Manual Static Analysis (LLM-assisted) — BlackMatter Ransomware | Threat: CRITICAL
MalwareBazaar tagged the sample as Conti, but the cleartext ransom note reads "BlackMatter Ransomware". Mislabel detected.

File Identity

SHA256: b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a
File name: run-as-admin.exe
Size: 515,584 bytes
MB tag: Conti (WRONG)
Actual family: BlackMatter

Cleartext C2 Addresses

Type         Address                                                           Purpose
HTTP/HTTPS   http://mojobiden.com, https://mojobiden.com                       Data exfiltration / C2
HTTP/HTTPS   http://paymenthacks.com, https://paymenthacks.com                 Ransom payment portal
TOR Onion    supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion    Support portal over TOR

Cleartext Ransom Note

BlackMatter Ransomware encrypted all your files!
Your network is encrypted, and currently not operational.
We need only money, after payment we will give you a
decryptor for the entire network and you will restore
all the data.

[Note file]: oG5IasxF4.README.txt

Anti-AV and Anti-Forensics

net stop wuauserv      -- stops the Windows Update service
sophos                 -- Sophos AV detection string

Mutex

__MUTEX_NAME__: placeholder mutex; prevents re-infection of the same machine

About BlackMatter

BlackMatter was launched in 2021 by the DarkSide developers (DarkSide shut down after the Colonial Pipeline attack). It targets corporate networks and uses "double extortion" (encryption plus the threat of leaking stolen data). It has affected the industrial, food and energy sectors worldwide. It shut down again in November 2021.

IOC

SHA256: b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a
C2: mojobiden.com, paymenthacks.com
TOR: supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion
Ransom note: oG5IasxF4.README.txt

BlackMatter — Malware Profile

BlackMatter RaaS, 2021. Successor to DarkSide. Cobalt Strike + run-as-admin. US critical infrastructure.

Malware Type: Ransomware
Programming Language: C
C2 Protocol: —
Target Systems: Windows/Linux

Capabilities & Behavior

File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)

IOC List (1 indicator)

IOC — BlackMatter
Type     Value                                                              Note
sha256   b70e78971fc44f8413447139afe777f19fd1b93cf3b4843ef6da7c534f1e9b0a   —

C2 Servers (6 recorded servers for this family)

Address Type Port Protocol Status Country
mojobiden.com domain — — active —
mojobiden.com domain 443 HTTPS active —
mojobiden.com domain 443 HTTPS active —
paymenthacks.com domain 443 HTTPS inactive —
supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion domain 80 HTTPS inactive —
paymenthacks.com domain 443 HTTPS inactive —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
blackmatter, ransomware, mojobiden, paymenthacks, onion, tor, yanlis-etiket, net-stop, sophos