Manuel Statik Analiz (LLM Okumali) — BlackMatter Ransomware | Tehdit: KRITIK
MalwareBazaar Conti etiketledi ancak cleartext ransom notu "BlackMatter Ransomware" yazmaktadir. Yanlis etiket tespiti.

ファイル Kimligi

SHA256b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a
ファイル Adirun-as-admin.exe
サイズ515.584 byte
MB EtiketiConti (YANLIS)
Gercek ファミリーBlackMatter

Cleartext C2 Adresleri

TipAdresAmac
HTTP/HTTPShttp://mojobiden.com
https://mojobiden.com
Data exfiltrasyon / C2
HTTP/HTTPShttp://paymenthacks.com
https://paymenthacks.com
Fidye odeme portalı
TOR Onionsupp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onionTOR uzerinden destek portali

Cleartext Ransom Notu

BlackMatter Ransomware encrypted all your files!
   Your network is encrypted, and currently not operational.
   We need only money, after payment we will give you a
   decryptor for the entire network and you will restore
   all the data.

[Note file]: oG5IasxF4.README.txt

Anti-AV ve Anti-Forensics

net stop wuauserv      -- Windows Update durdurma
sophos                 -- Sophos AV tespiti

Mutex

__MUTEX_NAME__ — Placeholder mutex; ayni makineye tekrar enfeksiyonu onler

BlackMatter Hakkinda

BlackMatter, DarkSide geliştiricilerince 2021 yilinda baslatilmistir (DarkSide, Colonial Pipeline saldirisindan sonra kapanmistir). Kurumsal aglarini hedefler, "double extortion" (sifreleme + veri sizintisi tehdidi) kullanir. Kurasal sanayi, gida ve enerji sektorunu etkilemistir. Kasim 2021'de yeniden kapanmistir.

IOC

SHA256b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a
C2mojobiden.com, paymenthacks.com
TORsupp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion
Ransom NotuoG5IasxF4.README.txt

BlackMatter — マルウェアプロファイル

BlackMatter RaaS 2021. DarkSide devami. Cobalt Strike+run-as-admin. ABD kritik altyapi.

マルウェアの種類
Ransomware
プログラミング言語
C
C2プロトコル
標的システム
Windows/Linux

機能と挙動

Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)

IOCリスト (1 件の指標)

IOC — BlackMatter
# SHA256 b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a
タイプメモ
sha256 b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a

C2サーバー (このファミリーで6台のサーバーを記録)

アドレス タイプ ポート プロトコル ステータス
mojobiden.com domain — — active —
mojobiden.com domain 443 HTTPS active —
mojobiden.com domain 443 HTTPS active —
paymenthacks.com domain 443 HTTPS inactive —
supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion domain 80 HTTPS inactive —
paymenthacks.com domain 443 HTTPS inactive —

C2アドレスはKEYDALチームが手動で検証したマルウェア検体のみに基づいて提供されています。商用利用は禁止です。

タグ
blackmatterransomwaremojobidenpaymenthacksoniontoryanlis-etiketnet-stopsophos