win.blackbyte

BlackByte


Ransomware. Uses a dropper written in JavaScript to deploy a .NET payload.

References
Date | Source | Author(s) | Title | Tagged families
2024-08-28 | Talos Intelligence | Craig Jackson, James Nutland, Terryn Valikodath | BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks | BlackByte
2023-07-06 | Microsoft | Microsoft Incident Response | The five-day job: A BlackByte ransomware intrusion case study | BlackByte, ExByte
2023-05-22 | Cluster25 | Cluster25 Threat Intel Team | Back in Black: BlackByte Ransomware returns with its New Technology (NT) version | BlackByte
2023-03-21 | Twitter (@splinter_code) | Antonio Cocomazzi | Tweet on BlackByte ransomware rewrite in C++ | BlackByte
2022-10-04 | Sophos | Andreas Klopsch | Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse | BlackByte
2022-08-25 | Darktrace | Emma Foulger, Max Heinemeyer | Detecting the Unknown: Revealing Uncategorized Ransomware Using Darktrace | BlackByte
2022-07-13 | NCC Group | RIFT: Research and Intelligence Fusion Team | Climbing Mount Everest: Black-Byte Bytes Back? | BlackByte
2022-07-05 | Trend Micro | Trend Micro Research | Ransomware Spotlight: BlackByte | BlackByte
2022-06-23 | Kaspersky | Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev | The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs | Conti, Hive, BlackByte, BlackCat, Clop, LockBit, Mespinoza, Ragnarok
2022-06-23 | Kaspersky | Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev | The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form) | BlackByte, BlackCat, Clop, Conti, Hive, LockBit, Mespinoza, RagnarLocker
2022-05-20 | AdvIntel | Marley Smith, Vitali Kremez, Yelisey Boguslavskiy | DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape | AvosLocker, Black Basta, BlackByte, BlackCat, Conti, HelloKitty, Hive
2022-05-18 | Cisco Talos | Holger Unterbrink | The BlackByte ransomware group is striking users all over the globe | BlackByte
2022-05-17 | Advanced Intelligence | Vitali Kremez, Yelisey Boguslavskiy | Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups | BlackByte, Conti
2022-05-03 | Zscaler | Brett Stone-Gross, Javier Vicente | Analysis of BlackByte Ransomware's Go-Based Variants | BlackByte
2022-04-20 | Bleeping Computer | Bill Toulas | Microsoft Exchange servers hacked to deploy Hive ransomware | Babuk, BlackByte, Conti, Hive, LockFile
2022-04-18 | AdvIntel | Vitali Kremez, Yelisey Boguslavskiy | Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group | AvosLocker, BazarBackdoor, BlackByte, BlackCat, Cobalt Strike, HelloKitty, Hive, Karakurt
2022-02-28 | Trellix | Taylor Mullins | Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware | BlackByte
2022-02-21 | PICUS Security | Hüseyin Can YÜCEEL | TTPs used by BlackByte Ransomware Targeting Critical Infrastructure | BlackByte
2022-02-14 | BleepingComputer | Sergiu Gatlan | FBI: BlackByte ransomware breached US critical infrastructure | BlackByte
2022-02-13 | The Record | Catalin Cimpanu | San Francisco 49ers confirm ransomware attack | BlackByte
2022-02-11 | Federal Bureau of Investigation, U.S. Secret Service (USSS) | (not listed) | JOINT CYBERSECURITY ADVISORY: Indicators of Compromise Associated with BlackByte Ransomware | BlackByte
2021-11-30 | Red Canary | Harrison van Riper | ProxyShell exploitation leads to BlackByte ransomware | BlackByte
2021-11-04 | Deep Instinct | Shaul Vilkomir-Preisman | Understanding the Windows JavaScript Threat Landscape | STRRAT, Griffon, BlackByte, Houdini, Vjw0rm, FIN7
Yara Rules
[TLP:WHITE] win_blackbyte_auto (20251219 | Detects win.blackbyte.)
rule win_blackbyte_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.blackbyte."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 498d7101 0f1f440000 4839c6 7ce0 4889c6 41b806000000 }
            // n = 6, score = 200
            //   498d7101             | lea                 rsi, [r9 + 1]
            //   0f1f440000           | nop                 dword ptr [rax + rax]
            //   4839c6               | cmp                 rsi, rax
            //   7ce0                 | jl                  -0x20
            //   4889c6               | mov                 rsi, rax
            //   41b806000000         | mov                 r8d, 6

        $sequence_1 = { 3bc1 7505 e8???????? 4883c304 }
            // n = 4, score = 200
            //   3bc1                 | cmp                 eax, ecx
            //   7505                 | jne                 +0x5
            //   e8????????           | call                (wildcarded target)
            //   4883c304             | add                 rbx, 4

        $sequence_2 = { 3bc2 72f4 b8ffffffff 4883c420 }
            // n = 4, score = 200
            //   3bc2                 | cmp                 eax, edx
            //   72f4                 | jb                  -0xc
            //   b8ffffffff           | mov                 eax, 0xffffffff
            //   4883c420             | add                 rsp, 0x20

