General

  • Target

    RNSM00461.7z

  • Size

    60.9MB

  • Sample

    241008-yklcaszcqm

  • MD5

    8c86d207106187b7b5ad016e52d56aa7

  • SHA1

    8f2a7841251a70c593971abcb07fc86b499cb450

  • SHA256

    3a53dc20e029de2cfc000807ec3514304b2d63b99ca20445ff34e601a22f6e8f

  • SHA512

    96a6cd81e09daa570a691c03f3235453db2ab73055e7f60783a654398072a78376e965c31cea033a1c5bc5be16f645a8448246f53ce886d957947ba55ab9b2e4

  • SSDEEP

    1572864:b8i7e7JhdMjviNbM9b81ht1OjO6ZJ57Iz:YNaTiNbObEOKCJ58z

Malware Config

Extracted

Family

crimsonrat

C2

173.249.22.30

Extracted

Family

danabot

Botnet

4

C2

23.229.29.48:443

152.89.247.31:443

192.210.222.81:443

Attributes

  • embedded_hash

    6AD9FE4F9E491E785665E0D144F61DAB

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain

Extracted

Family

djvu

C2

http://astdg.top/fhsgtsspen6/get.php

Attributes

  • extension

    .reqg

  • offline_id

    ioYmb0jtMMtue7xjmkS3WQWGWLR8FTQhb2giQtt1

  • payload_url

    http://securebiz.org/dl/build2.exe

    http://astdg.top/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-jTbSQT8ApY Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0324gDrgo

rsa_pubkey.plain
rsa_pubkey.plain

Extracted

Family

redline

Botnet

@pidoras213124

C2

135.181.171.9:23469

Extracted

Family

nullmixer

C2

http://razino.xyz/

Extracted

Family

redline

Botnet

Cana01

C2

176.111.174.254:56328

Extracted

Family

redline

Botnet

AniOLD

C2

akedauiver.xyz:80

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Extracted

Path

C:\i9Cj8fGj0.README.txt

Family

blackmatter

Ransom Note

BLACK Matter

>>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.

>>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises.

>>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/0JOA98TDMXLHJ77VDOO

>>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/0JOA98TDMXLHJ77VDOO

Targets


    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot Loader Component

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon Stealer V1 payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • UAC bypass

    • Urelas

      Urelas is a trojan targeting card games.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Renames multiple (194) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Modifies Windows Firewall

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks