win.blackremote

BlackRemote

aka: BlackRAT

There is no description at this point.

References
2023-08-31 | AhnLab | Sanseo
Analysis of Andariel’s New Attack Activities
Andardoor, BlackRemote, Tiger RAT, Volgmer
2020-05-14 | SophosLabs | Markel Picado
RATicate: an attacker’s waves of information-stealing malware
Agent Tesla, BetaBot, BlackRemote, Formbook, Loki Password Stealer (PWS), NetWire RC, NjRAT, Remcos
2019-10-19 | Palo Alto Networks Unit 42 | Unit42
商用RATのエコシステム: Unit 42、高機能商用RAT Blackremote RATの作者を公開後数日で特定
BlackRemote
2019-10-15 | Palo Alto Networks Unit 42 | Unit42
Blackremote: Money Money Money – A Swedish Actor Peddles an Expensive New RAT
BlackRemote
Yara Rules
[TLP:WHITE] win_blackremote_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_blackremote_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackremote"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Rule logic: ten short byte sequences ($sequence_0 .. $sequence_9), each
     * selected by yara-signator from the x86 disassembly of the documented
     * sample. The condition fires when at least 7 of the 10 sequences occur
     * and the scanned file is smaller than 1934336 bytes. Bytes written as
     * "??" are wildcards (the operand bytes after a0 in $sequence_5 and after
     * c5 05 in $sequence_7); presumably addresses that vary between builds --
     * not confirmed here.
     *
     * NOTE(review): several of the listed decodes (enter 0x4520, 0; int3;
     * push cs; pop ds; or byte ptr [eax], al) are unusual for compiler-emitted
     * code, and the companion rule win_blackremote_w0 matches a byte pattern
     * that looks like .NET CIL. The sequences may therefore originate from
     * non-code or CIL regions disassembled as x86. They still work as raw byte
     * patterns, but re-check them on fresh samples before assigning this rule
     * a high confidence level.
     */
    strings:
        $sequence_0 = { c8204500 0800 cc 20c5 050800e420 }
            // n = 5, score = 100
            //   c8204500             | enter               0x4520, 0
            //   0800                 | or                  byte ptr [eax], al
            //   cc                   | int3                
            //   20c5                 | and                 ch, al
            //   050800e420           | add                 eax, 0x20e40008

        $sequence_1 = { 0e 0800 60 2137 }
            // n = 4, score = 100
            //   0e                   | push                cs
            //   0800                 | or                  byte ptr [eax], al
            //   60                   | pushal              
            //   2137                 | and                 dword ptr [edi], esi

        $sequence_2 = { f5 3b00 1f f9 }
            // n = 4, score = 100
            //   f5                   | cmc                 
            //   3b00                 | cmp                 eax, dword ptr [eax]
            //   1f                   | pop                 ds
            //   f9                   | stc                 

        $sequence_3 = { 49 5e 0800 1c20 4e 5e }
            // n = 6, score = 100
            //   49                   | dec                 ecx
            //   5e                   | pop                 esi
            //   0800                 | or                  byte ptr [eax], al
            //   1c20                 | sbb                 al, 0x20
            //   4e                   | dec                 esi
            //   5e                   | pop                 esi

        $sequence_4 = { cc 20c5 050800e420 5f 0a08 00e8 }
            // n = 6, score = 100
            //   cc                   | int3                
            //   20c5                 | and                 ch, al
            //   050800e420           | add                 eax, 0x20e40008
            //   5f                   | pop                 edi
            //   0a08                 | or                  cl, byte ptr [eax]
            //   00e8                 | add                 al, ch

        // Wildcarded operand after a0: the four address bytes are not pinned.
        $sequence_5 = { 98 23d1 3808 009c23d6380800 a0???????? 00a423e0380800 a823 }
            // n = 7, score = 100
            //   98                   | cwde                
            //   23d1                 | and                 edx, ecx
            //   3808                 | cmp                 byte ptr [eax], cl
            //   009c23d6380800       | add                 byte ptr [ebx + 0x838d6], bl
            //   a0????????           |                     
            //   00a423e0380800       | add                 byte ptr [ebx + 0x838e0], ah
            //   a823                 | test                al, 0x23

        $sequence_6 = { 3808 00b423e5380800 b823b96408 00bc23be640800 }
            // n = 4, score = 100
            //   3808                 | cmp                 byte ptr [eax], cl
            //   00b423e5380800       | add                 byte ptr [ebx + 0x838e5], dh
            //   b823b96408           | mov                 eax, 0x864b923
            //   00bc23be640800       | add                 byte ptr [ebx + 0x864be], bh

        // Wildcarded operand after c5 05: the four address bytes are not pinned.
        $sequence_7 = { c505???????? ac 0a08 008023b10a08 008423b60a0800 8823 bb0a080090 }
            // n = 7, score = 100
            //   c505????????         |                     
            //   ac                   | lodsb               al, byte ptr [esi]
            //   0a08                 | or                  cl, byte ptr [eax]
            //   008023b10a08         | add                 byte ptr [eax + 0x80ab123], al
            //   008423b60a0800       | add                 byte ptr [ebx + 0x80ab6], al
            //   8823                 | mov                 byte ptr [ebx], ah
            //   bb0a080090           | mov                 ebx, 0x9000080a

        $sequence_8 = { 22b10a08003c 22b60a080040 22bb0a080064 235f0a }
            // n = 4, score = 100
            //   22b10a08003c         | and                 dh, byte ptr [ecx + 0x3c00080a]
            //   22b60a080040         | and                 dh, byte ptr [esi + 0x4000080a]
            //   22bb0a080064         | and                 bh, byte ptr [ebx + 0x6400080a]
            //   235f0a               | and                 ebx, dword ptr [edi + 0xa]

        $sequence_9 = { 2002 5f 0800 b020 07 5f 0800 }
            // n = 7, score = 100
            //   2002                 | and                 byte ptr [edx], al
            //   5f                   | pop                 edi
            //   0800                 | or                  byte ptr [eax], al
            //   b020                 | mov                 al, 0x20
            //   07                   | pop                 es
            //   5f                   | pop                 edi
            //   0800                 | or                  byte ptr [eax], al

    condition:
        // at least 7 of the 10 sequences, and a file smaller than 1934336 bytes
        7 of them and filesize < 1934336
}
[TLP:WHITE] win_blackremote_w0   (20200323 | No description)
rule win_blackremote_w0 {
    meta:
        author = "jeFF0Falltrades"
        ref = "https://unit42.paloaltonetworks.com/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/"
        source = "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/blackremote_blackrat.md"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackremote"
        malpedia_version = "20200323"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    /* Three kinds of evidence are combined: two delimiter regexes (named by the
     * author as C2-related), one repeated opcode pattern, and two version
     * strings. A hit always needs at least one regex or the opcode pattern;
     * the version strings are generic on their own and only count towards the
     * overall "2 of them" threshold.
     */
    strings:
        // Delimiter layouts: four "%*%|<A-Z0-9>|" groups, and a "|!*!||!*!|" pair.
        $re_c2_1 = /%\*%\|[A-Z0-9]+?\|%\*%\|[A-Z0-9]+?\|%\*%\|[A-Z0-9]+?\|%\*%\|[A-Z0-9]+?/ wide ascii
        $re_c2_2 = /\|!\*!\|\|!\*!\|/ wide ascii

        // The same 13-byte group three times; the "?? 00 00 0A" runs after 28
        // and 6F look like .NET MemberRef tokens behind call/callvirt opcodes
        // (presumably CIL, not x86 -- confirm against a sample).
        $hex_rsrc = { 06 12 09 28 ?? 00 00 0A 6F ?? 00 00 0A 06 12 09 28 ?? 00 00 0A 6F ?? 00 00 0A 06 12 09 28 ?? 00 00 0A 6F ?? 00 00 0A }

        // Version strings: weak indicators, corroboration only.
        $str_vers_1 = "16.0.0.0" wide ascii
        $str_vers_2 = "16.2.0.0" wide ascii

    condition:
        (1 of ($re*) or $hex_rsrc) and 2 of them
}
[TLP:WHITE] win_blackremote_w1   (20200323 | No description)
rule win_blackremote_w1 {
    meta:
        author = "jeFF0Falltrades"
        ref = "https://unit42.paloaltonetworks.com/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/"
        source = "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/blackremote_blackrat.md"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackremote"
        malpedia_version = "20200323"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    /* Plain-string rule: any 3 of the 11 case-insensitive strings below
     * trigger it. The PDB path ($str_0/$str_1) is the most specific evidence;
     * several of the other names are short and could plausibly occur in
     * unrelated .NET tooling, so treat a hit without the PDB strings as
     * lower-confidence and confirm with the other rules on this page.
     */
    strings:
        // Build artifact: full PDB path and bare PDB file name.
        $str_0 = "K:\\5.0\\Black Server 5.0\\BlackServer\\bin\\Release\\BlackRATServerM.pdb" wide ascii nocase
        $str_1 = "BlackRATServerM.pdb" wide ascii nocase

        // Type / module names.
        $str_2 = "RATTypeBinder" wide ascii nocase
        $str_3 = "ProClient.dll" wide ascii nocase
        $str_4 = "Clientx.dll" wide ascii nocase

        // Feature names (what they do is inferred from the names only).
        $str_5 = "FileMelting" wide ascii nocase
        $str_7 = "SetRemoteDesktopQuality" wide ascii nocase
        $str_8 = "RecoverChrome" wide ascii nocase
        $str_9 = "RecoverFileZilla" wide ascii nocase
        $str_10 = "RemoteAudioGetInfo" wide ascii nocase

        // Registry subkey path for the Foxmail mailto handler; presumably
        // queried during credential recovery -- not verified here.
        $str_6 = "Foxmail.url.mailto\\Shell\\open\\command" wide ascii nocase

    condition:
        3 of ($str_*)
}