Field | Value |
---|---|
Created | 2021.09.07 08:18 |
Machine | s1_win7_x6402 |
Filename | blackmatter.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : clean |
VT API (file) | 53 detected (AIDetect, malware1, malicious, high confidence, score, Filecoder, confidence, 100%, BlackMatter, Mint, Zard, IDEX, ccmw, Generic@ML, RDML, qyeJDApQr3Dfr2VT4pj7Hw, Malware@#2sxlbnmiataa1, AGEN, SMYXBHMT, ASMalwS, Ransomware, GenericRXPT, ai score=85, TScope, Unsafe, Gencirc, tlTvXNFaIrI, Static AI, Malicious PE, susgen) |
md5 | 18c7c940bc6a4e778fbdf4a3e28151a8 |
sha256 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2 |
ssdeep | 1536:+nICS4ArFnRoHhcVyid9EZZoi+zQXFpVX42N:5ZnmqVyq9EN+Mb7 |
imphash | 2e4ae81fc349a1616df79a6f5499743f |
impfuzzy | 6:J9tz2RWvC1Mh5lXLMwPajLzFyBBzZeWt/MNlA7dKS79AHGDmE0OLGNFAW6:J9FHPPg3FyBaWt/mlAESamDz0OG96 |
Network IP location
Signature (13cnts)
Level | Description |
---|---|
danger | File has been identified by 53 AntiVirus engines on VirusTotal as malicious |
danger | Appends a new file extension or content to 963 files indicative of a ransomware file encryption process |
danger | Performs 963 file moves indicative of a ransomware file encryption process |
watch | Attempts to detect Cuckoo Sandbox through the presence of a file |
watch | Attempts to stop active services |
watch | Harvests credentials from local email clients |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid) |
info | One or more processes crashed |
info | Queries for the computername |
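The two "danger" rows above are the sandbox's rename-burst heuristic: 963 files renamed, each gaining a new extension, in one run. The same logic is what a host-side detection looks for. The block below is an added example, not part of the sandbox report or the sandbox's own rule: it scans file events in a constructed "timestamp|pid|operation|path" form (an assumed format; adapt the parser to Sysmon or EDR telemetry) and flags a process that renames many files inside a short window where most targets change extension. The window, the threshold of 10 and the 0.8 ratio are assumptions chosen for the example, not values from the report.

```python
"""Rename-burst heuristic for the two "danger" file-move signatures above.

Added example, not part of the sandbox report. The event format, window,
threshold and extension-change ratio are assumptions for illustration.
"""
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: pid 4 does ordinary renames; pid 1337 renames twelve
# documents in twelve seconds, appending ".locked" to each.
BENIGN = [
    "2021-09-07T08:17:50|4|create|C:\\Users\\a\\Documents\\notes.txt",
    "2021-09-07T08:17:55|4|rename|C:\\Users\\a\\Documents\\notes.txt->C:\\Users\\a\\Documents\\notes.bak",
    "2021-09-07T08:17:58|4|rename|C:\\Users\\a\\Documents\\report.docx->C:\\Users\\a\\Documents\\report_final.docx",
]
BURST = [
    f"2021-09-07T08:18:{i:02d}|1337|rename|C:\\Users\\a\\Documents\\doc{i}.docx"
    f"->C:\\Users\\a\\Documents\\doc{i}.docx.locked"
    for i in range(12)
]
SAMPLE_LOG = "\n".join(BENIGN + BURST)


def parse_events(text):
    """Parse 'ts|pid|op|src[->dst]' lines into (ts, pid, op, src, dst) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, op, paths = line.split("|", 3)
        src, _, dst = paths.partition("->")
        events.append((datetime.fromisoformat(ts), int(pid), op, src, dst or None))
    return events


def find_rename_bursts(events, window=timedelta(seconds=30), threshold=10, min_ext_ratio=0.8):
    """Return {pid: {"renames": n, "new_extensions": set}} for processes that
    performed at least `threshold` renames within `window`, with at least
    `min_ext_ratio` of them changing the file extension."""
    recent = defaultdict(deque)  # pid -> (ts, old_ext, new_ext) inside the window
    alerts = {}
    for ts, pid, op, src, dst in sorted(events, key=lambda e: e[0]):
        if op != "rename" or dst is None:
            continue
        q = recent[pid]
        # ntpath handles the Windows paths correctly even when run on Linux.
        q.append((ts, ntpath.splitext(src)[1].lower(), ntpath.splitext(dst)[1].lower()))
        while ts - q[0][0] > window:  # q never empties: the newest entry is `ts` itself
            q.popleft()
        changed = [new for _, old, new in q if old != new]
        if len(q) >= threshold and len(changed) / len(q) >= min_ext_ratio:
            prev = alerts.get(pid, {"renames": 0, "new_extensions": set()})
            alerts[pid] = {
                "renames": max(prev["renames"], len(q)),
                "new_extensions": prev["new_extensions"] | set(changed),
            }
    return alerts


def analyze(text=SAMPLE_LOG):
    return find_rename_bursts(parse_events(text))


if __name__ == "__main__":
    for pid, info in analyze().items():
        print(f"pid {pid}: {info['renames']} renames in window, "
              f"new extensions {sorted(info['new_extensions'])}")
```

The extension-change ratio is what separates an encryptor from a backup or sync tool that also renames in bulk but keeps extensions; at the report's scale (963 renames in one sandbox run) any sane threshold trips, so the ratio matters more for keeping false positives down than for catching this sample.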
Rules (2cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table)
gdi32.dll
0x412030 SetPixel
0x412034 SelectPalette
0x412038 TextOutW
0x41203c SelectObject
0x412040 BitBlt
0x412044 GetTextMetricsW
0x412048 GetTextColor
0x41204c CreateFontW
0x412050 CreateDIBitmap
USER32.dll
0x412018 GetMessageW
0x41201c EndDialog
0x412020 DefWindowProcW
0x412024 CreateWindowExW
0x412028 CreateMenu
KERNEL32.dll
0x412000 GetProcAddress
0x412004 GetModuleHandleA
0x412008 GetLocaleInfoW
0x41200c GetCommandLineW
0x412010 FormatMessageW
EAT (Export Address Table): none
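The import table above is unusually thin for a binary that renamed 963 files in the sandbox: 19 imports, most of them GDI and window-management decoys, no file, directory or crypto APIs, but GetProcAddress and GetModuleHandleA are present. That is the pattern behind the "packer" and RWX-memory signatures: the working API set is resolved at run time after unpacking. The block below is an added example, not part of the sandbox report; it parses the IAT listing exactly as printed above and applies that heuristic. The 30-import threshold and the keyword lists are assumptions chosen for the example. It also recomputes a pefile-style imphash (md5 over lowercase "lib.func" pairs, library extension stripped, in import-directory order); a report listing is not guaranteed to preserve that order, and may omit ordinal imports, so its output is a candidate to compare against the file with pefile, not a confirmation of the value in the header.

```python
"""Import-table triage for the IAT listing above.

Added example, not part of the sandbox report. REPORT_IAT is the listing as
printed in the report; the 30-import threshold and keyword lists are
assumptions for illustration.
"""
import hashlib
from collections import Counter

REPORT_IAT = """\
gdi32.dll
0x412030 SetPixel
0x412034 SelectPalette
0x412038 TextOutW
0x41203c SelectObject
0x412040 BitBlt
0x412044 GetTextMetricsW
0x412048 GetTextColor
0x41204c CreateFontW
0x412050 CreateDIBitmap
USER32.dll
0x412018 GetMessageW
0x41201c EndDialog
0x412020 DefWindowProcW
0x412024 CreateWindowExW
0x412028 CreateMenu
KERNEL32.dll
0x412000 GetProcAddress
0x412004 GetModuleHandleA
0x412008 GetLocaleInfoW
0x41200c GetCommandLineW
0x412010 FormatMessageW
"""

# APIs that let a binary resolve the rest of its imports at run time.
RESOLVERS = {"getprocaddress", "getmodulehandlea", "getmodulehandlew",
             "loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}
# Substrings a file encryptor would be expected to import statically.
FILE_OR_CRYPTO_HINTS = ("createfile", "writefile", "movefile", "findfirstfile",
                        "findnextfile", "crypt")


def parse_iat_listing(text):
    """Parse the report's 'dll / 0xaddr Name' layout into (dll, addr, func) tuples."""
    entries, dll = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().endswith((".dll", ".ocx", ".sys")):
            dll = line
            continue
        addr, func = line.split(None, 1)
        entries.append((dll, int(addr, 16), func))
    return entries


def assess_imports(entries, sparse_threshold=30):
    names = {func.lower() for _, _, func in entries}
    resolvers = sorted(n for n in names if n in RESOLVERS)
    static_io = sorted(n for n in names if any(h in n for h in FILE_OR_CRYPTO_HINTS))
    sparse = len(entries) < sparse_threshold
    return {
        "total": len(entries),
        "per_dll": dict(Counter(dll for dll, _, _ in entries)),
        "dynamic_resolution": resolvers,
        "sparse_iat": sparse,
        "static_file_or_crypto_imports": static_io,
        # Thin IAT + resolver imports + no file/crypto APIs, yet 963 renames
        # observed at run time: the working API set is resolved dynamically.
        "likely_runtime_api_resolution": sparse and bool(resolvers) and not static_io,
    }


def imphash(entries):
    """pefile-style imphash over named imports, in the order given."""
    parts = []
    for dll, _, func in entries:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def triage(text=REPORT_IAT):
    entries = parse_iat_listing(text)
    # The IAT addresses put KERNEL32 first (0x412000), the opposite of the
    # listing order; both candidates are returned because only the file's
    # import directory decides which one the real imphash uses.
    by_iat_address = sorted(entries, key=lambda e: e[1])
    return {
        "assessment": assess_imports(entries),
        "imphash_listing_order": imphash(entries),
        "imphash_iat_address_order": imphash(by_iat_address),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

If neither candidate equals the header's imphash, the listing is incomplete or out of order rather than the sample being different; confirm against the file with pefile before treating the hash as an indicator.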