        $sequence_3 = { 3bc7 7ce0 eb03 488bda }
            // n = 4, score = 200
            //   3bc7                 | cmp                 eax, edi
            //   7ce0                 | jl                  -0x20
            //   eb03                 | jmp                 +0x3
            //   488bda               | mov                 rbx, rdx

        $sequence_4 = { 3bc1 7f4d 33c9 4c63c8 }
            // n = 4, score = 200
            //   3bc1                 | cmp                 eax, ecx
            //   7f4d                 | jg                  +0x4d
            //   33c9                 | xor                 ecx, ecx
            //   4c63c8               | movsxd              r9, eax

        $sequence_5 = { 4983f851 7553 4c8d4002 4c39c1 }
            // n = 4, score = 200
            //   4983f851             | cmp                 r8, 0x51
            //   7553                 | jne                 +0x53
            //   4c8d4002             | lea                 r8, [rax + 2]
            //   4c39c1               | cmp                 rcx, r8

        $sequence_6 = { 4989c3 4889cf 488b4c2428 48897c2450 4c895c2468 4b8d0413 90 }
            // n = 7, score = 200
            //   4989c3               | mov                 r11, rax
            //   4889cf               | mov                 rdi, rcx
            //   488b4c2428           | mov                 rcx, qword ptr [rsp + 0x28]
            //   48897c2450           | mov                 qword ptr [rsp + 0x50], rdi
            //   4c895c2468           | mov                 qword ptr [rsp + 0x68], r11
            //   4b8d0413             | lea                 rax, [r11 + r10]
            //   90                   | nop

        $sequence_7 = { 4983f803 0f8f66010000 90 4983f801 0f8fb6000000 }
            // n = 5, score = 200
            //   4983f803             | cmp                 r8, 3
            //   0f8f66010000         | jg                  +0x166
            //   90                   | nop
            //   4983f801             | cmp                 r8, 1
            //   0f8fb6000000         | jg                  +0xb6

        $sequence_8 = { 3bc2 7f2f 4c63d8 85c0 }
            // n = 4, score = 200
            //   3bc2                 | cmp                 eax, edx
            //   7f2f                 | jg                  +0x2f
            //   4c63d8               | movsxd              r11, eax
            //   85c0                 | test                eax, eax

        $sequence_9 = { 0f1005???????? 4c8960e0 4533e4 4c8968d8 }
            // n = 4, score = 200
            //   0f1005????????       | movups              xmm0, xmmword ptr [rip + disp32] (wildcarded)
            //   4c8960e0             | mov                 qword ptr [rax - 0x20], r12
            //   4533e4               | xor                 r12d, r12d
            //   4c8968d8             | mov                 qword ptr [rax - 0x28], r13

        $sequence_10 = { 4983f805 0f8511020000 4c8d4304 4c39c6 }
            // n = 4, score = 200
            //   4983f805             | cmp                 r8, 5
            //   0f8511020000         | jne                 +0x211
            //   4c8d4304             | lea                 r8, [rbx + 4]
            //   4c39c6               | cmp                 rsi, r8

        $sequence_11 = { 493b6610 0f8626010000 4883ec70 48896c2468 488d6c2468 }
            // n = 5, score = 200
            //   493b6610             | cmp                 rsp, qword ptr [r14 + 0x10]
            //   0f8626010000         | jbe                 +0x126
            //   4883ec70             | sub                 rsp, 0x70
            //   48896c2468           | mov                 qword ptr [rsp + 0x68], rbp
            //   488d6c2468           | lea                 rbp, [rsp + 0x68]

        $sequence_12 = { 3bc1 7573 488d4c2448 664585c0 }
            // n = 4, score = 200
            //   3bc1                 | cmp                 eax, ecx
            //   7573                 | jne                 +0x73
            //   488d4c2448           | lea                 rcx, [rsp + 0x48]
            //   664585c0             | test                r8w, r8w

        $sequence_13 = { 3bc1 7558 498bcb 6685d2 }
            // n = 4, score = 200
            //   3bc1                 | cmp                 eax, ecx
            //   7558                 | jne                 +0x58
            //   498bcb               | mov                 rcx, r11
            //   6685d2               | test                dx, dx

        $sequence_14 = { 4989c3 488b8424b0000000 e8???????? 488b4c2468 }
            // n = 4, score = 200
            //   4989c3               | mov                 r11, rax
            //   488b8424b0000000     | mov                 rax, qword ptr [rsp + 0xb0]
            //   e8????????           | call                (wildcarded target)
            //   488b4c2468           | mov                 rcx, qword ptr [rsp + 0x68]

        $sequence_15 = { 493b6610 767b 4883ec38 48896c2430 488d6c2430 4889442440 49c7c500000000 }
            // n = 7, score = 200
            //   493b6610             | cmp                 rsp, qword ptr [r14 + 0x10]
            //   767b                 | jbe                 +0x7b
            //   4883ec38             | sub                 rsp, 0x38
            //   48896c2430           | mov                 qword ptr [rsp + 0x30], rbp
            //   488d6c2430           | lea                 rbp, [rsp + 0x30]
            //   4889442440           | mov                 qword ptr [rsp + 0x40], rax
            //   49c7c500000000       | mov                 r13, 0

    condition:
        7 of them and filesize < 9435136
}