"Black Basta" is a ransomware strain first observed in April 2022 (it appears to have been in development since at least early February 2022). Given how quickly the operators amassed new victims and the style of their negotiations, this is likely not a new operation but a rebrand of an established top-tier ransomware gang that brought its affiliates along.
rule win_blackbasta_auto {
    /*
     * Auto-generated code-sequence rule for win.blackbasta (YARA-Signator).
     *
     * Each $sequence_N is a short run of x86 (32-bit) opcode bytes lifted from
     * the disassembly of memory dumps / unpacked samples; `??` wildcards mask
     * call/jump targets and immediates that vary between builds. Because the
     * generator only sees the samples Malpedia holds for a family, these
     * sequences may generalise poorly to new builds — weight the rule
     * accordingly when assigning confidence.
     *
     * Generation method and code: https://github.com/fxb-cocacoding/yara-signator
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.blackbasta."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // n = 7, score = 100
        // mov eax,[eax] ; mov esi,[eax+0x20] ; mov ecx,esi ; call [imm32]
        // mov ecx,[ebp-0x38] ; call esi ; mov esi,[ebp-0x50]
        $sequence_0 = { 8b00 8b7020 8bce ff15???????? 8b4dc8 ffd6 8b75b0 }

        // n = 7, score = 100
        // lea ebx,[esi+0x20] ; test eax,eax ; je +0x3b ; cmp [ebp+8],eax
        // jb +0xf ; push eax ; push ecx
        $sequence_1 = { 8d5e20 85c0 7439 394508 720d 50 51 }

        // n = 7, score = 100
        // mov edi,esi ; rep stosd ; push esi ; call rel32 ; add esp,4
        // pop edi ; mov ecx,[ebp-0xc]
        $sequence_2 = { 8bfe f3ab 56 e8???????? 83c404 5f 8b4df4 }

        // n = 7, score = 100
        // add esp,8 ; pop edi ; pop esi ; mov ecx,[ebp-0xc]
        // mov fs:[0],ecx ; lea esp,[ebp+0x64] ; pop ebp
        // NOTE(review): the fs:[0] restore looks like a generic SEH-frame
        // function epilogue, so this sequence is probably weak on its own.
        $sequence_3 = { 83c408 5f 5e 8b4df4 64890d00000000 8d6564 5d }

        // n = 7, score = 100
        // mov [ebp-0x88],esi ; mov dword [ebp+0x28],-1 ; mov [ebp+0x2c],esi
        // mov [ebp+0x30],esi ; mov [ebp+0x1c],esi ; mov [ebp+0x20],esi
        // mov byte [ebp+0x18],0
        $sequence_4 = { 89b578ffffff c74528ffffffff 89752c 897530 89751c 897520 c6451800 }

        // n = 7, score = 100
        // push [ebp+8] ; mov ebx,ecx ; lea eax,[ebp-0xa8] ; push imm32
        // mov [ebp-0x90],ebx ; push eax ; mov dword [ebp-0x10],0
        $sequence_5 = { ff7508 8bd9 8d8558ffffff 68???????? 899d70ffffff 50 c745f000000000 }

        // n = 7, score = 100
        // mov esi,[esp+0x1c] ; test esi,esi ; je +0x4f ; push ebx
        // mov bl,[esp+0x1c] ; test eax,eax ; je +0x3b
        $sequence_6 = { 8b74241c 85f6 744d 53 8a5c241c 85c0 7439 }

        // n = 7, score = 100
        // mov al,[eax+0x100a5d40] ; mov ecx,[ebp-0x78] ; mov [ebp-0xa0],al
        // push [ebp-0xa0] ; call rel32 ; cmp dword [ebp-0x14],0x10
        // lea ecx,[ebp-0x28]
        // NOTE(review): the first instruction embeds an absolute address
        // (0x100a5d40), so this sequence is tied to the sample's image base
        // and will not match a relocated or differently-based build.
        $sequence_7 = { 8a80405d0a10 8b4d88 888560ffffff ffb560ffffff e8???????? 837dec10 8d4dd8 }

        // n = 7, score = 100
        // mov eax,[ebp+8] ; push 1 ; push edi ; push [eax+4] ; push [eax]
        // call rel32 ; or ecx,-1
        $sequence_8 = { 8b4508 6a01 57 ff7004 ff30 e8???????? 83c9ff }

        // n = 6, score = 100
        // add ecx,0x1c ; mov dword [ebp-0x10],0 ; push esi ; push edi
        // lea edx,[ebp-0x58] ; mov eax,[ecx]
        $sequence_9 = { 83c11c c745f000000000 56 57 8d55a8 8b01 }

    condition:
        // Every string in this rule is a $sequence_*, so this is equivalent
        // to `7 of them`; the size cap bounds scan cost on large inputs.
        7 of ($sequence_*) and filesize < 1758208
}
[TLP:WHITE] win_blackbasta_w0 (20220722 | Black Basta is a ransomware strain first observed in April 2022 (it appears to have been in development since at least early February 2022). Given how quickly the operators amassed new victims and the style of their negotiations, this is likely not a new operation but a rebrand of an established top-tier ransomware gang that brought its affiliates along.)
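rule win_blackbasta_w0 {
    /*
     * String-based rule for Black Basta ransomware (x86 Windows builds with
     * Itanium-ABI mangled C++ symbols, i.e. GCC/MinGW-style toolchains).
     *
     * Two string groups:
     *   $s*  - victim-facing ransom-note text and the operators' .onion host.
     *   $a*  - build/symbol artefacts left in the binary (mangled function
     *          names referencing Chacha20 and ghc::filesystem, a developer
     *          source path, a counter name).
     *
     * Fix vs. the previous revision: YARA binds `and` tighter than `or`, so
     * `filesize < 600KB and (A and B) or (C)` applied the size cap only to the
     * (A and B) branch and let `8 of them` fire on a file of any size. The
     * condition is now grouped explicitly so the cap applies to both branches.
     */
    meta:
        description = "Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates."
        author = "rcoliveira@protonmail.com"
        reference_1 = "https://securelist.com/luna-black-basta-ransomware/106950/"
        reference_2 = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
        hash_1 = "96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be"
        hash_2 = "0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef"
        date = "2022-07-21"
        sharing = "TLP:WHITE"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
        malpedia_version = "20220722"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // --- victim-facing strings -----------------------------------------
        // Operator .onion host; the most specific indicator in this group,
        // but also the one most likely to change between campaigns.
        $s1 = "aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion" fullword ascii
        $s2 = "Your data are stolen and encrypted" fullword ascii
        $s3 = "The data will be published on TOR website if you do not pay the ransom" fullword ascii
        // NOTE(review): this reads like a generic base64-library error
        // message rather than ransomware-specific text — expect it in benign
        // binaries too, so do not rely on it as a sole $s* hit.
        $s4 = "Input is not valid base64-encoded data." fullword ascii
        $s5 = "(you should download and install TOR browser first https://torproject.org)" fullword ascii

        // --- build / symbol artefacts --------------------------------------
        // Mangled names: EncryptBytes(Chacha20*, ...) and
        // GetEncryptedNextBlock(Chacha20*, ghc::filesystem::basic_fstream<char>&, ...).
        $a1 = "_Z12EncryptBytesP8Chacha20PhS1_S1_i" fullword ascii
        $a2 = "_Z21GetEncryptedNextBlockP8Chacha20PN3ghc10filesystem13basic_fstreamIcSt11char_traitsIcEEEPhS8_ixS8_" fullword ascii /* score: '17.00'*/
        // NOTE(review): $a3/$a4 are libstdc++ std::_Hashtable / _Map_base
        // template instantiations (std::string -> char*). They are library
        // code and may well appear in unrelated GCC-built binaries.
        $a3 = "_ZNSt10_HashtableISsSt4pairIKSsPcESaIS3_ENSt8__detail10_Select1stESt8equal_toISsESt4hashISsENS5_18_Mod_range_hashingENS5_20_Default_ranged_hashENS5_20_Prime_rehash_policyENS5_17_Hashtable_traitsILb1ELb0ELb1EEEE21_M_insert_unique_nodeEmmPNS5_10_Hash_nodeIS3_Lb1EEE" fullword ascii
        $a4 = "_ZNSt8__detail9_Map_baseISsSt4pairIKSsPcESaIS4_ENS_10_Select1stESt8equal_toISsESt4hashISsENS_18_Mod_range_hashingENS_20_Default_ranged_hashENS_20_Prime_rehash_policyENS_17_Hashtable_traitsILb1ELb0ELb1EEELb1EEixEOSs" fullword ascii
        // ghc::filesystem (header-only std::filesystem substitute) symbol.
        $a5 = "_ZN3ghc10filesystem4path28postprocess_path_with_formatENS1_6formatE" fullword ascii
        // Developer build path left in the binary.
        $a6 = "C:/Users/dssd/Desktop/src" fullword ascii
        $a7 = "totalBytesEncrypted" fullword ascii

    condition:
        // Size cap applies to BOTH branches (explicit grouping — see header).
        filesize < 600KB and
        (
            (1 of ($s*) and 1 of ($a*)) or
            (8 of them)
        )
}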