Manual Static Analysis (LLM-readable) — BlackMatter Ransomware | Threat: CRITICAL
MalwareBazaar tagged the sample as Conti, but the cleartext ransom note reads "BlackMatter Ransomware". Mislabel detected.
File Identity
| SHA256 | b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a |
|---|---|
| File Name | run-as-admin.exe |
| Size | 515,584 bytes |
| MB Tag | Conti (WRONG) |
| Actual Family | BlackMatter |
Cleartext C2 Addresses
| Type | Address | Purpose |
|---|---|---|
| HTTP/HTTPS | http://mojobiden.com, https://mojobiden.com | Data exfiltration / C2 |
| HTTP/HTTPS | http://paymenthacks.com, https://paymenthacks.com | Ransom payment portal |
| TOR Onion | supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion | Support portal over TOR |
Cleartext Ransom Note
BlackMatter Ransomware encrypted all your files! Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. [Note file]: oG5IasxF4.README.txt
Anti-AV and Anti-Forensics
net stop wuauserv -- stops the Windows Update service
sophos -- Sophos AV detection string
Mutex
__MUTEX_NAME__ — placeholder mutex; prevents re-infection of the same machine
About BlackMatter
BlackMatter was launched in 2021 by the DarkSide developers (DarkSide shut down after the Colonial Pipeline attack). It targets corporate networks and uses "double extortion" (encryption plus the threat of leaking data). It has affected the industrial, food and energy sectors worldwide. It shut down again in November 2021.
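The attribution check this report relies on (cleartext strings in the sample contradicting the feed label) can be reproduced in a few lines. The following Python script is an added example and is not code from the original report or from the KEYDAL team: it extracts printable strings from a buffer, pulls out clearnet URLs, .onion addresses and `net stop` commands, reads the family name out of the ransom-note marker, and compares it with the label supplied by the feed. The byte blob is constructed here as a stand-in for the binary (only the indicator values come from the report above); the function names, the `feed_label` parameter and the single-entry `FAMILY_MARKERS` table are assumptions.

```python
import re

# Constructed stand-in for the strings of a sample. The indicator values are the ones
# listed in the report above; the surrounding bytes are filler. This is NOT the real binary.
SAMPLE = (
    b"\x00\x01MZ\x90\x00\x03junk\x00"
    b"BlackMatter Ransomware encrypted all your files!\x00"
    b"http://mojobiden.com\x00https://paymenthacks.com\x00"
    b"supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion\x00"
    b"net stop wuauserv\x00sophos\x00__MUTEX_NAME__\x00\xff\xfe"
)

MIN_LEN = 6  # drop short runs such as "MZ" or "junk"
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
NET_STOP_RE = re.compile(r"net stop (\S+)")

# Family markers taken from cleartext ransom notes. Only the BlackMatter marker seen in
# this report is listed; a real deployment would carry one pattern per family (assumption).
FAMILY_MARKERS = {
    "BlackMatter": re.compile(r"BlackMatter Ransomware"),
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return ASCII runs of at least min_len printable characters, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(data)]


def extract_indicators(data: bytes) -> dict:
    """Collect the cleartext network and anti-AV indicators from the sample."""
    strings = extract_strings(data)
    urls, onions, stopped = [], [], []
    for s in strings:
        urls.extend(URL_RE.findall(s))
        onions.extend(ONION_RE.findall(s))
        m = NET_STOP_RE.search(s)
        if m:
            stopped.append(m.group(1))
    return {"urls": urls, "onions": onions, "stopped_services": stopped}


def attribute_family(data: bytes):
    """Name the family whose ransom-note marker appears in the strings, or None."""
    for s in extract_strings(data):
        for family, marker in FAMILY_MARKERS.items():
            if marker.search(s):
                return family
    return None


def check_label(data: bytes, feed_label: str) -> dict:
    """Compare the feed's label with the family named in the cleartext ransom note."""
    note_family = attribute_family(data)
    mislabeled = note_family is not None and note_family.lower() != feed_label.lower()
    return {"feed_label": feed_label, "note_family": note_family, "mislabeled": mislabeled}


if __name__ == "__main__":
    print(extract_indicators(SAMPLE))
    print(check_label(SAMPLE, "Conti"))
```

Running the script against the constructed buffer with the feed label `Conti` reports the note family as `BlackMatter` and flags the mismatch; the same logic applied to the real sample's strings output is what turns the "MB Tag: Conti (WRONG)" row above into a repeatable check.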
IOC
| SHA256 | b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a |
|---|---|
| C2 | mojobiden.com, paymenthacks.com |
| TOR | supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion |
| Ransom Note | oG5IasxF4.README.txt |
BlackMatter — Malware Profile
BlackMatter RaaS, 2021. Successor to DarkSide. Cobalt Strike + run-as-admin. US critical infrastructure.
Malware Type
Ransomware
Programming Language
C
C2 Protocol
—
Target Systems
Windows/Linux
Capabilities & Behavior
File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)
IOC List (1 indicator)
IOC — BlackMatter
# SHA256
b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a
| Type | Value | Note |
|---|---|---|
| sha256 | b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a | — |
C2 Servers (6 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| mojobiden.com | domain | — | — | active | — |
| mojobiden.com | domain | 443 | HTTPS | active | — |
| mojobiden.com | domain | 443 | HTTPS | active | — |
| paymenthacks.com | domain | 443 | HTTPS | inactive | — |
| supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion | domain | 80 | HTTPS | inactive | — |
| paymenthacks.com | domain | 443 | HTTPS | inactive | — |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.