blackmatter | 2882cbed0fb11c95d01b487a85338f4ec25fd44fc3f0936d68af4832d1be9a54

Sharing

Copy URL

Twitter E-mail

General

Target

ransom.zip
Size

831KB
Sample

241125-bjt7gswjcj
MD5

7cd61bf217379a23bf42b1f9d08affab
SHA1

ac4cca1c691780cb6f33b476495b2fa30e00214b
SHA256

2882cbed0fb11c95d01b487a85338f4ec25fd44fc3f0936d68af4832d1be9a54
SHA512

e408d2f8bcad00448cacbc38bc747a83c4b23f484e789d129f110a51ffae417e644ae1b48350942630cbb12b3616480f73875afd55668b1b380af4606e40e44f
SSDEEP

24576:RyS4x8Uhh9cBLMfwp0zhbWA/7rYQXYJpD7r1OGKoW4XH:Y5xTHhhhnZYPhPH

Score

10^/10

Malware Config

Extracted

Family

blackmatter

Version

25.239

Targets

- Target
  
  ransom/Build.bat
- Size
  
  741B
- MD5
  
  4e46e28b2e61643f6af70a8b19e5cb1f
- SHA1
  
  804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
- SHA256
  
  8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
- SHA512
  
  009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  ransom/Build/LB3.exe
- Size
  
  145KB
- MD5
  
  b2cb742a43762106fc03fa1e26fd4f68
- SHA1
  
  aef4e9199b06b835b6e677c0910d3ed6fdf96ef3
- SHA256
  
  f4dcf20fcdd95d241eadcd88ce30998189d0682132456e9254321a8d6d281611
- SHA512
  
  d0521e8a496e53a309acf7f9d388e684bfa068cc77d23ae6a7da75e6dea962b2a9e3dd5a27dc5e45c054aa025e3ff1a3c237a996aab2fbcfaa68483481ca4975
- SSDEEP
  
  3072:5qJogYkcSNm9V7D58PleQQuloQwssCnT:5q2kc4m9tDcQvuiQfD
Score

9^/10

defense_evasion discovery ransomware spyware stealer
- Renames multiple (370) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  ransom/Build/LB3Decryptor.exe
- Size
  
  54KB
- MD5
  
  333ac98a465013153ef64a13fe03b474
- SHA1
  
  94e92e86759b9609542264e81f826f64efc5fcfd
- SHA256
  
  f786bc48b6aa6486e9b13b64475379b3a7699fcc877ad6c41f5de3cc7d7196d8
- SHA512
  
  427854c59772308c9f18d8f070607ca6bb691507647f348aeece1c6aae3d8beab60ef91623120242d3ae4bf477ee4add0076ee4a6465fb789a2ba67187501703
- SSDEEP
  
  768:vlD2N5KCJD5rkdDRib1Xf0854gC3E9zpKMMYj1MYgFMRx:VAkCJD5rKDRib1F54gLp2Yj1M7MD
Score

7^/10

discovery spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral5 behavioral6
- Target
  
  ransom/Build/LB3_ReflectiveDll_DllMain.dll
- Size
  
  98KB
- MD5
  
  31d3ab7a5a7a2d7b197c741fe0f374d5
- SHA1
  
  7e925b5a2b7283986128d45527fe1ac70d4a606d
- SHA256
  
  6efbd82980c404bcc767108da00e4239b9dc779c4a90c9961619dc1ef4bc527e
- SHA512
  
  82f186c91beb14ca135b70bc3e43dcbdf0387c862ed3d16f138bb573b244d1cb1a4930d87351dc3a4a36fc36db390b574b4fa7580cf2dd0af09dc1469453b61b
- SSDEEP
  
  1536:NzICS4A30TY1kUS/U2ztdS1I6DdL9Ta1HX1P9tWTSyF6ARsg89:eJ0TYyUS/U2RgGWL9+xh9cTSY6AR4
Score

