Play interactive tour
Edit tourWindows Analysis Report GlLHM7paoZ.exe
Overview
General Information
| Sample Name: | GlLHM7paoZ.exe |
| Analysis ID: | 508200 |
| MD5: | 598c53bfef81e489375f09792e487f1a |
| SHA1: | 80a29bd2c349a8588edf42653ed739054f9a10f5 |
| SHA256: | 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6 |
| Infos: | |
Most interesting Screenshot:  | |
Detection
BLACKMatter
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Found ransom note / readme
Antivirus / Scanner detection for submitted sample
Yara detected BLACKMatter Ransomware
Multi AV Scanner detection for domain / URL
Hides threads from debuggers
Changes the wallpaper picture
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Writes a notice file (html or txt) to demand a ransom
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Contains functionality to read the PEB
Enables security privileges
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
Threatname: BLACKMatter |
|---|
{"Version": "1.2", "RSA Key": "8719a830f4ba94949291582b6654f96c96d9a0f4419f52f367cf2e19b9c95a9b7091cbefafbe5ae39dae285894590a8db8b764e572fab5234646f8659ada2fbd8c37bfddd60797a5ad9dad2ded37969d179ea4ad4c1980d0e70b056241d325e18beb5cc4925fa56abf810f916e7932d016a86e3ad97749e75f9031114b060b56", "Company Victim ID": "512478c08dada2af19e49808fbda5b0b", "AES key": "a6f330b09cd47b4fb9214f7836aa46ad", "ODD_CRYPT_LARGE_FILES": false, "NEED_MAKE_LOGON": true, "MOUNT_UNITS_AND_CRYPT": true, "CRYPT_NETWORK_RESOURCES_AND_AD": true, "TERMINATE_PROCESSES": true, "STOP_SERVICES_AND_DELETE": true, "CREATE_MUTEX": true, "PREPARE_VICTIM_DATA_AND_SEND": true, "PROCESS_TO_KILL": ["encsvc", "thebat", "mydesktopqos", "xfssvccon", "firefox", "infopath", "winword", "steam", "synctime", "notepad", "ocomm", "onenote", "mspub", "thunderbird", "agntsvc", "sql", "excel", "powerpnt", "outlook", "wordpad", "dbeng50", "isqlplussvc", "sqbcoreservice", "oracle", "ocautoupds", "dbsnmp", "msaccess", "tbirdconfig", "ocssd", "mydesktopservice", "visio"], "SERVICES_TO_KILL": ["mepocs", "memtas", "veeam", "svc$", "backup", "sql", "vss"], "C2_URLS": ["https://paymenthacks.com", "http://paymenthacks.com", "https://mojobiden.com", "http://mojobiden.com"], "LOGON_USERS_INFORMATION": ["aheisler@hhcp.com:120Heisler", "dsmith@hhcp.com:Tesla2019", "administrator@hhcp.com:iteam8**"], "RANSOM_NOTE": " ~+ \r\n * +\r\n ' BLACK |\r\n () .-.,='``'=. - o - \r\n '=/_ \\ | \r\n * | '=._ | \r\n \\ `=./`, ' \r\n . '=.__.=' `=' *\r\n + Matter +\r\n O * ' .\r\n\r\n>>> What happens?\r\n Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver.\r\n We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.\r\n\r\n>>> What guarantees? \r\n We are not a politically motivated group and we do not need anything other than your money. \r\n If you pay, we will provide you the programs for decryption and we will delete your data. \r\n If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. \r\n We always keep our promises.\r\n\r\n>> Data leak includes\r\n1. Full emloyeers personal data\r\n2. Network information\r\n3. Schemes of buildings, active project information, architect details and contracts, \r\n4. Finance info\r\n\r\n\r\n>>> How to contact with us? \r\n 1. Download and install TOR Browser (https://www.torproject.org/).\r\n 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.\r\n \r\n>>> Warning! Recovery recommendations. \r\n We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them."}Yara Overview |
|---|
Initial Sample |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| RAN_BlackMatter_Aug_2021_1 | Detect BlackMatter ransomware | Arkbird_SOLG |
|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_blackmatter | Yara detected BLACKMatter Ransomware | Joe Security | ||
| JoeSecurity_blackmatter | Yara detected BLACKMatter Ransomware | Joe Security | ||
| JoeSecurity_blackmatter | Yara detected BLACKMatter Ransomware | Joe Security | ||
| JoeSecurity_blackmatter | Yara detected BLACKMatter Ransomware | Joe Security |
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| RAN_BlackMatter_Aug_2021_1 | Detect BlackMatter ransomware | Arkbird_SOLG |
| |
| RAN_BlackMatter_Aug_2021_1 | Detect BlackMatter ransomware | Arkbird_SOLG |
|
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Jbx Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||