Manuel Statik Analiz (LLM Okumali) — BlackMatter Ransomware | Tehdit: KRITIK
MalwareBazaar Conti etiketledi ancak cleartext ransom notu "BlackMatter Ransomware" yazmaktadir. Yanlis etiket tespiti.

Fichier Kimligi

SHA256b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a
Fichier Adirun-as-admin.exe
Taille515.584 byte
MB EtiketiConti (YANLIS)
Gercek FamilleBlackMatter

Cleartext C2 Adresleri

TipAdresAmac
HTTP/HTTPShttp://mojobiden.com
https://mojobiden.com
Data exfiltrasyon / C2
HTTP/HTTPShttp://paymenthacks.com
https://paymenthacks.com
Fidye odeme portalı
TOR Onionsupp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onionTOR uzerinden destek portali

Cleartext Ransom Notu

BlackMatter Ransomware encrypted all your files!
   Your network is encrypted, and currently not operational.
   We need only money, after payment we will give you a
   decryptor for the entire network and you will restore
   all the data.

[Note file]: oG5IasxF4.README.txt

Anti-AV ve Anti-Forensics

net stop wuauserv      -- Windows Update durdurma
sophos                 -- Sophos AV tespiti

Mutex

__MUTEX_NAME__ — Placeholder mutex; ayni makineye tekrar enfeksiyonu onler

BlackMatter Hakkinda

BlackMatter, DarkSide geliştiricilerince 2021 yilinda baslatilmistir (DarkSide, Colonial Pipeline saldirisindan sonra kapanmistir). Kurumsal aglarini hedefler, "double extortion" (sifreleme + veri sizintisi tehdidi) kullanir. Kurasal sanayi, gida ve enerji sektorunu etkilemistir. Kasim 2021'de yeniden kapanmistir.

IOC

SHA256b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a
C2mojobiden.com, paymenthacks.com
TORsupp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion
Ransom NotuoG5IasxF4.README.txt

BlackMatter — Profil du malware

BlackMatter RaaS 2021. DarkSide devami. Cobalt Strike+run-as-admin. ABD kritik altyapi.

Type de malware
Ransomware
Langage de programmation
C
Protocole C2
Systèmes ciblés
Windows/Linux

Capacités et comportement

Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)

Liste IOC (1 indicateurs)

IOC — BlackMatter
# SHA256 b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a
TypeValeurNote
sha256 b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a

Serveurs C2 (6 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
mojobiden.com domain — — active —
mojobiden.com domain 443 HTTPS active —
mojobiden.com domain 443 HTTPS active —
paymenthacks.com domain 443 HTTPS inactive —
supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion domain 80 HTTPS inactive —
paymenthacks.com domain 443 HTTPS inactive —

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
blackmatterransomwaremojobidenpaymenthacksoniontoryanlis-etiketnet-stopsophos