Field | Value
---|---
Created | 2021.09.07 15:06
Machine | s1_win7_x6401
Filename | blackmatter.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows
AI Score |
Behavior Score |
ZERO API | file : clean
VT API (file) | 53 detected (AIDetect, malware1, malicious, high confidence, score, Filecoder, confidence, 100%, BlackMatter, Mint, Zard, IDEX, ccmw, Generic@ML, RDML, qyeJDApQr3Dfr2VT4pj7Hw, Malware@#2sxlbnmiataa1, AGEN, SMYXBHMT, ASMalwS, Ransomware, GenericRXPT, ai score=85, TScope, Unsafe, Gencirc, tlTvXNFaIrI, Static AI, Malicious PE, susgen)
md5 | 18c7c940bc6a4e778fbdf4a3e28151a8
sha256 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2
ssdeep | 1536:+nICS4ArFnRoHhcVyid9EZZoi+zQXFpVX42N:5ZnmqVyq9EN+Mb7
imphash | 2e4ae81fc349a1616df79a6f5499743f
impfuzzy | 6:J9tz2RWvC1Mh5lXLMwPajLzFyBBzZeWt/MNlA7dKS79AHGDmE0OLGNFAW6:J9FHPPg3FyBaWt/mlAESamDz0OG96
Network IP location
Signatures (13 counts)
Level | Description
---|---
danger | Appends a new file extension or content to 3799 files, indicative of a ransomware file encryption process
danger | File has been identified by 53 AntiVirus engines on VirusTotal as malicious
danger | Performs 3799 file moves, indicative of a ransomware file encryption process
watch | Appends a known multi-family ransomware file extension to files that have been encrypted
watch | Attempts to detect Cuckoo Sandbox through the presence of a file
watch | Attempts to stop active services
notice | Allocates read-write-execute memory (usually to unpack itself)
notice | Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk
notice | Terminates another process
notice | The binary likely contains encrypted or compressed data, indicative of a packer
info | Checks amount of memory in system
info | Collects information to fingerprint the system (MachineGuid
info | Queries for the computer name
Rules (3 counts)
Level | Name | Description | Collection
---|---|---|---
danger | BlackMatter_Ransomware_IN | BlackMatter Ransomware | binaries (upload)
info | IsPE32 | (no description) | binaries (upload)
info | PE_Header_Zero | PE File Signature | binaries (upload)
PE API
IAT (Import Address Table)
Library | Address | Function
---|---|---
gdi32.dll | 0x412030 | SetPixel
gdi32.dll | 0x412034 | SelectPalette
gdi32.dll | 0x412038 | TextOutW
gdi32.dll | 0x41203c | SelectObject
gdi32.dll | 0x412040 | BitBlt
gdi32.dll | 0x412044 | GetTextMetricsW
gdi32.dll | 0x412048 | GetTextColor
gdi32.dll | 0x41204c | CreateFontW
gdi32.dll | 0x412050 | CreateDIBitmap
USER32.dll | 0x412018 | GetMessageW
USER32.dll | 0x41201c | EndDialog
USER32.dll | 0x412020 | DefWindowProcW
USER32.dll | 0x412024 | CreateWindowExW
USER32.dll | 0x412028 | CreateMenu
KERNEL32.dll | 0x412000 | GetProcAddress
KERNEL32.dll | 0x412004 | GetModuleHandleA
KERNEL32.dll | 0x412008 | GetLocaleInfoW
KERNEL32.dll | 0x41200c | GetCommandLineW
KERNEL32.dll | 0x412010 | FormatMessageW
EAT (Export Address Table): none