win.blackshades

BlackShades


There is no description at this point.

References
2020-01-01 · Secureworks · SecureWorks
ALUMINUM SARATOGA
BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats
2014-05-30 · Malwarebytes · Adam Kujawa
Taking off the Blackshades
BlackShades
2012-06-21 · Malwarebytes · Adam Kujawa
BlackShades in Syria
BlackShades
2012-06-21 · Contagio Dump · Mila Parkour
RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army
BlackShades DarkComet Terminator RAT
2012-06-15 · Malwarebytes · Adam Kujawa
You Dirty RAT! Part 2 – BlackShades NET
BlackShades
Yara Rules
[TLP:WHITE] win_blackshades_auto (20230808 | Detects win.blackshades.)
/*
 * win_blackshades_auto: autogenerated YARA signature for the win.blackshades
 * family. The ten $sequence_* strings are short byte runs that yara-signator
 * selected from the disassembly of the Malpedia reference samples (see the
 * DISCLAIMER inside the rule). The "n" / "score" values in the comments are
 * generator output only; YARA does not read comments, so they carry no match
 * weight at scan time.
 *
 * Match semantics: at least 7 of the 10 sequences must be present and the
 * scanned file must be smaller than 999424 bytes. `filesize` is a property of
 * the scanned file, so the size cap is only meaningful for file/dump scans;
 * confirm how your scanner evaluates it for process memory before relying on it.
 *
 * Review notes on independence of the sequences (from the byte patterns alone):
 *   - $sequence_7 is $sequence_6 followed by one extra byte (4a), so every
 *     $sequence_7 hit is also a $sequence_6 hit; when both fire, "7 of them"
 *     amounts to 6 independent hits.
 *   - the last five items of $sequence_5 are the first five items of
 *     $sequence_9, and $sequence_1 shares the "0200 0000 6c" run with both,
 *     so these presumably fire on the same code region and correlate as well.
 *   - several listed opcodes (insb, pushal, hlt, iretd, far lcall/ljmp with
 *     unusual operands) look like misaligned or non-code bytes; the generator
 *     may have selected them from data rather than executable logic, which
 *     would limit generalization across builds and packers -- treat a match
 *     as a triage signal and confirm with the win_blackshades_w0 artefacts or
 *     sandbox behaviour.
 *
 * Provenance: meta carries three different timestamps (date,
 * malpedia_rule_date, malpedia_version); which one to cite should be confirmed
 * against the upstream rule set identified by malpedia_hash.
 */
rule win_blackshades_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.blackshades."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a raw hex pattern; the indented lines below it
        // are the generator's disassembly of those bytes, for human reference.
        $sequence_0 = { ff9e0460ff34 6c 60 ff0a }
            // n = 4, score = 100
            //   ff9e0460ff34         | lcall               [esi + 0x34ff6004]
            //   6c                   | insb                byte ptr es:[edi], dx
            //   60                   | pushal              
            //   ff0a                 | dec                 dword ptr [edx]

        // shares the "0200 0000 6c" run with $sequence_5 and $sequence_9
        $sequence_1 = { 08fe f5 0200 0000 6c 70ff 9e }
            // n = 7, score = 100
            //   08fe                 | or                  dh, bh
            //   f5                   | cmc                 
            //   0200                 | add                 al, byte ptr [eax]
            //   0000                 | add                 byte ptr [eax], al
            //   6c                   | insb                byte ptr es:[edi], dx
            //   70ff                 | jo                  1
            //   9e                   | sahf                

        $sequence_2 = { 70ff f30004eb f4 02eb fb cf }
            // n = 6, score = 100
            //   70ff                 | jo                  1
            //   f30004eb             | add                 byte ptr [ebx + ebp*8], al
            //   f4                   | hlt                 
            //   02eb                 | add                 ch, bl
            //   fb                   | sti                 
            //   cf                   | iretd               

        $sequence_3 = { 351cff1e55 2c00 0d6c04ff1b c700fb301cc9 }
            // n = 4, score = 100
            //   351cff1e55           | xor                 eax, 0x551eff1c
            //   2c00                 | sub                 al, 0
            //   0d6c04ff1b           | or                  eax, 0x1bff046c
            //   c700fb301cc9         | mov                 dword ptr [eax], 0xc91c30fb

        $sequence_4 = { 58 2f 60 ff6c74ff }
            // n = 4, score = 100
            //   58                   | pop                 eax
            //   2f                   | das                 
            //   60                   | pushal              
            //   ff6c74ff             | ljmp                [esp + esi*2 - 1]

