win.blackbyte

BlackByte


Ransomware. Uses a dropper written in JavaScript to deploy a .NET payload.

References
2023-07-06 | Microsoft | Microsoft Incident Response
The five-day job: A BlackByte ransomware intrusion case study
BlackByte ExByte

2023-05-22 | Cluster25 | Cluster25 Threat Intel Team
Back in Black: BlackByte Ransomware returns with its New Technology (NT) version
BlackByte

2023-03-21 | Twitter (@splinter_code) | Antonio Cocomazzi
Tweet on BlackByte ransomware rewrite in C++
BlackByte

2022-10-04 | Sophos | Andreas Klopsch
Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse
BlackByte

2022-08-25 | Darktrace | Emma Foulger, Max Heinemeyer
Detecting the Unknown: Revealing Uncategorized Ransomware Using Darktrace
BlackByte

2022-07-13 | NCC Group | RIFT: Research and Intelligence Fusion Team
Climbing Mount Everest: Black-Byte Bytes Back?
BlackByte

2022-07-05 | Trend Micro | Trend Micro Research
Ransomware Spotlight: BlackByte
BlackByte

2022-06-23 | Kaspersky | Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok

2022-06-23 | Kaspersky | Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker

2022-05-20 | AdvIntel | Marley Smith, Vitali Kremez, Yelisey Boguslavskiy
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive

2022-05-18 | Cisco Talos | Holger Unterbrink
The BlackByte ransomware group is striking users all over the globe
BlackByte

2022-05-17 | Advanced Intelligence | Vitali Kremez, Yelisey Boguslavskiy
Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups
BlackByte Conti

2022-05-03 | Zscaler | Brett Stone-Gross, Javier Vicente
Analysis of BlackByte Ransomware's Go-Based Variants
BlackByte

2022-04-20 | Bleeping Computer | Bill Toulas
Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile

2022-04-18 | AdvIntel | Vitali Kremez, Yelisey Boguslavskiy
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive Karakurt

2022-02-28 | Trellix | Taylor Mullins
Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware
BlackByte

2022-02-21 | PICUS Security | Hüseyin Can YÜCEEL
TTPs used by BlackByte Ransomware Targeting Critical Infrastructure
BlackByte

2022-02-14 | BleepingComputer | Sergiu Gatlan
FBI: BlackByte ransomware breached US critical infrastructure
BlackByte

2022-02-13 | The Record | Catalin Cimpanu
San Francisco 49ers confirm ransomware attack
BlackByte

2022-02-11 | Federal Bureau of Investigation, U.S. Secret Service (USSS)
JOINT CYBERSECURITY ADVISORY: Indicators of Compromise Associated with BlackByte Ransomware
BlackByte

2021-11-30 | Red Canary | Harrison van Riper
ProxyShell exploitation leads to BlackByte ransomware
BlackByte

2021-11-04 | Deep Instinct | Shaul Vilkomir-Preisman
Understanding the Windows JavaScript Threat Landscape
STRRAT Griffon BlackByte Houdini Vjw0rm FIN7
Yara Rules
[TLP:WHITE] win_blackbyte_auto (20230808 | Detects win.blackbyte.)
rule win_blackbyte_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.blackbyte."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488d15bc010000 4889542478 4889842480000000 488d542478 4889942490000000 c644242701 }
            // n = 6, score = 200
            //   488d15bc010000       | movzx               eax, byte ptr [edx + 0x14]
            //   4889542478           | movzx               eax, byte ptr [edx + 0x12]
            //   4889842480000000     | mov                 byte ptr [esp + 0xa], al
            //   488d542478           | movzx               eax, byte ptr [edx + 0x13]
            //   4889942490000000     | mov                 byte ptr [esp + 0xb], al
            //   c644242701           | movzx               eax, byte ptr [edx + 0x12]

        $sequence_1 = { 488d0db4020000 488908 833d????????00 7520 488b4c2428 48894808 }
            // n = 6, score = 200
            //   488d0db4020000       | mov                 byte ptr [esp + 0xb], al
            //   488908               | movzx               eax, byte ptr [edx + 0x14]
            //   833d????????00       |                     
            //   7520                 | mov                 byte ptr [esp + 0xc], al
            //   488b4c2428           | movzx               eax, byte ptr [edx + 0x12]
            //   48894808             | mov                 byte ptr [esp + 0xa], al

        $sequence_2 = { 0fb64210 88442408 0fb64211 88442409 }
            // n = 4, score = 200
            //   0fb64210             | mov                 dword ptr [ecx + 8], eax
            //   88442408             | movzx               eax, byte ptr [edx + 0x10]
            //   0fb64211             | movzx               eax, byte ptr [edx + 0xf]
            //   88442409             | mov                 byte ptr [esp + 0xf], al

        $sequence_3 = { 0fb6420b 8844240b 0fb6420c 8844240c 0fb6420d 8844240d 0fb6420e }
            // n = 7, score = 200
            //   0fb6420b             | mov                 ecx, esi
            //   8844240b             | call                edi
            //   0fb6420c             | inc                 esp
            //   8844240c             | mov                 eax, dword ptr [ebp + 0x4e8]
            //   0fb6420d             | inc                 ebp
            //   8844240d             | test                eax, eax
            //   0fb6420e             | jne                 0xffffff2d

