blackmatter_darkside
Size

128KB
Sample

240323-hg5nrsed64
MD5

18d5dd2db533f028e8e860ae9a15b8e0
SHA1

a61635917ab01a43d4fc2a94aa6fb7fc136b21e0
SHA256

83d0666835eb65319727a2a9e5e6bf7d7b5c0ec25a543c4b8c44d408ad16dcde
SHA512

f7e1640b32eacf9be9a4a5ad6540d5442b9da1ade36b630baf4c9fad69bffc851a024fc8da54b944e2f24a8ab746779bdf2a0ba9d2bb503ccd2350c61317c7df
SSDEEP

1536:9zICS4AT6GxdEe+TOdincJXvKvsZgYM2HT02F4mHI5PsOqy:uR7auJXSEZgD2HT025Hs

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

C:\FLNjIiJjs.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> Data leak includes 1. Full emloyeers personal data 2. Network information 3. Schemes of buildings, active project information, architect details and contracts, 4. Finance info >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV

Targets

- Target
  
  2024-03-23_18d5dd2db533f028e8e860ae9a15b8e0_blackmatter_darkside
- Size
  
  128KB
- MD5
  
  18d5dd2db533f028e8e860ae9a15b8e0
- SHA1
  
  a61635917ab01a43d4fc2a94aa6fb7fc136b21e0
- SHA256
  
  83d0666835eb65319727a2a9e5e6bf7d7b5c0ec25a543c4b8c44d408ad16dcde
- SHA512
  
  f7e1640b32eacf9be9a4a5ad6540d5442b9da1ade36b630baf4c9fad69bffc851a024fc8da54b944e2f24a8ab746779bdf2a0ba9d2bb503ccd2350c61317c7df
- SSDEEP
  
  1536:9zICS4AT6GxdEe+TOdincJXvKvsZgYM2HT02F4mHI5PsOqy:uR7auJXSEZgD2HT025Hs
Score

10^/10

blackmatter ransomware
- BlackMatter Ransomware
  BlackMatter ransomware group claims to be Darkside and REvil succesor.
  ransomware blackmatter
- Renames multiple (182) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Tasks

Sharing

General

Malware Config

Extracted

Targets

BlackMatter Ransomware

Renames multiple (182) files with added filename extension

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2