win.blackbasta

Black Basta

aka: no_name_software

"Black Basta" is a ransomware strain discovered during April 2022 that appears to have been in development since at least early February 2022. Given how quickly the group amassed new victims and the style of its negotiations, this is likely not a new operation but a rebrand of a previous top-tier ransomware gang that brought its affiliates along.

References
Date | Source | Author(s) | Title | Tagged families/actors
2024-07-29 | Microsoft | Charles-Edouard Bettan, Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Vaibhav Deshmukh | Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption | Black Basta, Storm-0506
2024-07-29 | Mandiant | Ashley Pearson, Jake Nicastro, Joseph Pisano, Josh Murchie, Joshua Shilko, Raymond Leong | UNC4393 Goes Gently into the SILENTNIGHT | Black Basta, QakBot, sRDI, SystemBC, Zloader, UNC4393
2024-06-12 | Symantec | Symantec Threat Hunter Team | Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day | Black Basta
2024-05-15 | Stairwell | Threat Research at Stairwell | Stairwell threat report: Black Basta overview and detection rules | Black Basta
2024-05-15 | Microsoft | Microsoft Threat Intelligence | Threat actors misusing Quick Assist in social engineering attacks leading to ransomware | Black Basta, Cobalt Strike, QakBot
2024-05-10 | Rapid7 Labs | Evan McCann, Thomas Elkins, Tyler McGraw | Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators | Black Basta, Cobalt Strike, NetSupportManager RAT
2024-05-10 | CISA | CISA | AA24-131A: #StopRansomware: Black Basta | Black Basta
2024-02-28 | Security Intelligence | Golo Mühr, Ole Villadsen | X-Force data reveals top spam trends, campaigns and senior superlatives in 2023 | 404 Keylogger, Agent Tesla, Black Basta, DarkGate, Formbook, IcedID, Loki Password Stealer (PWS), Pikabot, QakBot, Remcos
2023-11-16 | YouTube (Swiss Cyber Storm) | Angelo Violetti | Resilience Rising: Countering the Threat Actors Behind Black Basta Ransomware | Black Basta
2023-06-27 | SecurityIntelligence | Charlotte Hammond, Ole Villadsen | The Trickbot/Conti Crypters: Where Are They Now? | Black Basta, Conti, Mount Locker, PhotoLoader, Royal Ransom, SystemBC, TrickBot
2023-04-19 | Bleeping Computer | Bill Toulas | March 2023 broke ransomware attack records with 459 incidents | Clop, WhiteRabbit, BianLian, Black Basta, BlackCat, LockBit, MedusaLocker, PLAY, Royal Ransom
2023-04-18 | Mandiant | Mandiant | M-Trends 2023 | QUIETEXIT, AppleJeus, Black Basta, BlackCat, CaddyWiper, Cobalt Strike, Dharma, HermeticWiper, Hive, INDUSTROYER2, Ladon, LockBit, Meterpreter, PartyTicket, PlugX, QakBot, REvil, Royal Ransom, SystemBC, WhisperGate
2023-03-30 | United States District Court (Eastern District of New York) | Fortra, HEALTH-ISAC, Microsoft | Cracked Cobalt Strike (1:23-cv-02447) | Black Basta, BlackCat, LockBit, RagnarLocker, Cobalt Strike, Cuba, Emotet, Mount Locker, PLAY, QakBot, Royal Ransom, Zloader
2023-03-15 | Reliaquest | RELIAQUEST THREAT RESEARCH TEAM | QBot: Laying the Foundations for Black Basta Ransomware Activity | Black Basta, QakBot
2023-01-25 | Quadrant Information Security | Quadrant Information Security | Technical Analysis: Black Basta Malware Overview | Black Basta
2023-01-23 | Kroll | Elio Biasiotto, Stephen Green | Black Basta – Technical Analysis | Black Basta, Cobalt Strike, MimiKatz, QakBot, SystemBC
2022-12-01 | Zscaler | Zscaler | Back in Black... Basta - Technical Analysis of BlackBasta Ransomware 2.0 | Black Basta
2022-11-23 | Cybereason | Cybereason Global SOC Team | THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies | Black Basta, QakBot
2022-11-03 | Sentinel LABS | Antonio Cocomazzi | Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor | Black Basta
2022-11-03 | SentinelOne | SentinelLabs | Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor | Black Basta, QakBot, SocksBot
2022-10-12 | Trend Micro | Ian Kenefick, Lucas Silva, Nicole Hernandez | Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike | Black Basta, Brute Ratel C4, Cobalt Strike, QakBot
2022-09-08 | Sentinel LABS | Aleksandar Milenkoski, Jim Walter | Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection | AgendaCrypt, Black Basta, BlackCat, PLAY
2022-09-01 | Trend Micro | Trend Micro | Ransomware Spotlight Black Basta | Black Basta, Cobalt Strike, MimiKatz, QakBot
2022-08-25 | Palo Alto Networks Unit 42 | Amer Elsad | Threat Assessment: Black Basta Ransomware | Black Basta, QakBot
2022-08-25 | Palo Alto Networks Unit 42 | Amer Elsad | Threat Assessment: Black Basta Ransomware | Black Basta
2022-08-22 | Microsoft | Microsoft | Extortion Economics - Ransomware’s new business model | BlackCat, Conti, Hive, REvil, AgendaCrypt, Black Basta, Brute Ratel C4, Cobalt Strike, Mount Locker, Nokoyawa Ransomware, Ryuk
2022-08-15 | SecurityScorecard | Vlad Pasca | A Deep Dive Into Black Basta Ransomware | Black Basta
2022-07-20 | Kaspersky | Dmitry Galov, Jornt van der Wiel, Marc Rivero López, Sergey Lozhkin | Luna and Black Basta — new ransomware for Windows, Linux and ESXi | Black Basta, Conti
2022-06-30 | Trend Micro | Emmanuel Panopio, James Panlilio, John Kenneth Reyes, Kenneth Adrian Apostol, Melvin Singwa, Mirah Manlapig, Paolo Ronniel Labrador | Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit | Black Basta, Cobalt Strike, QakBot
2022-06-28 | GBHackers on Security | Gurubaran S | Black Basta Ransomware Emerging From Underground to Attack Corporate Networks | Black Basta
2022-06-06 | NCC Group | Peter Gurney, Ross Inman | Shining the Light on Black Basta | Black Basta
2022-06-01 | Avertium | Avertium | An In-Depth Look At Black Basta Ransomware | Black Basta
2022-05-26 | IBM | Dave McMillen, Kevin Henson | Black Basta Besting Your Network? | Black Basta
2022-05-20 | AdvIntel | Marley Smith, Vitali Kremez, Yelisey Boguslavskiy | DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape | AvosLocker, Black Basta, BlackByte, BlackCat, Conti, HelloKitty, Hive
2022-05-09 | Trend Micro | Ieriz Nicolle Gonzalez, Ivan Nicole Chavez, Katherine Casona, Nathaniel Morales | Examining the Black Basta Ransomware’s Infection Routine | Black Basta
2022-04-29 | The Record | Jonathan Greig | German wind farm operator confirms cybersecurity incident | Black Basta, BlackCat
2022-04-27 | BleepingComputer | BleepingComputer | New Black Basta ransomware springs into action with a dozen breaches | Black Basta
2022-04-26 | Bleeping Computer | Lawrence Abrams | American Dental Association hit by new Black Basta ransomware | Black Basta
Yara Rules
[TLP:WHITE] win_blackbasta_auto (20241030 | Detects win.blackbasta.)
rule win_blackbasta_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.blackbasta."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b3403 85f6 0f856f010000 eb02 33f6 80791400 7410 }
            // n = 7, score = 100
            //   8b3403               | mov                 esi, dword ptr [ebx + eax]
            //   85f6                 | test                esi, esi
            //   0f856f010000         | jne                 0x175
            //   eb02                 | jmp                 4
            //   33f6                 | xor                 esi, esi
            //   80791400             | cmp                 byte ptr [ecx + 0x14], 0
            //   7410                 | je                  0x12

