"Black Basta" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.
rule win_blackbasta_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2023-07-11"
version = "1"
description = "Detects win.blackbasta."
info = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.6.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
malpedia_rule_date = "20230705"
malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
malpedia_version = "20230715"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation is published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
$sequence_0 = { b8ffffff7f 8bd1 d1ea 2bc2 57 3bc8 7607 }
// n = 7, score = 100
// b8ffffff7f | mov eax, 0x7fffffff
// 8bd1 | mov edx, ecx
// d1ea | shr edx, 1
// 2bc2 | sub eax, edx
// 57 | push edi
// 3bc8 | cmp ecx, eax
// 7607 | jbe 9
$sequence_1 = { 6800000080 ff15???????? 85c0 754d 837d1c08 8d4d08 }
// n = 6, score = 100
// 6800000080 | push 0x80000000
// ff15???????? |
// 85c0 | test eax, eax
// 754d | jne 0x4f
// 837d1c08 | cmp dword ptr [ebp + 0x1c], 8
// 8d4d08 | lea ecx, [ebp + 8]
$sequence_2 = { c745bc0f000000 884da8 8b03 c745fc04000000 8b702c 8d8560ffffff }
// n = 6, score = 100
// c745bc0f000000 | mov dword ptr [ebp - 0x44], 0xf
// 884da8 | mov byte ptr [ebp - 0x58], cl
// 8b03 | mov eax, dword ptr [ebx]
// c745fc04000000 | mov dword ptr [ebp - 4], 4
// 8b702c | mov esi, dword ptr [eax + 0x2c]
// 8d8560ffffff | lea eax, [ebp - 0xa0]
$sequence_3 = { 8bec 83ec14 56 8b7508 ff34b5bc430a10 e8???????? 50 }
// n = 7, score = 100
// 8bec | mov ebp, esp
// 83ec14 | sub esp, 0x14
// 56 | push esi
// 8b7508 | mov esi, dword ptr [ebp + 8]
// ff34b5bc430a10 | push dword ptr [esi*4 + 0x100a43bc]
// e8???????? |
// 50 | push eax
$sequence_4 = { 83453040 41 8345340c 8b7d4c 8b5550 894d0c 85ff }
// n = 7, score = 100
// 83453040 | add dword ptr [ebp + 0x30], 0x40
// 41 | inc ecx
// 8345340c | add dword ptr [ebp + 0x34], 0xc
// 8b7d4c | mov edi, dword ptr [ebp + 0x4c]
// 8b5550 | mov edx, dword ptr [ebp + 0x50]
// 894d0c | mov dword ptr [ebp + 0xc], ecx
// 85ff | test edi, edi
$sequence_5 = { 8945ec 57 ff7508 ff7704 ff37 e8???????? 83c410 }
// n = 7, score = 100
// 8945ec | mov dword ptr [ebp - 0x14], eax
// 57 | push edi
// ff7508 | push dword ptr [ebp + 8]
// ff7704 | push dword ptr [edi + 4]
// ff37 | push dword ptr [edi]
// e8???????? |
// 83c410 | add esp, 0x10
$sequence_6 = { 0540420f00 8945ec 83d100 894de8 eb14 c745ecffffffff }
// n = 6, score = 100
// 0540420f00 | add eax, 0xf4240
// 8945ec | mov dword ptr [ebp - 0x14], eax
// 83d100 | adc ecx, 0
// 894de8 | mov dword ptr [ebp - 0x18], ecx
// eb14 | jmp 0x16
// c745ecffffffff | mov dword ptr [ebp - 0x14], 0xffffffff
$sequence_7 = { 64a100000000 50 64892500000000 83ec34 56 57 8d45c0 }
// n = 7, score = 100
// 64a100000000 | mov eax, dword ptr fs:[0]
// 50 | push eax
// 64892500000000 | mov dword ptr fs:[0], esp
// 83ec34 | sub esp, 0x34
// 56 | push esi
// 57 | push edi
// 8d45c0 | lea eax, [ebp - 0x40]
$sequence_8 = { 6a00 53 51 8bcf ff501c 5f 5e }
// n = 7, score = 100
// 6a00 | push 0
// 53 | push ebx
// 51 | push ecx
// 8bcf | mov ecx, edi
// ff501c | call dword ptr [eax + 0x1c]
// 5f | pop edi
// 5e | pop esi
$sequence_9 = { c645b400 3b35???????? 740f ff7620 e8???????? 83c404 8bd0 }
// n = 7, score = 100
// c645b400 | mov byte ptr [ebp - 0x4c], 0
// 3b35???????? |
// 740f | je 0x11
// ff7620 | push dword ptr [esi + 0x20]
// e8???????? |
// 83c404 | add esp, 4
// 8bd0 | mov edx, eax
condition:
7 of them and filesize < 1758208
}
[TLP:WHITE] win_blackbasta_w0 (20220722 | Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.)
rule win_blackbasta_w0 {
meta:
description = "Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates."
author = "rcoliveira@protonmail.com"
reference_1 = "https://securelist.com/luna-black-basta-ransomware/106950/"
reference_2 = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
hash_1 = "96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be"
hash_2 = "0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef"
date = "2022-07-21"
sharing = "TLP:WHITE"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
malpedia_version = "20220722"
malpedia_license = "CC BY-NC-SA 4.0"
malpedia_sharing = "TLP:WHITE"
strings:
$s1 = "aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion" fullword ascii
$s2 = "Your data are stolen and encrypted" fullword ascii
$s3 = "The data will be published on TOR website if you do not pay the ransom" fullword ascii
$s4 = "Input is not valid base64-encoded data." fullword ascii
$s5 = "(you should download and install TOR browser first https://torproject.org)" fullword ascii
$a1 = "_Z12EncryptBytesP8Chacha20PhS1_S1_i" fullword ascii
$a2 = "_Z21GetEncryptedNextBlockP8Chacha20PN3ghc10filesystem13basic_fstreamIcSt11char_traitsIcEEEPhS8_ixS8_" fullword ascii /* score: '17.00'*/
$a3 = "_ZNSt10_HashtableISsSt4pairIKSsPcESaIS3_ENSt8__detail10_Select1stESt8equal_toISsESt4hashISsENS5_18_Mod_range_hashingENS5_20_Default_ranged_hashENS5_20_Prime_rehash_policyENS5_17_Hashtable_traitsILb1ELb0ELb1EEEE21_M_insert_unique_nodeEmmPNS5_10_Hash_nodeIS3_Lb1EEE" fullword ascii
$a4 = "_ZNSt8__detail9_Map_baseISsSt4pairIKSsPcESaIS4_ENS_10_Select1stESt8equal_toISsESt4hashISsENS_18_Mod_range_hashingENS_20_Default_ranged_hashENS_20_Prime_rehash_policyENS_17_Hashtable_traitsILb1ELb0ELb1EEELb1EEixEOSs" fullword ascii
$a5 = "_ZN3ghc10filesystem4path28postprocess_path_with_formatENS1_6formatE" fullword ascii
$a6 = "C:/Users/dssd/Desktop/src" fullword ascii
$a7 = "totalBytesEncrypted" fullword ascii
condition:
filesize < 600KB and
(1 of ($s*) and 1 of ($a*) ) or (8 of them)
}