MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlackMatter

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e
SHA3-384 hash:	678b1c28bd8049e637192e8359173e252ea8e7f9f05fdd0667268497ce1e4b4d986fe5afa5dd2eb65096d004c56e11a4
SHA1 hash:	371353e9564c58ae4722a03205ac84ab34383d8c
MD5 hash:	03b14473eef5b7e38d9a5041c1af0a76
humanhash:	bravo-wisconsin-blossom-papa
File name:	a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e
Download:	download sample
Signature	BlackMatter Create hunting rule
File size:	165'888 bytes
First seen:	2022-07-05 07:10:48 UTC
Last seen:	2022-07-05 20:30:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a50a0d82b9120fc73965c28fea79e1f9 (4 x LockBit, 3 x BlackMatter)
ssdeep	3072:o5uyulsHwDV1gFnTwn7zwJGJ+ut5kCI5Gzei3N2VzRmK:o5uZ1DPgFnk7EJwZI5gDN2VVm
Threatray	12'876 similar samples on MalwareBazaar
TLSH	T165F36C227112D177C4A239F1B32A76A1B39D8E2C16A8A453FAF8DF0538778237F15947
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.5% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	cyb3rops
Tags:	BlackMatter exe lockbit

Intelligence

File Origin

# of uploads :

# of downloads :

617

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.zip

Verdict:

Suspicious activity

Analysis date:

2022-07-06 05:44:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0af45954-83ab-4b13-819c-7ed1ccf63382

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.19271.17363.9162.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62c3e408c1b6cfcaa5ea15a3/reports/51cb9293-5a71-4648-b87c-930433e2f41d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

BlackMatter Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ba20852c-4abf-4d2b-aa78-564fed65fcb0

Result

Threat name:

LockBit ransomware

Detection:

malicious

Classification:

rans.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1024603

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found ransom note / readme

Found Tor onion address

Hides threads from debuggers

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Writes a notice file (html or txt) to demand a ransom

Writes to foreign memory regions

Yara detected LockBit ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e/

Threat name:

Win32.Ransomware.Encoder

Status:

Malicious

First seen:

2022-07-04 18:38:17 UTC

File Type:

PE (Exe)

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uvvudjqch6biztfk55dqq5cxdulj7w4pna5hl3ougd55ggrmh5xa._file

Verdict:

malicious

BlackMatter

598f6a197785846295000434721eede352fc5bea22fe3faef352f64770d06909

BlackMatter

63a8a847683b777e6d6143a1c886a2d38bd68ab632826115763db3b214d1e127

BlackMatter

899e3f377624c91677b2ddc324199eb854a630409145acf0941a32ed2d4cd005

BlackMatter

963043215c54f2a5b1ae6a53787ed78c838beb576e2744e304665f611c7fcb60

BlackMatter

9e3aeccf79c4c92f97410817a161701c59affa07403748695e61fef0d1d082e7

BlackMatter

ce7d3bdad0d089583e735635f3d475e11dde86d0ad1c76d8735085a9ec031d96

BlackMatter

d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee

BlackMatter

ded5b8b5d57f0e7d66f85cfd7067af3a22e6ce2877cb4d1fc5eb88963559316b

BlackMatter

+ 12'866 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220705-hzxqwaehfl/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e

MD5 hash:

03b14473eef5b7e38d9a5041c1af0a76

SHA1 hash:

371353e9564c58ae4722a03205ac84ab34383d8c

Detections:

win_blackmatter_auto

Link:

https://www.unpac.me/results/4029850a-8fa4-48dc-ac9a-ce6629eabc95/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CRIME_WIN32_RANSOM_BLACKMATTER Create hunting rule
Author:	Rony (@r0ny_123)
Description:	Detects Blackmatter ransomware

Rule name:	Darkside Create hunting rule
Author:	@bartblaze
Description:	Identifies Darkside ransomware.

Rule name:	LockBit3Detect_via_SectionPatterns Create hunting rule
Author:	InterProbe Malware-Vulnerability Research Team
Description:	Detects new LockBit 3.0 variants

Rule name:	LockbitBlack_Loader Create hunting rule
Author:	Zander Work
Description:	Hunting rule for the Lockbit Black loader, based on https://twitter.com/vxunderground/status/1543661557883740161

Rule name:	win_blackmatter_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.blackmatter.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/cyb3rops/status/1544216630296825856

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample