blackmatter | 3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Target

533.7z
Size

2.7MB
Sample

250325-p58tnawwe1
MD5

7aded2388d27c5dc782dca435f160857
SHA1

744f53fe1f4c7a43a82e1a942eb71f4175da8935
SHA256

3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d
SHA512

518957e9248e65c5231e10c3977d01f7d3b4aa43f08b00c668be8501a88e06d1eaa2a5aaf976ab9caa1d2eacbc7a2029731d5a7054df230aaf93a79294d9083b
SSDEEP

49152:BdRLSYLgm9h2iT/1Xd6STMtS07Cqjgfzj8flramouva2dd1ALRNyndSBSJQIQV:BdNtJPDJXd62MY50R+a5X1my8BSJQzV

Malware Config

Extracted

Family

blackmatter

Version

1.2

Botnet

512478c08dada2af19e49808fbda5b0b

Credentials

Username:
[email protected]
Password:
120Heisler

Username:
[email protected]
Password:
Tesla2019

Username:
[email protected]
Password:
iteam8**

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes

attempt_auth
true
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true

rsa_pubkey.base64

aes.base64

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 6B5962FB In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Path

C:\gT7W1tbWP.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> Data leak includes 1. Full emloyeers personal data 2. Network information 3. Schemes of buildings, active project information, architect details and contracts, 4. Finance info >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV

Extracted

Family

blackmatter

Version

1.2

Extracted

Path

C:\Users\لفك تشفير ملفات اضغط هنا

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back? Contact me to decrypt your files : https://t.me/+aZZ3tv3FBVM5ODk8

URLs

https://t.me/+aZZ3tv3FBVM5ODk8

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 8985B07A In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 4A7B6ACA In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 34246335 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message A6AF50CB In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Targets

- Target
  
  34c392448fc0818278cd19bb0841adf573e967be8a0f73bb42bb367a5835b6ea.exe
- Size
  
  92KB
- MD5
  
  21c2b2d0bfc15b3d4bc72263f9db5547
- SHA1
  
  9f65f98ae2b418425a1d98b8d86bef88edab4d7c
- SHA256
  
  34c392448fc0818278cd19bb0841adf573e967be8a0f73bb42bb367a5835b6ea
- SHA512
  
  aeeb64dc1130f6e5ccf6ab9abedf01e2a59e149f4897a44b02c32f816ddd1d1698a59447f7ce03dab966972f7714977b49f4b7e0fd258b0bedd936ac1926060a
- SSDEEP
  
  1536:lBwl+KXpsqN5vlwWYyhY9S4AE4SLlaSXrgKcQ48bcWHpOZ2yr+e72eIGZZyb1j:vw+asqN5aW/hL6dhamQoBU4yTi17j
Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (323) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5
- Target
  
  37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe
- Size
  
  1.3MB
- MD5
  
  af24c3030002d1487c6455fdb1a09eec
- SHA1
  
  72732ddefce71c13297df596267260a5d8e892f3
- SHA256
  
  37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c
- SHA512
  
  470a0cf695add143555eaa45f3fe5c462edb1cea2cd1589b19f55029b488fae58da2bd588bf79cdb16eeb4518bc7b7189eba764d611d008b1b27145ca0e8a2e3
- SSDEEP
  
  24576:Auh7HYGSWwFda6lBbXUqcTGKcr5YrcRBlBnNmkE9pneHiAvuQnL1mp/DVmu6KUi0:Dhkkw7LNNmTDqnRmJDx61i0
Score

10^/10

defense_evasion discovery persistence privilege_escalation mimic ransomware
- Detects Mimic ransomware
- Mimic
  Ransomware family was first exploited in the wild in 2022.
  ransomware mimic
- Mimic family
  mimic
- Renames multiple (283) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Modifies Windows Firewall
  defense_evasion
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral10 behavioral6 behavioral7 behavioral8 behavioral9
- Target
  
  3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
- Size
  
  80KB
- MD5
  
  e3269531cf93d040b08074bfb31b72a0
- SHA1
  
  45b6d89dcea02cc90ae054d72ec80a2eb1036a7e
- SHA256
  
  3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859
- SHA512
  
  e4de5613557ff15f23e2c28763fee6443c81351401974389e1c01cb979efc81c0ff397b85ba3fc6f0204f7c5e0c7617617130d38b441748446e72a0fbb7a12b0
- SSDEEP
  
  1536:NE+VYVYMC2F7Aoter2j1lYgpM2HT02F4mHI5PsOqy:2+G3eaj0g+2HT025Hs
Score

10^/10

blackmatter discovery ransomware upx
- BlackMatter Ransomware
  BlackMatter ransomware group claims to be Darkside and REvil succesor.
  ransomware blackmatter
- Blackmatter family
  blackmatter
- Renames multiple (120) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral11 behavioral12 behavioral13 behavioral14 behavioral15
- Target
  
  49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24.exe
- Size
  
  44KB
- MD5
  
  7977bc8781a00875b4d465bc2a90d5d4
- SHA1
  
  9f4b2858edcff694fee76636bf8cf33a366fc237
- SHA256
  
  49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24
- SHA512
  
  245d65b9301b759097cded2a2f078e4e41c7b68e303a71fccd465a6fa230b48e13e571c4e57e03710934a5e6b9536ed634e0edc502ba35433b02147760e5f05b
- SSDEEP
  
  768:0AxEin+Z8W9KCZLhaY4m9lUOmMayPpfHlynRUhMgAA9dEmCJ:7xESW9KC1hxJ9lJPQLH
Score

10^/10

chaos defense_evasion evasion execution impact persistence ransomware spyware stealer discovery
- Chaos
  Ransomware family first seen in June 2021.
  ransomware chaos
- Chaos Ransomware
- Chaos family
  chaos
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral16 behavioral17 behavioral18 behavioral19 behavioral20
- Target
  
  4a2ad49c934f9ae6ca6b5d0c7cc34f5e12d349640012fa8cf8eb7e2d3acd6c9f.exe
- Size
  
  1.9MB
- MD5
  
  4f85eec9e23dc664c814cea272dcd5b8
- SHA1
  
  4eda594a01aee9622604924ffecfa9dbd6135bc0
- SHA256
  
  4a2ad49c934f9ae6ca6b5d0c7cc34f5e12d349640012fa8cf8eb7e2d3acd6c9f
- SHA512
  
  97fdf815bb43f7fbfff03b6ca9e7a94d72a17faa0667091951b0be2a1ea3757f6f051e16c9a583f808b5df3fcbea525c570729b120499d1a47c530c7f179db18
- SSDEEP
  
  12288:6s2cBCtdB3+j+3EEQ5NX2l0Y/iaJDdI+VrzrzzczNzzE:6s2Jtn3aOEN5NX2l0Y/iaJDn
Score

3^/10

discovery
behavioral21 behavioral22 behavioral23 behavioral24 behavioral25
- Target
  
  5199b64b50f678d75f85cb0c3ac97d7df67f23471815e21236b1a790d008fe3c.exe
- Size
  
  54KB
- MD5
  
  1f6297e052951ae79aaec997dbb202d4
- SHA1
  
  ab27665f5b886bf553b2c9a91c65e2abca5c1d01
- SHA256
  
  5199b64b50f678d75f85cb0c3ac97d7df67f23471815e21236b1a790d008fe3c
- SHA512
  
  4cf533b824503cd1783f583c9f100e67f84578afac31b7b2b1c23192f4504d457ae7f522d53c40b62b59daafd5ad92580a9b67baad612f20f74d6712c8e94e00
- SSDEEP
  
  768:/z7z/zxACAm8YHxxSoxS1RKRQGdGGdnQN4L6hhho9h9qfP821824x:/zp8dGdGGde4L67q9h9qfETXx
Score

1^/10
behavioral26 behavioral27 behavioral28 behavioral29 behavioral30