Manuel Statik Analiz (LLM Okumali) — BlackMatter Ransomware | Tehdit: KRITIK
MalwareBazaar Conti etiketledi ancak cleartext ransom notu "BlackMatter Ransomware" yazmaktadir. Yanlis etiket tespiti.

Arquivo Kimligi

SHA256b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a
Arquivo Adirun-as-admin.exe
Tamanho515.584 byte
MB EtiketiConti (YANLIS)
Gercek FamíliaBlackMatter

Cleartext C2 Adresleri

TipAdresAmac
HTTP/HTTPShttp://mojobiden.com
https://mojobiden.com
Data exfiltrasyon / C2
HTTP/HTTPShttp://paymenthacks.com
https://paymenthacks.com
Fidye odeme portalı
TOR Onionsupp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onionTOR uzerinden destek portali

Cleartext Ransom Notu

BlackMatter Ransomware encrypted all your files!
   Your network is encrypted, and currently not operational.
   We need only money, after payment we will give you a
   decryptor for the entire network and you will restore
   all the data.

[Note file]: oG5IasxF4.README.txt

Anti-AV ve Anti-Forensics

net stop wuauserv      -- Windows Update durdurma
sophos                 -- Sophos AV tespiti

Mutex

__MUTEX_NAME__ — Placeholder mutex; ayni makineye tekrar enfeksiyonu onler

BlackMatter Hakkinda

BlackMatter, DarkSide geliştiricilerince 2021 yilinda baslatilmistir (DarkSide, Colonial Pipeline saldirisindan sonra kapanmistir). Kurumsal aglarini hedefler, "double extortion" (sifreleme + veri sizintisi tehdidi) kullanir. Kurasal sanayi, gida ve enerji sektorunu etkilemistir. Kasim 2021'de yeniden kapanmistir.

IOC

SHA256b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a
C2mojobiden.com, paymenthacks.com
TORsupp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion
Ransom NotuoG5IasxF4.README.txt

BlackMatter — Perfil do malware

BlackMatter RaaS 2021. DarkSide devami. Cobalt Strike+run-as-admin. ABD kritik altyapi.

Tipo de malware
Ransomware
Linguagem de programação
C
Protocolo C2
Sistemas-alvo
Windows/Linux

Capacidades e comportamento

Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)

Lista IOC (1 indicadores)

IOC — BlackMatter
# SHA256 b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a
TipoValorNota
sha256 b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a

Servidores C2 (6 servidores registrados para esta família)

Endereço Tipo Porta Protocolo Status País
mojobiden.com domain — — active —
mojobiden.com domain 443 HTTPS active —
mojobiden.com domain 443 HTTPS active —
paymenthacks.com domain 443 HTTPS inactive —
supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion domain 80 HTTPS inactive —
paymenthacks.com domain 443 HTTPS inactive —

Os endereços C2 são fornecidos apenas a partir de amostras de malware verificadas manualmente pela equipe KEYDAL. O uso comercial é proibido.

Tags
blackmatterransomwaremojobidenpaymenthacksoniontoryanlis-etiketnet-stopsophos