        $sequence_4 = { 488d4a01 488b442428 488b5c2430 4883f903 }
            // n = 4, score = 200
            //   488d4a01             | mov                 byte ptr [esp + 0xb], al
            //   488b442428           | movzx               eax, byte ptr [edx + 0x14]
            //   488b5c2430           | mov                 byte ptr [esp + 0xc], al
            //   4883f903             | nop                 dword ptr [eax]

        $sequence_5 = { 0101 ffc5 3b6b68 0f82e6feffff }
            // n = 4, score = 200
            //   0101                 | add                 dword ptr [ecx], eax
            //   ffc5                 | inc                 ebp
            //   3b6b68               | cmp                 ebp, dword ptr [ebx + 0x68]
            //   0f82e6feffff         | jb                  0xfffffeec

        $sequence_6 = { 488d542478 4889942490000000 c644242701 488b9c24a8000000 488b8c24b0000000 e8???????? }
            // n = 6, score = 200
            //   488d542478           | mov                 dword ptr [esp + 0x88], edx
            //   4889942490000000     | mov                 byte ptr [esp + 0x1f], 1
            //   c644242701           | dec                 eax
            //   488b9c24a8000000     | mov                 ebx, dword ptr [esp + 0xa0]
            //   488b8c24b0000000     | dec                 eax
            //   e8????????           |                     

        $sequence_7 = { 488d4250 488b542430 488d5a50 b918000000 }
            // n = 4, score = 200
            //   488d4250             | dec                 eax
            //   488b542430           | cmp                 ecx, 3
            //   488d5a50             | dec                 eax
            //   b918000000           | lea                 edx, [esp + 0x70]

        $sequence_8 = { 0fb6420d 8844240d 0fb6420e 8844240e 0fb6420f 8844240f }
            // n = 6, score = 200
            //   0fb6420d             | movzx               eax, byte ptr [edx + 0xe]
            //   8844240d             | mov                 byte ptr [esp + 0xe], al
            //   0fb6420e             | movzx               eax, byte ptr [edx + 0xc]
            //   8844240e             | mov                 byte ptr [esp + 0xc], al
            //   0fb6420f             | movzx               eax, byte ptr [edx + 0xd]
            //   8844240f             | mov                 byte ptr [esp + 0xd], al

        $sequence_9 = { 488d542470 4889942488000000 c644241f01 488b9c24a0000000 }
            // n = 4, score = 200
            //   488d542470           | dec                 eax
            //   4889942488000000     | mov                 ebx, dword ptr [edi]
            //   c644241f01           | dec                 esp
            //   488b9c24a0000000     | mov                 eax, ebx

        $sequence_10 = { 488d4a01 488b442430 488b5c2438 90 4883f90f }
            // n = 5, score = 200
            //   488d4a01             | mov                 dword ptr [eax + 8], ecx
            //   488b442430           | dec                 eax
            //   488b5c2438           | lea                 ecx, [0x2b4]
            //   90                   | dec                 eax
            //   4883f90f             | mov                 dword ptr [eax], ecx

        $sequence_11 = { 0fb64212 8844240a 0fb64213 8844240b }
            // n = 4, score = 200
            //   0fb64212             | mov                 byte ptr [esp + 9], al
            //   8844240a             | movzx               eax, byte ptr [edx + 0x12]
            //   0fb64213             | mov                 byte ptr [esp + 0xa], al
            //   8844240b             | movzx               eax, byte ptr [edx + 0x10]

        $sequence_12 = { 0fb6420f 8844240f 488b442408 48894108 }
            // n = 4, score = 200
            //   0fb6420f             | mov                 byte ptr [esp + 0xf], al
            //   8844240f             | movzx               eax, byte ptr [edx + 0xe]
            //   488b442408           | mov                 byte ptr [esp + 0xe], al
            //   48894108             | movzx               eax, byte ptr [edx + 0xf]

        $sequence_13 = { 488d5c244b b902000000 0f1f440000 e8???????? }
            // n = 4, score = 200
            //   488d5c244b           | dec                 eax
            //   b902000000           | mov                 dword ptr [esp + 0x88], edx
            //   0f1f440000           | mov                 byte ptr [esp + 0x1f], 1
            //   e8????????           |                     

        $sequence_14 = { 014608 498bce ffd7 448b85e8040000 }
            // n = 4, score = 200
            //   014608               | dec                 eax
            //   498bce               | mov                 edi, dword ptr [esp + 0x50]
            //   ffd7                 | dec                 eax
            //   448b85e8040000       | mov                 esi, dword ptr [esp + 0x48]

        $sequence_15 = { 0fb64211 88442409 0fb64212 8844240a }
            // n = 4, score = 200
            //   0fb64211             | mov                 byte ptr [esp + 8], al
            //   88442409             | movzx               eax, byte ptr [edx + 0xf]
            //   0fb64212             | mov                 byte ptr [esp + 0xf], al
            //   8844240a             | dec                 eax

    condition:
        7 of them and filesize < 9435136
}