Overview

overview

10

Static

static

10

706f3eec32...9d.exe

windows7-x64

10

706f3eec32...9d.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    201ad4b503f9b0bf629c8acbb9d9f9722cfecd0f0b889d95d4a25d3c8beff3b8

  • Size

    44KB

  • Sample

    240419-wzgasabh36

  • MD5

    2fce17c40025f1cc9167a77339face9b

  • SHA1

    bfb018973bd62dedd53ea1e26e442c214ed88dca

  • SHA256

    201ad4b503f9b0bf629c8acbb9d9f9722cfecd0f0b889d95d4a25d3c8beff3b8

  • SHA512

    087201fe4909e2a98fa808db8e9a13c981b6bd7de226bc0682e1e7983a7079a9c8ebd852ead235bc0410cb4d28c9ce5265d128bc8f35177dfa84990aa9a5c608

  • SSDEEP

    768:oZ/Ws8jZIJplJrBbFBNN3ibZzMI93NTwvJGdbMFM50IMruRiQ2CvFIly:oZes81IJjZBbCz93NTwMFA40IM6gQwM

Score
10/10
blackmatter90a881ffa127b004cec6802588fce307ransomware

Malware Config

Extracted

Family

blackmatter

Version

2.0

Botnet

90a881ffa127b004cec6802588fce307

Credentials
  • Username:
    jmiklo@@adroot.newcoop.com
  • Password:
    sanfran85
C2

https://mojobiden.com

http://mojobiden.com

https://nowautomation.com

http://nowautomation.com
Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Path

C:\4hmGaGiGG.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 1000 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX

Targets

    • Target

      706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d

    • Size

      79KB

    • MD5

      62a1b4d4b461f4eaae91c70727f71604

    • SHA1

      1ced9a7e62aa65faa03eb1ad2bc786e9d9b5f6c2

    • SHA256

      706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d

    • SHA512

      d14f989f5f54663c3ea63526a000e8db5d172046e37f412ed47cd31eb14db071b515b854bbb3ab3d2f41f936b6962583aaa0b3ef1236aa2506148813f66ad542

    • SSDEEP

      1536:DnICS4ArFnRoHhcVyid9EZZoi+zQ95f8IwdON:QZnmqVyq9EN+M95bwE

    Score
    10/10
    blackmatterransomware

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

      ransomwareblackmatter

    • Renames multiple (182) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks