General

  • Target

    jetbrains-toolbox-2.4.2.32922.exe

  • Size

    73.3MB

  • Sample

    240824-x9ck1sxcpl

  • MD5

    8834be9ccff17cb4dd02af3707697d68

  • SHA1

    90f4b192ca0f7271b9793d89f14ac5267030f2ce

  • SHA256

    281f575872c5519b4d831f63783513d21e868e83a16711d72cc2f1c68776063e

  • SHA512

    7ee533368c5e1cd8b58bafe0377d2779395c381121b6e99b01b25add563fe741d1066c9443caaec1071b9c95bbffea39de545f47ceeae51e9c07c8b6928b0ea2

  • SSDEEP

    1572864:LyrK60PRtvL0C5nyMorvqt8WKfcKkVAdFfhnk2U2etkPH/s/m0hnzd1pf1Nbr:LZ9HL08nyhr5W2cKk2DOtkf/s/m0Zzdz

Malware Config

Extracted

Path

F:\v8HLzs7Lw.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. From your network was stolen more than 100 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/S2A4H6RGPHHLU1IJRLNTN >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/S2A4H6RGPHHLU1IJRLNTN

Targets

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • Renames multiple (140) files with added filename extension

      This suggests ransomware activity: encrypting files across the system.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks