Ransomware. Uses dropper written in JavaScript to deploy a .NET payload.
rule win_blackbyte_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.blackbyte." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 488d15bc010000 4889542478 4889842480000000 488d542478 4889942490000000 c644242701 } // n = 6, score = 200 // 488d15bc010000 | movzx eax, byte ptr [edx + 0x14] // 4889542478 | movzx eax, byte ptr [edx + 0x12] // 4889842480000000 | mov byte ptr [esp + 0xa], al // 488d542478 | movzx eax, byte ptr [edx + 0x13] // 4889942490000000 | mov byte ptr [esp + 0xb], al // c644242701 | movzx eax, byte ptr [edx + 0x12] $sequence_1 = { 488d0db4020000 488908 833d????????00 7520 488b4c2428 48894808 } // n = 6, score = 200 // 488d0db4020000 | mov byte ptr [esp + 0xb], al // 488908 | movzx eax, byte ptr [edx + 0x14] // 833d????????00 | // 7520 | mov byte ptr [esp + 0xc], al // 488b4c2428 | movzx eax, byte ptr [edx + 0x12] // 48894808 | mov byte ptr [esp + 0xa], al $sequence_2 = { 0fb64210 88442408 0fb64211 88442409 } // n = 4, score = 200 // 0fb64210 | mov dword ptr [ecx + 8], eax // 88442408 | movzx eax, byte ptr [edx + 0x10] // 0fb64211 | movzx eax, byte ptr [edx + 0xf] // 88442409 | mov byte ptr [esp + 0xf], al $sequence_3 = { 0fb6420b 8844240b 0fb6420c 8844240c 0fb6420d 8844240d 0fb6420e } // n = 7, score = 200 // 0fb6420b | mov ecx, esi // 8844240b | call edi // 0fb6420c | inc esp // 8844240c | mov eax, dword ptr [ebp + 0x4e8] // 0fb6420d | inc ebp // 8844240d | test eax, eax // 0fb6420e | jne 0xffffff2d $sequence_4 = { 488d4a01 488b442428 488b5c2430 4883f903 } // n = 4, score = 200 // 488d4a01 | mov byte ptr [esp + 0xb], al // 488b442428 | movzx eax, byte ptr [edx + 0x14] // 488b5c2430 | mov byte ptr [esp + 0xc], al // 4883f903 | nop dword ptr [eax] $sequence_5 = { 0101 ffc5 3b6b68 0f82e6feffff } // n = 4, score = 200 // 0101 | add dword ptr [ecx], eax // ffc5 | inc ebp // 3b6b68 | cmp ebp, dword ptr [ebx + 0x68] // 0f82e6feffff | jb 0xfffffeec $sequence_6 = { 488d542478 4889942490000000 c644242701 488b9c24a8000000 488b8c24b0000000 e8???????? } // n = 6, score = 200 // 488d542478 | mov dword ptr [esp + 0x88], edx // 4889942490000000 | mov byte ptr [esp + 0x1f], 1 // c644242701 | dec eax // 488b9c24a8000000 | mov ebx, dword ptr [esp + 0xa0] // 488b8c24b0000000 | dec eax // e8???????? | $sequence_7 = { 488d4250 488b542430 488d5a50 b918000000 } // n = 4, score = 200 // 488d4250 | dec eax // 488b542430 | cmp ecx, 3 // 488d5a50 | dec eax // b918000000 | lea edx, [esp + 0x70] $sequence_8 = { 0fb6420d 8844240d 0fb6420e 8844240e 0fb6420f 8844240f } // n = 6, score = 200 // 0fb6420d | movzx eax, byte ptr [edx + 0xe] // 8844240d | mov byte ptr [esp + 0xe], al // 0fb6420e | movzx eax, byte ptr [edx + 0xc] // 8844240e | mov byte ptr [esp + 0xc], al // 0fb6420f | movzx eax, byte ptr [edx + 0xd] // 8844240f | mov byte ptr [esp + 0xd], al $sequence_9 = { 488d542470 4889942488000000 c644241f01 488b9c24a0000000 } // n = 4, score = 200 // 488d542470 | dec eax // 4889942488000000 | mov ebx, dword ptr [edi] // c644241f01 | dec esp // 488b9c24a0000000 | mov eax, ebx $sequence_10 = { 488d4a01 488b442430 488b5c2438 90 4883f90f } // n = 5, score = 200 // 488d4a01 | mov dword ptr [eax + 8], ecx // 488b442430 | dec eax // 488b5c2438 | lea ecx, [0x2b4] // 90 | dec eax // 4883f90f | mov dword ptr [eax], ecx $sequence_11 = { 0fb64212 8844240a 0fb64213 8844240b } // n = 4, score = 200 // 0fb64212 | mov byte ptr [esp + 9], al // 8844240a | movzx eax, byte ptr [edx + 0x12] // 0fb64213 | mov byte ptr [esp + 0xa], al // 8844240b | movzx eax, byte ptr [edx + 0x10] $sequence_12 = { 0fb6420f 8844240f 488b442408 48894108 } // n = 4, score = 200 // 0fb6420f | mov byte ptr [esp + 0xf], al // 8844240f | movzx eax, byte ptr [edx + 0xe] // 488b442408 | mov byte ptr [esp + 0xe], al // 48894108 | movzx eax, byte ptr [edx + 0xf] $sequence_13 = { 488d5c244b b902000000 0f1f440000 e8???????? } // n = 4, score = 200 // 488d5c244b | dec eax // b902000000 | mov dword ptr [esp + 0x88], edx // 0f1f440000 | mov byte ptr [esp + 0x1f], 1 // e8???????? | $sequence_14 = { 014608 498bce ffd7 448b85e8040000 } // n = 4, score = 200 // 014608 | dec eax // 498bce | mov edi, dword ptr [esp + 0x50] // ffd7 | dec eax // 448b85e8040000 | mov esi, dword ptr [esp + 0x48] $sequence_15 = { 0fb64211 88442409 0fb64212 8844240a } // n = 4, score = 200 // 0fb64211 | mov byte ptr [esp + 8], al // 88442409 | movzx eax, byte ptr [edx + 0xf] // 0fb64212 | mov byte ptr [esp + 0xf], al // 8844240a | dec eax condition: 7 of them and filesize < 9435136 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY