MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 374f9df39b92ccccae8a9b747e606aebe0ddaf117f8f6450052efb5160c99368. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlackMatter

Vendor detections: 18

Intelligence 18 IOCs YARA 6 File information Comments

SHA256 hash:	374f9df39b92ccccae8a9b747e606aebe0ddaf117f8f6450052efb5160c99368
SHA3-384 hash:	aff585bbea99a517053ef85027abbb786064d7204099047bf51c6276c9f6247e1867f6597f36b1b03dde4705eae59480
SHA1 hash:	0b38329650b2a4afdd1dbb107404b31651f90983
MD5 hash:	9b309cd7a3c63cf9ed694f37207d8958
humanhash:	carbon-glucose-five-stairway
File name:	2025-08-12_9b309cd7a3c63cf9ed694f37207d8958_darkside_elex_lockbit
Download:	download sample
Signature	BlackMatter Create hunting rule
File size:	152'576 bytes
First seen:	2025-08-12 20:54:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	914685b69f2ac2ff61b6b0f1883a054d (34 x BlackMatter, 15 x LockBit, 1 x BlackMatte)
ssdeep	1536:VzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDUXvRM2TTgo6c+E72ymY8gT8JQW:2qJogYkcSNm9V7Dgv/eEaQMtT
Threatray	412 similar samples on MalwareBazaar
TLSH	T134E36B21B15ED0B3D47718F22736B17DB3EA4D2C0AA96807E6D50F88BCA49232F4595F
TrID	25.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 19.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.1% (.EXE) Win32 Executable (generic) (4504/4/1) 7.8% (.EXE) Win16/32 Executable Delphi generic (2072/23) 7.8% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	AntiSkidding
Tags:	BlackMatter exe lockbit Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

762

Origin country :

Vendor Threat Intelligence

Malware family:

lockbit

ID:

File name:

_374f9df39b92ccccae8a9b747e606aebe0ddaf117f8f6450052efb5160c99368.exe

Verdict:

Malicious activity

Analysis date:

2025-08-12 21:37:43 UTC

Tags:

lockbit ransomware braincipher

Link:

https://app.any.run/tasks/6c126666-718f-4d7a-8ac6-83a2d6795557

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/20994/

Detection(s):

Win.Ransomware.LockBitBlack-10033143-1

Win.Ransomware.BlackMatter-9970818-0

Win.Ransomware.Lazy-10003135-0

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689baa5c9901157561b5aa85

Tags:

ransomware remo sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Сreating synchronization primitives

Launching a service

Changing a file

Delayed writing of the file

Reading critical registry keys

Creating a file in the %AppData% directory

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Modifies multiple files

Creating a file in the %temp% directory

Moving a file to the %temp% directory

Using the Windows Management Instrumentation requests

Creating a window

Searching for the window

Stealing user critical data

Creating a file in the mass storage device

Forced shutdown of a system process

Forced shutdown of a browser

Encrypting user's files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

blackmatter filecoder fingerprint genheur lockbit packed ransomware zeroaccess

Link:

https://www.filescan.io/uploads/689baa6e9ef4d2ff7cf92bf2/reports/b8fd40fb-cb1b-4dce-a86c-f45ae30b0117/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/374f9df39b92ccccae8a9b747e606aebe0ddaf117f8f6450052efb5160c99368

Malware family:

BlackMatter Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ca1ab652-8661-43a6-8b01-4cc95624b5dd

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/374f9df39b92ccccae8a9b747e606aebe0ddaf117f8f6450052efb5160c99368

Gathering data

Detection:

lockbit

Link:

https://mwdb.cert.pl/sample/374f9df39b92ccccae8a9b747e606aebe0ddaf117f8f6450052efb5160c99368/

Verdict:

Malicious

Threat:

Trojan-Ransom.Win32.Encoder

Link:

https://tip.neiki.dev/file/374f9df39b92ccccae8a9b747e606aebe0ddaf117f8f6450052efb5160c99368

Threat name:

Win32.Ransomware.Lockbit

Status:

Malicious

First seen:

2025-08-11 19:36:00 UTC

File Type:

PE (Exe)

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g5hz3443slgmzluktn2h4ydk5pqn3lyrp6hwiuaff35vcygjsnua._file

Verdict:

malicious

Label(s):

lockbit

BlackMatter

392f4f64305a84b2c1451761f931fe21eae4a1329864c5a83c3fdc8356b07ef9

BlackMatter

771a06e3a1bdb42a7249d1c888e740c2bc46ba30b54490188c17f6c84ca96e26

BlackMatter

8d5961cc31eaeda929fedc07b9505ec9e3a6b474afb6b70cfaa1f88a3d3962f4

BlackMatter

a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c

BlackMatter

bf1c0e2ca07484fafc27ac89aabbcb7b8ddfbc271fd8e6f11da9886e1713615d

BlackMatter

error

BlackMatter

+ 402 additional samples on MalwareBazaar

Result

Malware family:

lockbit

Score:

10/10

Tags:

family:lockbit defense_evasion discovery ransomware spyware stealer

Link:

https://tria.ge/reports/250812-zq5hsscj8s/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Control Panel

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops desktop.ini file(s)

Indicator Removal: File Deletion

Checks computer location settings

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Renames multiple (665) files with added filename extension

Verdict:

Malicious

Tags:

ransomware lockbit Win.Ransomware.BlackMatter-9970818-0

YARA:

Windows_Ransomware_Lockbit_369e1e94 LockBit3 MAL_RANSOM_Lockbit_Indicators_Feb24 MAL_RANSOM_LockBit_Indicators_Feb24_RID3362

Link:

https://app.threat.zone/submission/de508562-18f1-4658-8be2-f26388f33d1e

Unpacked files

SH256 hash:

374f9df39b92ccccae8a9b747e606aebe0ddaf117f8f6450052efb5160c99368

MD5 hash:

9b309cd7a3c63cf9ed694f37207d8958

SHA1 hash:

0b38329650b2a4afdd1dbb107404b31651f90983

Link:

https://www.unpac.me/results/87dee278-ad81-441e-af1b-d8b540c9336d/

Malware family:

LockBit

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/374f9df39b92/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.72

Link:

https://yomi.yoroi.company/submissions/374f9df39b92ccccae8a9b747e606aebe0ddaf117f8f6450052efb5160c99368

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CRIME_WIN32_RANSOM_BLACKMATTER Create hunting rule
Author:	Rony (@r0ny_123)
Description:	Detects Blackmatter ransomware

Rule name:	Darkside Create hunting rule
Author:	@bartblaze
Description:	Identifies Darkside ransomware.

Rule name:	lb_apihashing_code_1 Create hunting rule
Author:	0x0d4y
Description:	This rule detects samples from the Lockbit3.0 (and BlackMatter) family unpacked in memory, identifying code reuse of key functions.

Rule name:	lb_stack_string_decrypt_1 Create hunting rule
Author:	CTI Purple Team
Description:	This rule detects the code pattern of the Stack Strings decryption algorithm.

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Ransomware_Lockbit_369e1e94 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20994/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::GetCommandLineW KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::GetFileAttributesW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample