win.blackshades (Back to overview)

BlackShades


There is no description at this point.

References
2020 · Secureworks · SecureWorks
@online{secureworks:2020:aluminum:af22ffd, author = {SecureWorks}, title = {{ALUMINUM SARATOGA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/aluminum-saratoga}, language = {English}, urldate = {2020-05-23} } ALUMINUM SARATOGA
BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats
2014-05-30 · Malwarebytes · Adam Kujawa
@online{kujawa:20140530:taking:d9b729e, author = {Adam Kujawa}, title = {{Taking off the Blackshades}}, date = {2014-05-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/}, language = {English}, urldate = {2019-12-20} } Taking off the Blackshades
BlackShades
2012-06-21 · Malwarebytes · Adam Kujawa
@online{kujawa:20120621:blackshades:3002f8a, author = {Adam Kujawa}, title = {{BlackShades in Syria}}, date = {2012-06-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/}, language = {English}, urldate = {2019-12-20} } BlackShades in Syria
BlackShades
2012-06-21 · Contagio Dump · Mila Parkour
@online{parkour:20120621:rat:2186087, author = {Mila Parkour}, title = {{RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army}}, date = {2012-06-21}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html}, language = {English}, urldate = {2019-12-20} } RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army
BlackShades DarkComet Terminator RAT
2012-06-15 · Malwarebytes · Adam Kujawa
@online{kujawa:20120615:you:307c877, author = {Adam Kujawa}, title = {{You Dirty RAT! Part 2 – BlackShades NET}}, date = {2012-06-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/}, language = {English}, urldate = {2019-12-20} } You Dirty RAT! Part 2 – BlackShades NET
BlackShades
Yara Rules
[TLP:WHITE] win_blackshades_auto (20230125 | Detects win.blackshades.)
rule win_blackshades_auto {
    // Auto-generated (YARA-Signator) code-sequence rule for the Malpedia family
    // win.blackshades. Every $sequence_N below is an exact byte pattern lifted
    // from one documented sample (no wide/nocase modifiers), so this is a
    // sample-specific byte signature rather than a behavioural detection.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.blackshades."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): several of the sequences disassemble to instructions that
    // are rare in ordinary compiled code (sti, out dx, insb, push cs, hlt, std,
    // sahf), so the generator appears to have lifted bytes from data or
    // non-code regions of the dump rather than from recognisable code. Treat a
    // hit as a low-confidence indicator and corroborate it (e.g. with
    // win_blackshades_w0 or dynamic analysis). Also note that $sequence_5 is a
    // strict prefix of $sequence_3 and $sequence_1/$sequence_6 share their
    // first four bytes, so the "7 of them" threshold below counts fewer
    // independent pieces of evidence than it appears to.

    strings:
        $sequence_0 = { fb ef 20ff 60 }
            // n = 4, score = 100
            //   fb                   | sti                 
            //   ef                   | out                 dx, eax
            //   20ff                 | and                 bh, bh
            //   60                   | pushal              

        // Shares its first four bytes (0e 6c 50 fff5) with $sequence_6.
        $sequence_1 = { 0e 6c 50 fff5 2e0000 00c7 1cf0 }
            // n = 7, score = 100
            //   0e                   | push                cs
            //   6c                   | insb                byte ptr es:[edi], dx
            //   50                   | push                eax
            //   fff5                 | push                ebp
            //   2e0000               | add                 byte ptr cs:[eax], al
            //   00c7                 | add                 bh, al
            //   1cf0                 | sbb                 al, 0xf0

        // Overlaps $sequence_9 on the bytes 0200 d0fd 0200.
        $sequence_2 = { 0014fe 0200 f4 fd 0200 d0fd 0200 }
            // n = 7, score = 100
            //   0014fe               | add                 byte ptr [esi + edi*8], dl
            //   0200                 | add                 al, byte ptr [eax]
            //   f4                   | hlt                 
            //   fd                   | std                 
            //   0200                 | add                 al, byte ptr [eax]
            //   d0fd                 | sar                 ch, 1
            //   0200                 | add                 al, byte ptr [eax]

        $sequence_3 = { 1b01 01fb 301ce2 2000 0b7f0c 00f4 }
            // n = 6, score = 100
            //   1b01                 | sbb                 eax, dword ptr [ecx]
            //   01fb                 | add                 ebx, edi
            //   301ce2               | xor                 byte ptr [edx], bl
            //   2000                 | and                 byte ptr [eax], al
            //   0b7f0c               | or                  edi, dword ptr [edi + 0xc]
            //   00f4                 | add                 ah, dh

        $sequence_4 = { 60 3178ff 3606 0050ff 40 ff20 ff1e }
            // n = 7, score = 100
            //   60                   | pushal              
            //   3178ff               | xor                 dword ptr [eax - 1], edi
            //   3606                 | push                es
            //   0050ff               | add                 byte ptr [eax - 1], dl
            //   40                   | inc                 eax
            //   ff20                 | jmp                 dword ptr [eax]
            //   ff1e                 | lcall               [esi]

