blackmatter | hxxps://github[.]com/Pyran1/MalwareDatabase/tree/master/Ransomware

General

Target

https://github.com/Pyran1/MalwareDatabase/tree/master/Ransomware
Sample

250226-fpzrda1kz7

Score

10^/10

Malware Config

Extracted

Family

blackmatter

Version

3.0

Botnet

4e591a315c54e8800dae714320555fa5

Credentials

Username:
[email protected]
Password:
yhU6VJ$&amp

Username:
[email protected]
Password:
RPo@ndf9

Username:
[email protected]
Password:
DH5U87@rA0ELa2

C2

https://fluentzip.org

http://fluentzip.org

Attributes

attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true

rsa_pubkey.base64

aes.base64

Extracted

Path

F:\KeOBVFSB4.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen large amount of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/U6H6RKDF6W3B8XOWL >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/U6H6RKDF6W3B8XOWL

Targets

- Target
  
  https://github.com/Pyran1/MalwareDatabase/tree/master/Ransomware
Score

10^/10

blackmatter koxic xmrig 4e591a315c54e8800dae714320555fa5 defense_evasion discovery evasion miner persistence ransomware trojan
- BlackMatter Ransomware
  BlackMatter ransomware group claims to be Darkside and REvil succesor.
  ransomware blackmatter
- Blackmatter family
  blackmatter
- Koxic
  A C++ written ransomware first seen in late 2021.
  ransomware koxic
- Koxic family
  koxic
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Modifies firewall policy service
  defense_evasion
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Renames multiple (615) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- XMRig Miner payload
  miner
- Disables taskbar notifications via registry modification
  defense_evasion
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Modifies file permissions
  discovery
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1