9^/10

defense_evasion discovery ransomware spyware stealer
- Renames multiple (278) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7 behavioral8
- Target
  
  ransom/Build/LB3_Rundll32.dll
- Size
  
  144KB
- MD5
  
  63ef3d9a683b94359bc923298cb205ea
- SHA1
  
  fb1286bff44a2a14a09e76c98361954e06b9d820
- SHA256
  
  80d797ee561b9373be40493478463b4f256a95138e1c7a4489341165b1821a4b
- SHA512
  
  9015fc02e9cdbcfeec3b47ae7904d3f290c80f3f0e5a700101270763e4b7b7acc8024dce3909f5bcd81947ed85b2935d9ff081523ad854a935c2003802d3f570
- SSDEEP
  
  3072:hrPn1hcH98P67PBH2G3gFoh3H6J1vVjgQp3RpM1dpbQrQymzUOMgInmwuzwEb5fx:hrP1hG98P67PNV3gih3H6J1VjgQp3Rp0
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  ransom/Build/LB3_Rundll32_pass.dll
- Size
  
  140KB
- MD5
  
  3c0c5293d4910194216662891d526e5a
- SHA1
  
  0eecd385148a15bd26b4310f6e033f2210e36366
- SHA256
  
  4c88ab29cac1be9a88d6c06f9544eed817685784e2c3fd46b4192cdc4d4e2834
- SHA512
  
  56c6cfbf22b21de3f06b0a9ed4197d6ff4e62c701b14c27aa5b4d91fabb1c97b63f8e4384efebea26d5ba0d9d9d1cdd8d1f4ae16137ead4c9398f0ceecc2978a
- SSDEEP
  
  3072:IyOP+K2O8hstIRx8iaXnnf70ZS1cMSNUNPtMNmG+kXYX:IyOzP4f8ia3wZacMSMPtMu
Score

10^/10

lockbit discovery ransomware
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Lockbit family
  lockbit
- Rule to detect Lockbit 3.0 ransomware Windows payload
behavioral11 behavioral12
- Target
  
  ransom/Build/LB3_pass.exe
- Size
  
  141KB
- MD5
  
  85fbdd693c11767ae0f2ae519b4df7a2
- SHA1
  
  1598ea54fec9894888262976f2fdd71420eb3130
- SHA256
  
  173f5533ad95e05c7a89a842f7923b23cc1b41c48221ff3262e82c847db1d409
- SHA512
  
  a3ad65b7bc2d2850906d02c0c9ea18580e21d5e0c8c0868b5865ce73acfd2c550dbc3c4d79fa63ede0d4607bbcb9380841ac0f893aeddf09c1a9ed75ff8b98f5
- SSDEEP
  
  3072:ifGQiJ+A2qUO9XFyKoP7C1aGTnKsXGQe7bHw7/d4f4fb3Du8vVmB4xPMG+4wHTZi:I/iQA2qUO9VZKCQUnKKGLbHt4Du8tH+s
Score

10^/10

lockbit discovery ransomware
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Lockbit family
  lockbit
- Rule to detect Lockbit 3.0 ransomware Windows payload
behavioral13 behavioral14
- Target
  
  ransom/builder.exe
- Size
  
  469KB
- MD5
  
  c2bc344f6dde0573ea9acdfb6698bf4c
- SHA1
  
  d6ae7dc2462c8c35c4a074b0a62f07cfef873c77
- SHA256
  
  a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db
- SHA512
  
  d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0
- SSDEEP
  
  12288:CzVXpdg/1MB94JD7RfaVT1hG98P67PNV3giFH6J1VjR3L6dpbQrQyEpInmwuRUfB:CzxjgdRpBq1hG98P67PNV3giFH6J1Vjn
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  ransom/keygen.exe
- Size
  
  31KB
- MD5
  
  71c3b2f765b04d0b7ea0328f6ce0c4e2
- SHA1
  
  bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4
- SHA256
  
  ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37
- SHA512
  
  1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035
- SSDEEP
  
  768:A6+T41GjHbdWCWDwDD01riWpJxKpAQJs/3JGIDLQ5:b+U+hHIBpJxixgQ
Score

3^/10

discovery
behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Tasks

Sharing

General

Malware Config

Extracted

Targets

Renames multiple (370) files with added filename extension

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Indicator Removal: File Deletion

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Reads user/profile data of web browsers

Renames multiple (278) files with added filename extension

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Indicator Removal: File Deletion

Suspicious use of NtSetInformationThreadHideFromDebugger

Lockbit

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18