Manuel Statik Analiz (LLM Okumali) — BlackMatter Ransomware | Tehdit: KRITIK
MalwareBazaar Conti etiketledi ancak cleartext ransom notu "BlackMatter Ransomware" yazmaktadir. Yanlis etiket tespiti.
文件 Kimligi
| SHA256 | b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a |
|---|---|
| 文件 Adi | run-as-admin.exe |
| 大小 | 515.584 byte |
| MB Etiketi | Conti (YANLIS) |
| Gercek 家族 | BlackMatter |
Cleartext C2 Adresleri
| Tip | Adres | Amac |
|---|---|---|
| HTTP/HTTPS | http://mojobiden.comhttps://mojobiden.com | Data exfiltrasyon / C2 |
| HTTP/HTTPS | http://paymenthacks.comhttps://paymenthacks.com | Fidye odeme portalı |
| TOR Onion | supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion | TOR uzerinden destek portali |
Cleartext Ransom Notu
BlackMatter Ransomware encrypted all your files! Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. [Note file]: oG5IasxF4.README.txt
Anti-AV ve Anti-Forensics
net stop wuauserv -- Windows Update durdurma sophos -- Sophos AV tespiti
Mutex
__MUTEX_NAME__ — Placeholder mutex; ayni makineye tekrar enfeksiyonu onler
BlackMatter Hakkinda
BlackMatter, DarkSide geliştiricilerince 2021 yilinda baslatilmistir (DarkSide, Colonial Pipeline saldirisindan sonra kapanmistir). Kurumsal aglarini hedefler, "double extortion" (sifreleme + veri sizintisi tehdidi) kullanir. Kurasal sanayi, gida ve enerji sektorunu etkilemistir. Kasim 2021'de yeniden kapanmistir.
IOC
| SHA256 | b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a |
|---|---|
| C2 | mojobiden.com, paymenthacks.com |
| TOR | supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion |
| Ransom Notu | oG5IasxF4.README.txt |
BlackMatter — 恶意软件档案
BlackMatter RaaS 2021. DarkSide devami. Cobalt Strike+run-as-admin. ABD kritik altyapi.
恶意软件类型
Ransomware
编程语言
C
C2协议
—
目标系统
Windows/Linux
能力与行为
Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)
IOC列表 (1 个指标)
IOC — BlackMatter
# SHA256
b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a
| 类型 | 值 | 备注 |
|---|---|---|
| sha256 | b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a |
C2服务器 (该家族共有 6 台已记录服务器)
| 地址 | 类型 | 端口 | 协议 | 状态 | 国家 |
|---|---|---|---|---|---|
| mojobiden.com | domain | — | — | active | — |
| mojobiden.com | domain | 443 | HTTPS | active | — |
| mojobiden.com | domain | 443 | HTTPS | active | — |
| paymenthacks.com | domain | 443 | HTTPS | inactive | — |
| supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion | domain | 80 | HTTPS | inactive | — |
| paymenthacks.com | domain | 443 | HTTPS | inactive | — |
C2 地址仅来自 KEYDAL 团队人工验证的恶意软件样本。禁止用于商业用途。