        // the last five items here are the first five items of $sequence_9
        $sequence_5 = { 2a23 60 ff1b 0d002a460c fff5 0200 0000 }
            // n = 7, score = 100
            //   2a23                 | sub                 ah, byte ptr [ebx]
            //   60                   | pushal              
            //   ff1b                 | lcall               [ebx]
            //   0d002a460c           | or                  eax, 0xc462a00
            //   fff5                 | push                ebp
            //   0200                 | add                 al, byte ptr [eax]
            //   0000                 | add                 byte ptr [eax], al

        $sequence_6 = { 6c ff4a71 70ff 00746c78 ff1b }
            // n = 5, score = 100
            //   6c                   | insb                byte ptr es:[edi], dx
            //   ff4a71               | dec                 dword ptr [edx + 0x71]
            //   70ff                 | jo                  1
            //   00746c78             | add                 byte ptr [esp + ebp*2 + 0x78], dh
            //   ff1b                 | lcall               [ebx]

        // identical to $sequence_6 plus a trailing 4a: a hit here always
        // implies a $sequence_6 hit, so the two are not independent evidence
        $sequence_7 = { 6c ff4a71 70ff 00746c78 ff1b 4a }
            // n = 6, score = 100
            //   6c                   | insb                byte ptr es:[edi], dx
            //   ff4a71               | dec                 dword ptr [edx + 0x71]
            //   70ff                 | jo                  1
            //   00746c78             | add                 byte ptr [esp + ebp*2 + 0x78], dh
            //   ff1b                 | lcall               [ebx]
            //   4a                   | dec                 edx

        $sequence_8 = { ff6c48ff 6c 4c ff40fc }
            // n = 4, score = 100
            //   ff6c48ff             | ljmp                [eax + ecx*2 - 1]
            //   6c                   | insb                byte ptr es:[edi], dx
            //   4c                   | dec                 esp
            //   ff40fc               | inc                 dword ptr [eax - 4]

        // overlaps $sequence_5 (see above)
        $sequence_9 = { ff1b 0d002a460c fff5 0200 0000 6c }
            // n = 6, score = 100
            //   ff1b                 | lcall               [ebx]
            //   0d002a460c           | or                  eax, 0xc462a00
            //   fff5                 | push                ebp
            //   0200                 | add                 al, byte ptr [eax]
            //   0000                 | add                 byte ptr [eax], al
            //   6c                   | insb                byte ptr es:[edi], dx

    condition:
        // at least 7 of the 10 $sequence_* strings (the rule defines no other
        // strings, so "them" is exactly those), plus a size cap in bytes
        7 of them and filesize < 999424
}
[TLP:WHITE] win_blackshades_w0 (20170517 | No description)
/*
 * win_blackshades_w0: hand-written detection for the BlackShades RAT, taken
 * from the sfiles_yara repository named in meta.source. It keys on a handful
 * of artefacts rather than on code sequences:
 *   $a      "Blackshades" spelled in UTF-16LE (the 00 after the final 's' is
 *           not required, so this is slightly looser than the equivalent
 *           "wide" text string would be)
 *   $b      a wide-layout run (every other byte is 00) whose low bytes are
 *           mostly control-range values; presumably an encoded string from
 *           the sample -- its origin is not documented in the rule
 *   $c      "bss_server"
 *   $d      "CLICK_DELAY" NUL "SCK_ID"
 *   $e      "modInjPE"
 *   $apikey a 64-hex-character ASCII value the author labelled as an API key
 *
 * Any single artefact is enough to match. Because $a is just the family name
 * in UTF-16, documents and reports that mention BlackShades may also trigger
 * this rule; corroborate a lone $a hit with the more specific strings before
 * acting on it.
 */
rule win_blackshades_w0 {
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-01-12"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/BlackShades.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // "Blackshades" in UTF-16LE
        $a = { 42 00 6C 00 61 00 63 00 6B 00 73 00 68 00 61 00 64 00 65 00 73 }
        // wide-layout encoded run; see the header comment
        $b = { 36 00 3C 00 32 00 20 00 32 00 32 00 26 00 31 00 39 00 3E 00 1D 00 17 00 17 00 1C 00 07 00 1B 00 03 00 07 00 28 00 23 00 0C 00 1D 00 10 00 1B 00 12 00 00 00 28 00 37 00 10 00 01 00 06 00 11 00 0B 00 07 00 22 00 11 00 17 00 00 00 1D 00 1B 00 0B 00 2F 00 26 00 01 00 0B }
        // "bss_server"
        $c = { 62 73 73 5F 73 65 72 76 65 72 }
        // "CLICK_DELAY\0SCK_ID"
        $d = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
        // "modInjPE"
        $e = { 6D 6F 64 49 6E 6A 50 45 }
        // literal ASCII token
        $apikey = "f45e373429c0def355ed9feff30eff9ca21eec0fafa1e960bea6068f34209439"

    condition:
        // "them" covers every string above, so this is identical to
        // "any of ($a, $b, $c, $d, $e) or $apikey"
        any of them
}