        // Strict prefix of $sequence_3: whenever $sequence_3 matches, this
        // string matches too, so the pair contributes at most one independent
        // observation toward the condition.
        $sequence_5 = { 1b01 01fb 301ce2 2000 }
            // n = 4, score = 100
            //   1b01                 | sbb                 eax, dword ptr [ecx]
            //   01fb                 | add                 ebx, edi
            //   301ce2               | xor                 byte ptr [edx], bl
            //   2000                 | and                 byte ptr [eax], al

        // Shares its first four bytes (0e 6c 50 fff5) with $sequence_1.
        $sequence_6 = { 0e 6c 50 fff5 40 0000 00c7 }
            // n = 7, score = 100
            //   0e                   | push                cs
            //   6c                   | insb                byte ptr es:[edi], dx
            //   50                   | push                eax
            //   fff5                 | push                ebp
            //   40                   | inc                 eax
            //   0000                 | add                 byte ptr [eax], al
            //   00c7                 | add                 bh, al

        $sequence_7 = { 0458 ff405e 8b01 0400 7104 }
            // n = 5, score = 100
            //   0458                 | add                 al, 0x58
            //   ff405e               | inc                 dword ptr [eax + 0x5e]
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   0400                 | add                 al, 0
            //   7104                 | jno                 6

        $sequence_8 = { 0200 0000 6c 70ff 9e }
            // n = 5, score = 100
            //   0200                 | add                 al, byte ptr [eax]
            //   0000                 | add                 byte ptr [eax], al
            //   6c                   | insb                byte ptr es:[edi], dx
            //   70ff                 | jo                  1
            //   9e                   | sahf                

        // Overlaps $sequence_2 on the bytes 0200 d0fd 0200.
        $sequence_9 = { 0200 d0fd 0200 b0fd 0200 7cfd }
            // n = 6, score = 100
            //   0200                 | add                 al, byte ptr [eax]
            //   d0fd                 | sar                 ch, 1
            //   0200                 | add                 al, byte ptr [eax]
            //   b0fd                 | mov                 al, 0xfd
            //   0200                 | add                 al, byte ptr [eax]
            //   7cfd                 | jl                  0xffffffff

    condition:
        // At least 7 of the 10 byte sequences must be present, and only files
        // smaller than 999424 bytes (~976 KiB) are considered: larger samples
        // and large memory dumps never match this rule regardless of content.
        7 of them and filesize < 999424
}
[TLP:WHITE] win_blackshades_w0 (20170517 | No description)
rule win_blackshades_w0 {
	// Hand-written BlackShades rule (Jean-Philippe Teissier, 2013) imported
	// into Malpedia from the sfiles_yara collection. Note the CC BY-NC-SA 4.0
	// (non-commercial) licence in meta before bundling it into a product.
	meta:
		author = "Jean-Philippe Teissier / @Jipe_"
		date = "2013-01-12"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/BlackShades.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

	strings:
		// UTF-16LE "Blackshades" (the final NUL of the last 's' is omitted).
		// This is only the product name as a wide string, so it also fires on
		// documents, reports and tooling that mention BlackShades; weak alone.
		$a = { 42 00 6C 00 61 00 63 00 6B 00 73 00 68 00 61 00 64 00 65 00 73 }
		// Run of 16-bit little-endian words all in the 0x00-0x3E range, i.e.
		// not printable text. NOTE(review): presumably an encoded/obfuscated
		// wide string taken from the sample; the decoding is not verified here.
		$b = { 36 00 3C 00 32 00 20 00 32 00 32 00 26 00 31 00 39 00 3E 00 1D 00 17 00 17 00 1C 00 07 00 1B 00 03 00 07 00 28 00 23 00 0C 00 1D 00 10 00 1B 00 12 00 00 00 28 00 37 00 10 00 01 00 06 00 11 00 0B 00 07 00 22 00 11 00 17 00 00 00 1D 00 1B 00 0B 00 2F 00 26 00 01 00 0B }
		// ASCII "bss_server".
		$c = { 62 73 73 5F 73 65 72 76 65 72 }
		// ASCII "CLICK_DELAY", a NUL byte, then "SCK_ID": two adjacent
		// NUL-terminated identifiers as laid out in the sample.
		$d = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
		// ASCII "modInjPE".
		$e = { 6D 6F 64 49 6E 6A 50 45 }
		// 64-hex-character constant (case-sensitive ASCII, no modifiers).
		// A match on this string alone triggers the rule.
		$apikey = "f45e373429c0def355ed9feff30eff9ca21eec0fafa1e960bea6068f34209439"

	condition:
		// Any single string is sufficient. Because $a and $e are plain names,
		// a hit on one string alone is low confidence: check which string
		// fired (e.g. `yara -s`) before treating the file as a BlackShades
		// sample.
		any of ($a, $b, $c, $d, $e) or $apikey		
}