MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackMatter


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f
SHA3-384 hash: 04733702ec7f551396ca99f1422e5630181ec37144e79d16563ee14c612eaacf6966c5dce9c430a4ee2fdb91d29fb6ea
SHA1 hash: cafd8d20f2abaebbbfc367b4b4512107362f3758
MD5 hash: 1dd464cbb3fbd6881eef3f05b8b1fbd5
humanhash: colorado-georgia-blue-black
File name:b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f
Download: download sample
Signature BlackMatter
Create hunting rule
File size:73'728 bytes
First seen:2021-08-11 06:54:32 UTC
Last seen:2021-08-11 07:57:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 96c0c982709316e2c58b11a3c2b057ce (3 x BlackMatter)
ssdeep 1536:yICS4AgxwhjEO3r825exqkHYnKeGsXqsMt:R2SN3mxYnKr
Threatray 6 similar samples on MalwareBazaar
TLSH T1C773491179A5D073E0765AB2BB0E79713BCD9D3D1C366483A4D80F48EBA04631F2AE97
Reporter JAMESWT_WT
Tags:BlackMatter exe Ransomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
379
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f
Verdict:
Malicious activity
Analysis date:
2021-08-11 06:56:17 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/96705f02-6557-4442-af56-cbcb412f4032

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178112/
Detection(s):
SecuriteInfo.com.Trojan.Encoder.34227.20634.16931.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a service
Creating a file
Delayed writing of the file
Changing a file
Reading critical registry keys
Replacing files
Creating a file in the %AppData% subdirectories
Sending a UDP request
Stealing user critical data
Creating a file in the mass storage device
Forced shutdown of a browser
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BlackMatter Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9847c0fe-de21-4b89-a1ca-a9ad45a77d5f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/830666
Signature
Antivirus / Scanner detection for submitted sample
Changes the wallpaper picture
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found Tor onion address
Hides threads from debuggers
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Writes a notice file (html or txt) to demand a ransom
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f/
Threat name:
Win32.Ransomware.MintZard
Create hunting rule
Status:
Malicious
First seen:
2021-08-07 09:53:38 UTC
File Type:
PE (Exe)
AV detection:
32 of 47 (68.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xaslxrsf6fpcco2mwjri67jyh2pdokbalgyd637gb56ij2q75upq._file
Verdict:
malicious
Similar samples:
22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
BlackMatter
7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984
BlackMatter
c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99
BlackMatter
daed41395ba663bef2c52e3d1723ac46253a9008b582bb8d9da9cb0044991720
BlackMatter
Result
Malware family:
blackmatter
Create hunting rule
Score:
  10/10
Tags:
family:blackmatter ransomware
Link:
https://tria.ge/reports/210811-ffapfh5x4n/
Behaviour
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Modifies extensions of user files
BlackMatter Ransomware
Unpacked files
SH256 hash:
b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f
MD5 hash:
1dd464cbb3fbd6881eef3f05b8b1fbd5
SHA1 hash:
cafd8d20f2abaebbbfc367b4b4512107362f3758
Link:
https://www.unpac.me/results/7e37186e-e996-472b-a164-2fae7c90ed11/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b824bbc645f1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BlackMatter
Create hunting rule
Author:ATR McAfee
Rule name:CRIME_WIN32_RANSOM_BLACKMATTER
Create hunting rule
Author:Rony (@r0ny_123)
Description:Detects Blackmatter ransomware
Rule name:Darkside
Create hunting rule
Author:@bartblaze
Description:Identifies Darkside ransomware.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/178112/

Comments