{
	"id": "377058f8-854c-4a2d-8ed0-6c23982e2400",
	"created_at": "2026-04-06T00:15:49.409359Z",
	"updated_at": "2026-04-10T03:24:29.085707Z",
	"deleted_at": null,
	"sha1_hash": "b6f4dc9705c9cbcf889e46a679db02ade42cdc2a",
	"title": "malware_analysis/blackmatter at master · sisoma2/malware_analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51545,
	"plain_text": "malware_analysis/blackmatter at master ·\r\nsisoma2/malware_analysis\r\nBy Marc\r\nArchived: 2026-04-05 19:14:51 UTC\r\nIn this repo you can find a small tool called BlackMatter_hash.py to recover the hashes hardcoded in different\r\nsamples of the BlackMatter ransomware.\r\nUsage\r\nTo work, it needs a file with the hashes, one per line, and a dictionary file with the processes to\r\nbrute-force, in the same format.\r\npython BlackMatter_hash.py -d HASHES_FILE -t DICTIONARY_FILE -o OUTPUT_FILE\r\npython BlackMatter_hash.py -m MODULE_NAME -a API_NAME\r\npython BlackMatter_hash.py -s STRING\r\nFile Format\r\nThe script will calculate the hash of every string in the dictionary file.\r\nHashes must be in hexadecimal; the 0x prefix is optional.\r\nLines starting with '#' will be ignored.\r\n# Hashes file example\r\n0xE99018C0\r\n4c4b25d4\r\n# Dict file example\r\n$recycle.bin\r\nExample\r\npython BlackMatter_hash.py -d dict.txt -t hashes.txt -o cracked.json\r\n[*] Trying to crack 98 hashes...\r\n[+] Cracked hash 0xc5b01900 = adv\r\n[+] Cracked hash 0xd4aaebb2 = admin$\r\n[+] Cracked hash 0xdd801cc0 = msp\r\n[+] Cracked hash 0xdd181cc0 = msc\r\nhttps://github.com/sisoma2/malware_analysis/tree/master/blackmatter\r\nPage 1 of 4\r\n[+] Cracked hash 0xc9201b40 = cmd\r\n[+] Cracked hash 0xcbb01c80 = drv\r\n[+] Cracked hash 0x64e29771 = diagpkg\r\n[+] Cracked hash 0x3907099b = boot.ini\r\n[+] Cracked hash 0xd3081d00 = hta\r\n[+] Cracked hash 0xdd081c00 = mpa\r\n[+] Cracked hash 0xe1a63bc0 = boot\r\n[+] Cracked hash 0xe7801d00 = rtp\r\n[+] Cracked hash 0xcd281e00 = exe\r\n[+] Cracked hash 0x7f07935 = windows.old\r\n[+] Cracked hash 0xfe9e7c10 = runonce.exe\r\n[+] Cracked hash 0xdb301900 = ldf\r\n[+] Cracked hash 0xc6ce6958 = appdata\r\n[+] Cracked hash 0xa1fccbfe = deskthemepack\r\n[+] Cracked hash 0xdd301900 = mdf\r\n[+] Cracked hash 0xe9601c00 = spl\r\n[+] Cracked hash 0xe3426cd7 = windows\r\n[+] Cracked hash 0xd57818c0 = ico\r\n[+] Cracked hash 0xdb975937 = ntldr\r\n[+] Cracked hash 0x267078f5 = $windows.~bt\r\n[+] Cracked hash 0x85aa57e4 = ntuser.dat.log\r\n[+] Cracked hash 0xdd101900 = mdb\r\n[+] Cracked hash 0x86ccaa15 = autorun.inf\r\n[+] Cracked hash 0xfcc8ab56 = bootsect.bak\r\n[+] Cracked hash 0xd9c81940 = key\r\n[+] Cracked hash 0xc5481b80 = ani\r\n[+] Cracked hash 0x26687e35 = $windows.~ws\r\n[+] Cracked hash 0x4ae29631 = diagcfg\r\n[+] Cracked hash 0xc9601c00 = cpl\r\n[+] Cracked hash 0xdd481cc0 = msi\r\n[+] Cracked hash 0x5366e694 = perflogs\r\n[+] Cracked hash 0xf1c01c00 = wpx\r\n[+] Cracked hash 0x2e75e394 = programdata\r\n[+] Cracked hash 0xc7a01840 = bat\r\n[+] Cracked hash 0x4c4b25d4 = tor browser\r\n[+] Cracked hash 0xba22623b = all users\r\n[+] Cracked hash 0xe9981a00 = shs\r\n[+] Cracked hash 0xb7ea3892 = msocache\r\n[+] Cracked hash 0xc9901d40 = cur\r\n[+] Cracked hash 0xe1881cc0 = ps1\r\n[+] Cracked hash 0xa6f2d1a7 = application data\r\n[+] Cracked hash 0xc23aa6f5 = ntuser.dat\r\n[+] Cracked hash 0xd59818c0 = ics\r\n[+] Cracked hash 0xe9981e40 = sys\r\n[+] Cracked hash 0xc9101840 = cab\r\n[+] Cracked hash 0xc8cef7d1 = thumbs.db\r\n[+] Cracked hash 0xcd101900 = edb\r\n[+] Cracked hash 0x4aba94f1 = diagcab\r\n[+] Cracked hash 0x5cde3a7b = public\r\n[+] Cracked hash 0xdf981b00 = nls\r\n[+] Cracked hash 0xdda81cc0 = msu\r\n[+] Cracked hash 0xd5c01900 = idx\r\n[+] Cracked hash 0xdf301900 = ndf\r\n[+] Cracked hash 0xef3a37b3 = default\r\n[+] Cracked hash 0x4cca7837 = nomedia\r\n[+] Cracked hash 0x12018c0 = c$\r\n[+] Cracked hash 0xe99018c0 = scr\r\n[+] Cracked hash 0xc7701a40 = bin\r\n[+] Cracked hash 0xe7681bc0 = rom\r\n[+] Cracked hash 0x45678b17 = -wall\r\n[+] Cracked hash 0xe1c018c0 = ocx\r\n[+] Cracked hash 0xaf16c593 = themepack\r\n[+] Cracked hash 0x49164931 = accdb\r\n[+] Cracked hash 0xd56018c0 = icl\r\n[+] Cracked hash 0x45471d17 = -path\r\n[+] Cracked hash 0x8cf281cd = config.msi\r\n[+] Cracked hash 0xc99eab80 = icns\r\n[+] Cracked hash 0xd3801b00 = hlp\r\n[+] Cracked hash 0xcbe2aa35 = ntuser.ini\r\n[+] Cracked hash 0xcb601b00 = dll\r\n[+] Cracked hash 0xeb9f5c34 = https\r\n[+] Cracked hash 0x846bec00 = iconcache.db\r\n[+] Cracked hash 0xdb581b80 = lnk\r\n[+] Cracked hash 0xe3101900 = pdb\r\n[+] Cracked hash 0x30a212d = $recycle.bin\r\n[+] Cracked hash 0x452f4997 = -safe\r\n[+] Cracked hash 0x36004e4e = program files\r\n[+] Cracked hash 0x67b00e00 = 386\r\n[+] Cracked hash 0x52cb0b38 = google\r\n[+] Cracked hash 0xe3301c80 = prf\r\n[+] Cracked hash 0xab086595 = program files (x86)\r\n[+] Cracked hash 0xdd201bc0 = mod\r\n[+] Cracked hash 0xeb869d00 = http\r\n[+] Cracked hash 0xdccab8dd = mozilla\r\n[+] Cracked hash 0x3eb272e6 = explorer.exe\r\n[+] Cracked hash 0xf00cae96 = bootfont.bin\r\n[+] Cracked hash 0xc9681bc0 = com\r\n[+] Cracked hash 0x4a6bb7db = msstyles\r\n[+] Cracked hash 0xe15ed8c0 = lock\r\n[+] Cracked hash 0xae018eae = system volume information\r\n[+] Cracked hash 0x82d2a252 = desktop.ini\r\n[+] Cracked hash 0x6b66f975 = intel\r\n[+] Cracked hash 0xb7e02438 = svchost.exe\r\n[+] Cracked hash 0xcd2e9b7a = theme\r\n[+] Total hashes cracked: 98\r\nIOCs\r\nSamples\r\n2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009\r\n7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984\r\n22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6\r\nc6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99\r\ndaed41395ba663bef2c52e3d1723ac46253a9008b582bb8d9da9cb0044991720\r\nC\u0026C\r\nmojobiden[.]com\r\npaymenthacks[.]com\r\nSource: https://github.com/sisoma2/malware_analysis/tree/master/blackmatter",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/sisoma2/malware_analysis/tree/master/blackmatter"
	],
	"report_names": [
		"blackmatter"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434549,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6f4dc9705c9cbcf889e46a679db02ade42cdc2a.pdf",
		"text": "https://archive.orkl.eu/b6f4dc9705c9cbcf889e46a679db02ade42cdc2a.txt",
		"img": "https://archive.orkl.eu/b6f4dc9705c9cbcf889e46a679db02ade42cdc2a.jpg"
	}
}