MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e90bd4ffc09f362b480fd8b751fc055476bb250e33236230d5058bc73c04ee36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlackMatter

Vendor detections: 18

Intelligence 18 IOCs YARA 5 File information Comments

SHA256 hash:	e90bd4ffc09f362b480fd8b751fc055476bb250e33236230d5058bc73c04ee36
SHA3-384 hash:	83a0954a05c8ef5eab0e9059f3ee3cab4b18268006fabbcc0e88e775ca1e9115911d8a1bf9f095e9647b4bd61b85ceb4
SHA1 hash:	ffaa98f9fa4c159636943ddb6c6c6978ee03b2da
MD5 hash:	2d6fc7281e8fa096f87e7c5b60ed9034
humanhash:	minnesota-steak-one-london
File name:	rr.exe
Download:	download sample
Signature	BlackMatter Create hunting rule
File size:	152'576 bytes
First seen:	2025-12-19 11:59:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	914685b69f2ac2ff61b6b0f1883a054d (36 x BlackMatter, 16 x LockBit, 1 x BlackMatte)
ssdeep	1536:kzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDT8Oxa6sHOIsRF/7h9Hbi19YdVT:rqJogYkcSNm9V7DTn8sDzO19wVT
TLSH	T1D1E37C21F11ED0B3D87718F21B26B17DB3EA4D2C1A656807E6E50F48BCA58232F4695F
TrID	25.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 19.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.1% (.EXE) Win32 Executable (generic) (4504/4/1) 7.8% (.EXE) Win16/32 Executable Delphi generic (2072/23) 7.8% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	NDA0E
Tags:	BlackMatter exe lockbit

Intelligence

File Origin

# of uploads :

# of downloads :

156

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

LockBit

Details

LockBit

a PCG-lockbit seed, a RSA public key modulus, flags, hashes for excluded folders, files, and extensions, hashes for computer names, killed processes and services, a list of credentials, a ransom note, and information parsed from the ransom note

Link:

https://research.acce.ciphertechsolutions.com/results/5e08213f-4986-4c1d-b7c8-aadc217eef2d/

Malware family:

lockbit

ID:

File name:

_e90bd4ffc09f362b480fd8b751fc055476bb250e33236230d5058bc73c04ee36.exe

Verdict:

Malicious activity

Analysis date:

2025-12-19 12:00:38 UTC

Tags:

braincipher ransomware lockbit darkside

Link:

https://app.any.run/tasks/b7d7c5bc-8ded-4633-99b9-6101874311bf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45502/

Detection(s):

Win.Ransomware.LockBitBlack-10033143-1

Win.Ransomware.BlackMatter-9970818-0

Win.Ransomware.Lazy-10003135-0

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69453e6029df60c6e007bc39

Tags:

ransomware shellcode virus

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint packed

Link:

https://www.filescan.io/uploads/69453e5d3f8fdbf8e94c0a3a/reports/d466d586-6aaa-4389-a257-f048ac7e10a7/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/e90bd4ffc09f362b480fd8b751fc055476bb250e33236230d5058bc73c04ee36

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-19T09:06:00Z UTC

Last seen:

2025-12-20T02:26:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic Trojan-Ransom.Win32.Lockbit.tre Trojan-Ransom.Win32.Encoder.sb Trojan-Ransom.Win32.Agent.sb Trojan.Win32.Udochka.sb Trojan.Win32.Agent.sb HEUR:Trojan-Ransom.Win32.Generic Trojan-Ransom.Win32.BlackMatter.d

Link:

https://opentip.kaspersky.com/e90bd4ffc09f362b480fd8b751fc055476bb250e33236230d5058bc73c04ee36/results?tab=lookup

Malware family:

BlackMatter Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a43e5be5-fe23-4c8b-a6b5-1df27156396f

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e90bd4ffc09f362b480fd8b751fc055476bb250e33236230d5058bc73c04ee36

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/2d6fc7281e8fa096f87e7c5b60ed9034

Detection:

lockbit

Link:

https://mwdb.cert.pl/sample/e90bd4ffc09f362b480fd8b751fc055476bb250e33236230d5058bc73c04ee36/

Verdict:

Malicious

Threat:

Family.DARKSIDE

Link:

https://tip.neiki.dev/file/e90bd4ffc09f362b480fd8b751fc055476bb250e33236230d5058bc73c04ee36

Threat name:

Win32.Ransomware.Lockbit

Status:

Malicious

First seen:

2025-12-19 11:40:25 UTC

File Type:

PE (Exe)

AV detection:

33 of 36 (91.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5ef5j76at43cwsap3c3vd7afkr3lwjiogmrwemgvawf4opae5y3a._file

Verdict:

malicious

Label(s):

lockbit

Similar samples:

error

BlackMatter

Result

Malware family:

lockbit

Score:

10/10

Tags:

family:lockbit credential_access defense_evasion discovery ransomware spyware stealer

Link:

https://tria.ge/reports/251223-p8s8dazld1/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops desktop.ini file(s)

Enumerates connected drives

Indicator Removal: File Deletion

Checks computer location settings

Credentials from Password Stores: Windows Credential Manager

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Verdict:

Malicious

Tags:

ransomware lockbit Win.Ransomware.LockBitBlack-10033143-1

YARA:

Windows_Ransomware_Lockbit_369e1e94 LockBit3 MAL_RANSOM_Lockbit_Indicators_Feb24 MAL_RANSOM_LockBit_Indicators_Feb24_RID3362

Link:

https://app.threat.zone/submission/73d8d044-87dc-4316-a235-43fee3c00e21

Unpacked files

SH256 hash:

e90bd4ffc09f362b480fd8b751fc055476bb250e33236230d5058bc73c04ee36

MD5 hash:

2d6fc7281e8fa096f87e7c5b60ed9034

SHA1 hash:

ffaa98f9fa4c159636943ddb6c6c6978ee03b2da

Link:

https://www.unpac.me/results/dfa0b418-ceb8-4d68-81c7-27254d2e110e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e90bd4ffc09f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.72

Link:

https://yomi.yoroi.company/submissions/e90bd4ffc09f362b480fd8b751fc055476bb250e33236230d5058bc73c04ee36

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CRIME_WIN32_RANSOM_BLACKMATTER Create hunting rule
Author:	Rony (@r0ny_123)
Description:	Detects Blackmatter ransomware

Rule name:	Darkside Create hunting rule
Author:	@bartblaze
Description:	Identifies Darkside ransomware.

Rule name:	lb_apihashing_code_1 Create hunting rule
Author:	0x0d4y
Description:	This rule detects samples from the Lockbit3.0 (and BlackMatter) family unpacked in memory, identifying code reuse of key functions.

Rule name:	lb_stack_string_decrypt_1 Create hunting rule
Author:	CTI Purple Team
Description:	This rule detects the code pattern of the Stack Strings decryption algorithm.