blackmatter | 3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Resubmissions

05/02/2025, 11:16

250205-ndjvsavrdm 10

16/07/2024, 08:54

240716-kt64gavakp 10

Sharing

Copy URL

Twitter E-mail

General

Target

533.7z
Size

2.7MB
Sample

250205-ndjvsavrdm
MD5

7aded2388d27c5dc782dca435f160857
SHA1

744f53fe1f4c7a43a82e1a942eb71f4175da8935
SHA256

3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d
SHA512

518957e9248e65c5231e10c3977d01f7d3b4aa43f08b00c668be8501a88e06d1eaa2a5aaf976ab9caa1d2eacbc7a2029731d5a7054df230aaf93a79294d9083b
SSDEEP

49152:BdRLSYLgm9h2iT/1Xd6STMtS07Cqjgfzj8flramouva2dd1ALRNyndSBSJQIQV:BdNtJPDJXd62MY50R+a5X1my8BSJQzV

Malware Config

Extracted

Family

blackmatter

Version

1.2

Botnet

512478c08dada2af19e49808fbda5b0b

Credentials

Username:
[email protected]
Password:
120Heisler

Username:
[email protected]
Password:
Tesla2019

Username:
[email protected]
Password:
iteam8**

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes

attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true

rsa_pubkey.base64

aes.base64

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_817205846\+README-WARNING+.txt

Ransom Note

::: Hey ::: Small FAQ: .1. Q: What's going on? A: Your files have been encrypted. The file structure was not affected, we did our best to prevent this from happening. .2. Q: How to recover files? A: If you want to decrypt your files, you will need to pay us. .3. Q: What about guarantees? A: It's just business. We are absolutely not interested in you and your transactions, except for profit. If we do not fulfill our work and obligations, no one will cooperate with us. It's not in our interest. To check the possibility of returning files, you can send us any 2 files with SIMPLE extensions (jpg, xls, doc, etc... not databases!) and small sizes (max 1 mb), we will decrypt them and send them back to you. This is our guarantee. .4. Q: How to contact you? A: You can write to us at our mailboxes: [email protected] .5. Q: How will the decryption process take place after payment? A: After payment, we will send you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don't want to pay bad people like you? A: If you do not cooperate with our service - it does not matter to us. But you will lose your time and data because only we have the private key. In practice, time is much more valuable than money. :::BEWARE::: DO NOT try to modify encrypted files yourself! If you try to use third party software to recover your data or antivirus solutions - back up all encrypted files! Any changes to the encrypted files may result in damage to the private key and, as a result, the loss of all data. Note: ::::::IF WE HAVE NOT RESPONSE YOU BY MAIL WITHIN 24 HOURS:::::: Spare contact for communication: If we have not answered your email within 24 hours, you can contact us via the free messenger qTox Download from the link https://tox.chat/download.html Next go qTox 64-bit after downloading the program, install it and go through a short registration. Our Tox ID 37CDA60B5B593473E120366CCF68A8C08F503880D2AE7F0F4161C2C9C0502C6304DDA2B19D8E

Emails

[email protected]

URLs

https://tox.chat/download.html

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Targets

- Target
  
  533.7z
- Size
  
  2.7MB
- MD5
  
  7aded2388d27c5dc782dca435f160857
- SHA1
  
  744f53fe1f4c7a43a82e1a942eb71f4175da8935
- SHA256
  
  3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d
- SHA512
  
  518957e9248e65c5231e10c3977d01f7d3b4aa43f08b00c668be8501a88e06d1eaa2a5aaf976ab9caa1d2eacbc7a2029731d5a7054df230aaf93a79294d9083b
- SSDEEP
  
  49152:BdRLSYLgm9h2iT/1Xd6STMtS07Cqjgfzj8flramouva2dd1ALRNyndSBSJQIQV:BdNtJPDJXd62MY50R+a5X1my8BSJQzV
Score

1^/10
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5 behavioral6 behavioral7 behavioral8 behavioral9
- Target
  
  084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe
- Size
  
  49KB
- MD5
  
  50248697e19117027d4823c6a3be6db5
- SHA1
  
  fb81c35ffe11180c1d6269006db2fc775eec4741
- SHA256
  
  084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e
- SHA512
  
  abc04de0ee5dfc9ca1afccc6b46f9bb4b56d3d9e9ec11165dfc9d3630a597e865941c2c33f4284807f155f69d8255ac3279c418f3bdb2a7f6b4e8678ba7fd6ed
- SSDEEP
  
  768:acaQRffDB31aCytHLykiKPT3JATD2qBwV2ckjbnsb0Ah99De0YAD8hMWsddOC86t:acai318HxZATvnsblYO8hMWsdoC86+r
Score

10^/10

defense_evasion discovery execution impact ransomware spyware stealer credential_access
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (8352) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral10 behavioral11 behavioral12 behavioral13 behavioral14 behavioral15 behavioral16 behavioral17 behavioral18
- Target
  
  14b94844b99ac43c014ea73c3400097e3239a7307d1618e84159a741ab0e8ac3.exe
- Size
  
  87KB
- MD5
  
  d77f7e460e5036f65677b24ed24c2dff
- SHA1
  
  053afa00864c3c0c896e48be382436c417cabb34
- SHA256
  
  14b94844b99ac43c014ea73c3400097e3239a7307d1618e84159a741ab0e8ac3
- SHA512
  
  f447b9b9a60f7a6fddd137a228efc7c056b989c698c85c30e6eda7c3b3990fb7a82fe2387b8fb8ee38d21704f9924a989a2a87f1d34badf20a3c89a2b9dfe3b9
- SSDEEP
  
  1536:1o2ECd3kfHr9PZAKodFF2QRa/oDc10QxsSmCDo/PjsXMbyxFmwYSDfgCso:1oWd3kfr9P5QRaADc17xAKRjFr4Lo
Score

10^/10

chaos defense_evasion evasion execution impact ransomware spyware stealer
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Chaos family
  chaos
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral19 behavioral20 behavioral21 behavioral22 behavioral23 behavioral24 behavioral25 behavioral26 behavioral27
- Target
  
  2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe
- Size
  
  70KB
- MD5
  
  193e702195e8ed5c50cc482569559462
- SHA1
  
  47a5307b78fa2c60c20ce63c553aef4a6d5a3e1c
- SHA256
  
  2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e
- SHA512
  
  d5ae5a8bccfc08bc07834caaebaed7a6cde1911170eb8de99322bf15be3ad111b5042d6401dcb06e64a6a429eee19d964878089af205474b377b77627bb63a35
- SSDEEP
  
  768:lXStkFWTBhyugDC60CPJkEBx9w7mSDh3vkkjvshT3ED18nv04ZPqpb348Uq1krHO:liMWV3gDCk6EBwT/kJbvkbuq1krj0z
Score

10^/10

nefilim discovery ransomware
- Nefilim
  Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.
  ransomware nefilim
- Nefilim family
  nefilim
- Renames multiple (191) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
behavioral28 behavioral29 behavioral30 behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Deletes shadow copies

Renames multiple (8352) files with added filename extension

Deletes backup catalog

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Sets desktop wallpaper using registry

Chaos

Chaos Ransomware

Chaos family

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Checks computer location settings

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Nefilim

Nefilim family

Renames multiple (191) files with added filename extension

Checks computer location settings

Deletes itself

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32