Manuel Statik Analiz — BlackMatter Ransomware | Tehdit: KRITIK

ファイル Kimliği

SHA256b70e78971fc44f84515584b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2
ファイル名run-as-admin.exe (ayrıcalık yükseltme aracı)
サイズ515.584 byte
String Sayisi2.078

Cobalt Strike C2 Sunucuları

C2: BlackMatter Cobalt Strike post-exploitation için sahte domain'ler kullanıyor!
http://mojobiden.com    -- Cobalt Strike C2 (ABD Başkanı Biden taklidi!)
http://paymenthacks.com -- Cobalt Strike C2 (ödeme altyapısı taklidi)

Fidye Notu

"BlackMatter Ransomware encrypted all your files!"
"Your network is encrypted, and cu..."

Tor .onion Ödeme Paneli

supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion
-- BlackMatter kurban müzakere Tor sitesi

BlackMatter Hakkında

BlackMatter, Temmuz-Kasım 2021 arasında aktif olan RaaS grubudur. DarkSide'ın devamı olduğu değerlendirilmektedir. ABD kritik altyapı (petrol boru hattı, tarım) hedeflerinden sonra operasyonunu durdurmuştur. Cobalt Strike kullanarak kurumsal ağlarda lateral movement yapar.

IOC

SHA256b70e78971fc44f84515584b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2
CS C2mojobiden.com
CS C2paymenthacks.com
Onionsupp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion

BlackMatter — マルウェアプロファイル

BlackMatter RaaS 2021. DarkSide devami. Cobalt Strike+run-as-admin. ABD kritik altyapi.

マルウェアの種類
Ransomware
プログラミング言語
C
C2プロトコル
標的システム
Windows/Linux

機能と挙動

Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)

IOCリスト (3 件の指標)

IOC — BlackMatter
# DOMAIN mojobiden.com # DOMAIN paymenthacks.com # DOMAIN supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion
タイプメモ
domain mojobiden.com
domain paymenthacks.com
domain supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion

C2サーバー (このファミリーで6台のサーバーを記録)

アドレス タイプ ポート プロトコル ステータス
mojobiden.com domain — — active —
mojobiden.com domain 443 HTTPS active —
mojobiden.com domain 443 HTTPS active —
paymenthacks.com domain 443 HTTPS inactive —
supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion domain 80 HTTPS inactive —
paymenthacks.com domain 443 HTTPS inactive —

C2アドレスはKEYDALチームが手動で検証したマルウェア検体のみに基づいて提供されています。商用利用は禁止です。

タグ
blackmattercobalt-strikemojobidenpaymenthackstor-onionprivilege-escalationransomware