        $sequence_1 = { e9???????? c7456001000000 83fe01 0f86ff000000 90 8d4548 50 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   c7456001000000       | mov                 dword ptr [ebp + 0x60], 1
            //   83fe01               | cmp                 esi, 1
            //   0f86ff000000         | jbe                 0x105
            //   90                   | nop                 
            //   8d4548               | lea                 eax, [ebp + 0x48]
            //   50                   | push                eax

        $sequence_2 = { 8b450c 83c01c 50 8d4920 e8???????? 8b450c 8b4df0 }
            // n = 7, score = 100
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   83c01c               | add                 eax, 0x1c
            //   50                   | push                eax
            //   8d4920               | lea                 ecx, [ecx + 0x20]
            //   e8????????           |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]

        $sequence_3 = { 56 8d581c 8d6804 7442 6a00 8bcb }
            // n = 6, score = 100
            //   56                   | push                esi
            //   8d581c               | lea                 ebx, [eax + 0x1c]
            //   8d6804               | lea                 ebp, [eax + 4]
            //   7442                 | je                  0x44
            //   6a00                 | push                0
            //   8bcb                 | mov                 ecx, ebx

        $sequence_4 = { 53 56 57 8bf9 8b37 85f6 747a }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   85f6                 | test                esi, esi
            //   747a                 | je                  0x7c

        $sequence_5 = { 56 51 6a01 8bcb ff5034 8b03 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   51                   | push                ecx
            //   6a01                 | push                1
            //   8bcb                 | mov                 ecx, ebx
            //   ff5034               | call                dword ptr [eax + 0x34]
            //   8b03                 | mov                 eax, dword ptr [ebx]

        $sequence_6 = { c7471400000000 e8???????? c7461000000000 83c40c c746140f000000 c60600 be08000000 }
            // n = 7, score = 100
            //   c7471400000000       | mov                 dword ptr [edi + 0x14], 0
            //   e8????????           |                     
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0
            //   83c40c               | add                 esp, 0xc
            //   c746140f000000       | mov                 dword ptr [esi + 0x14], 0xf
            //   c60600               | mov                 byte ptr [esi], 0
            //   be08000000           | mov                 esi, 8

        $sequence_7 = { 8d957cffffff 52 8d95d4feffff 52 ff5024 8b8dd0feffff 8d957cffffff }
            // n = 7, score = 100
            //   8d957cffffff         | lea                 edx, [ebp - 0x84]
            //   52                   | push                edx
            //   8d95d4feffff         | lea                 edx, [ebp - 0x12c]
            //   52                   | push                edx
            //   ff5024               | call                dword ptr [eax + 0x24]
            //   8b8dd0feffff         | mov                 ecx, dword ptr [ebp - 0x130]
            //   8d957cffffff         | lea                 edx, [ebp - 0x84]

        $sequence_8 = { c7855cfeffff980a0a10 e8???????? 57 8d8d78feffff c745fc09000000 }
            // n = 5, score = 100
            //   c7855cfeffff980a0a10     | mov    dword ptr [ebp - 0x1a4], 0x100a0a98
            //   e8????????           |                     
            //   57                   | push                edi
            //   8d8d78feffff         | lea                 ecx, [ebp - 0x188]
            //   c745fc09000000       | mov                 dword ptr [ebp - 4], 9

        $sequence_9 = { 8975f0 c706???????? c74604???????? c74608???????? c7462060ed0910 c745fcffffffff e8???????? }
            // n = 7, score = 100
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   c706????????         |                     
            //   c74604????????       |                     
            //   c74608????????       |                     
            //   c7462060ed0910       | mov                 dword ptr [esi + 0x20], 0x1009ed60
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1758208
}
[TLP:WHITE] win_blackbasta_w0   (20220722 | Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.)
rule win_blackbasta_w0 {
   meta:
      description = "Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates."
      author = "rcoliveira@protonmail.com"
      reference_1 = "https://securelist.com/luna-black-basta-ransomware/106950/"
      reference_2 = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
      hash_1 = "96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be"
      hash_2 = "0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef"
      date = "2022-07-21"
      sharing = "TLP:WHITE"
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
      malpedia_version = "20220722"
      malpedia_license = "CC BY-NC-SA 4.0"
      malpedia_sharing = "TLP:WHITE"
   strings:
      // Ransom-note text and the negotiation .onion address embedded in the sample
      $s1 = "aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion" fullword ascii
      $s2 = "Your data are stolen and encrypted" fullword ascii
      $s3 = "The data will be published on TOR website if you do not pay the ransom" fullword ascii
      $s4 = "Input is not valid base64-encoded data." fullword ascii
      $s5 = "(you should download and install TOR browser first https://torproject.org)" fullword ascii
      // Mangled C++ symbols left in the binary: ChaCha20 file-encryption helpers,
      // std::unordered_map instantiations, ghc::filesystem, and a build path
      $a1 = "_Z12EncryptBytesP8Chacha20PhS1_S1_i" fullword ascii
      $a2 = "_Z21GetEncryptedNextBlockP8Chacha20PN3ghc10filesystem13basic_fstreamIcSt11char_traitsIcEEEPhS8_ixS8_" fullword ascii /* score: '17.00'*/
      $a3 = "_ZNSt10_HashtableISsSt4pairIKSsPcESaIS3_ENSt8__detail10_Select1stESt8equal_toISsESt4hashISsENS5_18_Mod_range_hashingENS5_20_Default_ranged_hashENS5_20_Prime_rehash_policyENS5_17_Hashtable_traitsILb1ELb0ELb1EEEE21_M_insert_unique_nodeEmmPNS5_10_Hash_nodeIS3_Lb1EEE" fullword ascii
      $a4 = "_ZNSt8__detail9_Map_baseISsSt4pairIKSsPcESaIS4_ENS_10_Select1stESt8equal_toISsESt4hashISsENS_18_Mod_range_hashingENS_20_Default_ranged_hashENS_20_Prime_rehash_policyENS_17_Hashtable_traitsILb1ELb0ELb1EEELb1EEixEOSs" fullword ascii
      $a5 = "_ZN3ghc10filesystem4path28postprocess_path_with_formatENS1_6formatE" fullword ascii
      $a6 = "C:/Users/dssd/Desktop/src" fullword ascii
      $a7 = "totalBytesEncrypted" fullword ascii
   condition:
      // Note: in YARA "and" binds tighter than "or", so the filesize bound applies
      // only to the first branch; the "8 of them" branch matches regardless of size.
      filesize < 600KB and
      (1 of ($s*) and 1 of ($a*) ) or (8 of them)
}