The Darker Things
Tags
Common Information
| Type | Value |
|---|---|
| UUID | 1fbb3769-050b-4795-bd09-faadb12ec037 |
| Fingerprint | b6917051b509bc51 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | March 11, 2021, midnight |
| Added to db | Aug. 31, 2024, 12:51 a.m. |
| Last updated | Nov. 17, 2024, 6:49 p.m. |
| Headline | UNKNOWN |
| Title | The Darker Things |
| Detected Hints/Tags/Attributes | 70/2/82 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://blog.group-ib.com/blackmatter2 |
URL Provider
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 36 | ✔ | Blog Group-IB | https://blog.group-ib.com/rss.xml | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 1373 | twitter.com |
|
| Details | Domain | 10 | paymenthacks.com |
|
| Details | Domain | 11 | mojobiden.com |
|
| Details | Domain | 4 | nowautomation.com |
|
| Details | Domain | 3 | fluentzip.org |
|
| Details | Domain | 1 | ransomware.blackmatter.windows |
|
| Details | File | 367 | readme.txt |
|
| Details | sha256 | 2 | 072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486 |
|
| Details | sha256 | 7 | 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6 |
|
| Details | sha256 | 4 | 2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009 |
|
| Details | sha256 | 2 | 3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117 |
|
| Details | sha256 | 2 | 4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91 |
|
| Details | sha256 | 1 | 6155637f8b98426258f5d4321bce4104df56c7771967813d61362c2118632a7b |
|
| Details | sha256 | 2 | 668a4a2300f36c9df0f7307cc614be3297f036fa312a424765cdb2c169187fe6 |
|
| Details | sha256 | 1 | 72687c63258efe66b99c2287748d686b6cca2b0eb6f5398d17f31cb46294012c |
|
| Details | sha256 | 5 | 7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984 |
|
| Details | sha256 | 4 | c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99 |
|
| Details | sha256 | 2 | c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe |
|
| Details | sha256 | 1 | f63c6d08ebfba65173763c61d3767667936851161efa51ff4146c96041a02b20 |
|
| Details | sha256 | 1 | 84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f |
|
| Details | sha256 | 1 | a6e14988d91f09db44273c79cba51c16b444afafa37ba5968851badb2a62ef27 |
|
| Details | sha256 | 1 | 7c642cdeaa55f56c563d82837f4dc630583b516a5d02d5a94b57b65489d74425 |
|
| Details | sha256 | 2 | cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7 |
|
| Details | sha256 | 2 | 6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db |
|
| Details | sha256 | 2 | 86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94 |
|
| Details | sha256 | 2 | b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f |
|
| Details | sha256 | 1 | e4fd947a781611c85ea2e5afa51b186de7f351026c28eb067ad70028acd72cda |
|
| Details | sha256 | 2 | 2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c |
|
| Details | sha256 | 2 | 0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4 |
|
| Details | sha256 | 2 | 1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849 |
|
| Details | sha256 | 2 | 1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2 |
|
| Details | sha256 | 2 | 20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41 |
|
| Details | sha256 | 2 | 2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd |
|
| Details | sha256 | 2 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2 |
|
| Details | sha256 | 2 | 3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40 |
|
| Details | sha256 | 2 | 4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b |
|
| Details | sha256 | 3 | 520bd9ed608c668810971dbd51184c6a29819674280b018dc4027bc38fc42e57 |
|
| Details | sha256 | 3 | 5da8d2e1b36be0d661d276ea6523760dbe3fa4f3fdb7e32b144812ce50c483fa |
|
| Details | sha256 | 2 | 66e6563ecef8f33b1b283a63404a2029550af9a6574b84e0fb3f2c6a8f42e89f |
|
| Details | sha256 | 3 | 706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d |
|
| Details | sha256 | 2 | 8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac |
|
| Details | sha256 | 2 | 8f1b0affffb2f2f58b477515d1ce54f4daa40a761d828041603d5536c2d53539 |
|
| Details | sha256 | 2 | 9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a |
|
| Details | sha256 | 2 | b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a |
|
| Details | sha256 | 2 | b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7 |
|
| Details | sha256 | 1 | cb5a89a31a97f8d815776ff43f22f4fec00b32aae4f580080c7300875d991163 |
|
| Details | sha256 | 3 | e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d |
|
| Details | sha256 | 2 | e9b24041847844a5d57b033bf0b41dc637eba7664acfb43da5db635ae920a1b4 |
|
| Details | sha256 | 2 | eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b |
|
| Details | sha256 | 2 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1 |
|
| Details | sha256 | 2 | f7b3da61cb6a37569270554776dbbd1406d7203718c0419c922aa393c07e9884 |
|
| Details | sha256 | 1 | 496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d |
|
| Details | sha256 | 2 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c |
|
| Details | sha256 | 1 | 4524784688e60313b8fefdebde441ca447c1330d90b86885fb55d099071c6ec9 |
|
| Details | sha256 | 1 | 5236a8753ab103634867289db0ba1f075f0140355925c7bd014de829454a14a0 |
|
| Details | sha256 | 1 | 69e5f8287029bcc65354abefabb6854b4f7183735bd50b2da0624eb3ae252ea8 |
|
| Details | sha256 | 2 | 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4 |
|
| Details | sha256 | 2 | 8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952 |
|
| Details | sha256 | 1 | ccee26ea662c87a6c3171b091044282849cc8d46d4b9b9da6cf429b8114c4239 |
|
| Details | sha256 | 2 | ed47e6ecca056bba20f2b299b9df1022caf2f3e7af1f526c1fe3b8bf2d6e7404 |
|
| Details | sha256 | 2 | fe2b2beeff98cae90f58a5b2f01dab31eaa98d274757a7dd9f70f4dc8432a6e2 |
|
| Details | sha256 | 1 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345 |
|
| Details | sha256 | 1 | 7a223a0aa0f88e84a68da6cde7f7f5c3bb2890049b0bf3269230d87d2b027296 |
|
| Details | sha256 | 2 | 9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58 |
|
| Details | sha256 | 1 | 2f20732aaa3d5ce8d2efeb37fe6fed7e73a29104d8227a1160e8538a3ee27dad |
|
| Details | sha256 | 1 | 9a8cd3a30e54a2ebb6d73fd7792ba60a6278a7301232321f226bb29fb8d0b3d6 |
|
| Details | sha256 | 1 | 1247a68b960aa81b7517c614c12c8b5d1921d1d2fdf17be636079ad94caf970f |
|
| Details | sha256 | 2 | 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502 |
|
| Details | sha256 | 2 | d4645d2c29505cf10d1b201826c777b62cbf9d752cb1008bef1192e0dd545a82 |
|
| Details | Url | 1 | https://twitter.com/ddd1ms/status/1441044423798820889 |
|
| Details | Url | 2 | https://paymenthacks.com |
|
| Details | Url | 3 | http://paymenthacks.com |
|
| Details | Url | 3 | https://mojobiden.com |
|
| Details | Url | 4 | http://mojobiden.com |
|
| Details | Url | 1 | https://nowautomation.com |
|
| Details | Url | 2 | http://nowautomation.com |
|
| Details | Url | 1 | https://fluentzip.org |
|
| Details | Url | 1 | http://fluentzip.org |
|
| Details | Windows Registry Key | 7 | HKLM\SOFTWARE\Microsoft\Cryptography |
|
| Details | Yara rule | 1 | import "elf"
rule DarkSide_BM {
meta:
author = "Andrey Zhdanov"
company = "Group-IB"
family = "ransomware.darkside_blackmatter"
description = "DarkSide/BlackMatter ransomware Windows payload"
severity = 10
score = 100
strings:
$h1 = { 64 A1 30 00 00 00 8B B0 A4 00 00 00 8B B8 A8 00 00 00 83 FE 05 75 05 83 FF 01 }
condition:
((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and ((1 of ($h*)))
} |
|
| Details | Yara rule | 1 | rule BlackMatter {
meta:
author = "Andrey Zhdanov"
company = "Group-IB"
family = "ransomware.blackmatter.windows"
description = "BlackMatter ransomware Windows payload"
severity = 10
score = 100
strings:
$h0 = { 80 C6 61 80 EE 61 C1 CA 0D 03 D0 }
$h1 = { 02 F1 2A F1 B9 0D 00 00 00 D3 CA 03 D0 }
$h2 = { 3C 2B 75 04 B0 78 EB 0E 3C 2F 75 04 B0 69 EB 06 3C 3D 75 02 B0 7A }
$h3 = { 33 C0 40 40 8D 0C C5 01 00 00 00 83 7D 0? 00 75 04 F7 D8 EB 0? }
condition:
((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and ((1 of ($h*)))
} |
|
| Details | Yara rule | 1 | import "elf"
rule BlackMatter_Linux {
meta:
author = "Andrey Zhdanov"
company = "Group-IB"
family = "ransomware.blackmatter.linux"
description = "BlackMatter ransomware Linux payload"
severity = 10
score = 100
strings:
$h0 = { 0F B6 10 84 D2 74 19 0F B6 34 0F 40 38 F2 74 10 48 83 C1 01 31 F2 48 83 F9 20 88 10 49 0F 44 C9 48 83 C0 01 4C 39 C0 75 D7 }
$h1 = { 44 42 46 44 C7 4? [1-2] 30 35 35 43 C7 4? [1-2] 2D 39 43 46 C7 4? [1-2] 32 2D 34 42 C7 4? [1-2] 42 38 2D 39 C7 4? [1-2] 30 38 45 2D C7 4? [1-2] 36 44 41 32 C7 4? [1-2] 32 33 32 31 C7 4? [1-2] 42 46 31 37 }
condition:
(uint32(0) == 0x464C457F) and ((1 of ($h*)) or for any i in (0 .. elf.number_of_sections - 2) : ( (elf.sections[i].name == ".app.version") and (elf.sections[i + 1].name == ".cfgETD") ))
} |