According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.
rule win_blacksuit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.blacksuit."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacksuit"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Each $sequence_N is a run of x86 instruction bytes lifted from the
     * reference sample. The "e8????????" entries are near-call opcodes with
     * the relative target displacement wildcarded, so the sequences survive
     * relocation of the called function; everything else is matched as-is.
     * "n" is the number of instructions in the run, "score" the generator's
     * selection weight. Because the input was unpacked code, the rule is
     * meant for memory-resident or unpacked content — a packed on-disk copy
     * would not expose these byte runs.
     */
    strings:
        $sequence_0 = { ff742414 e8???????? 8b6c241c 83c404 }
            // n = 4, score = 200
            //   ff742414        push  dword ptr [esp + 0x14]
            //   e8????????      call  <rel32 wildcarded>
            //   8b6c241c        mov   ebp, dword ptr [esp + 0x1c]
            //   83c404          add   esp, 4

        $sequence_1 = { 8d4abd e8???????? 83c408 8d4c2477 68080000f0 6a18 }
            // n = 6, score = 100
            //   8d4abd          lea   ecx, [edx - 0x43]
            //   e8????????      call  <rel32 wildcarded>
            //   83c408          add   esp, 8
            //   8d4c2477        lea   ecx, [esp + 0x77]
            //   68080000f0      push  0xf0000008
            //   6a18            push  0x18

        $sequence_2 = { 8d4abd e8???????? 83c408 8d4c2420 68000000f0 6a01 6a00 }
            // n = 7, score = 100
            //   8d4abd          lea   ecx, [edx - 0x43]
            //   e8????????      call  <rel32 wildcarded>
            //   83c408          add   esp, 8
            //   8d4c2420        lea   ecx, [esp + 0x20]
            //   68000000f0      push  0xf0000000
            //   6a01            push  1
            //   6a00            push  0

        $sequence_3 = { e8???????? 8be8 83c404 896c2424 83fd02 0f8ca9020000 }
            // n = 6, score = 100
            //   e8????????      call  <rel32 wildcarded>
            //   8be8            mov   ebp, eax
            //   83c404          add   esp, 4
            //   896c2424        mov   dword ptr [esp + 0x24], ebp
            //   83fd02          cmp   ebp, 2
            //   0f8ca9020000    jl    0x2af

        $sequence_4 = { e8???????? 8be8 83c404 896c241c 85ed 0f849d010000 }
            // n = 6, score = 100
            //   e8????????      call  <rel32 wildcarded>
            //   8be8            mov   ebp, eax
            //   83c404          add   esp, 4
            //   896c241c        mov   dword ptr [esp + 0x1c], ebp
            //   85ed            test  ebp, ebp
            //   0f849d010000    je    0x1a3

        $sequence_5 = { e8???????? 8be8 83c404 85ed 0f8414010000 8d84249c000000 }
            // n = 6, score = 100
            //   e8????????      call  <rel32 wildcarded>
            //   8be8            mov   ebp, eax
            //   83c404          add   esp, 4
            //   85ed            test  ebp, ebp
            //   0f8414010000    je    0x11a
            //   8d84249c000000  lea   eax, [esp + 0x9c]

        $sequence_6 = { 8d4aca e8???????? 83c408 57 }
            // n = 4, score = 100
            //   8d4aca          lea   ecx, [edx - 0x36]
            //   e8????????      call  <rel32 wildcarded>
            //   83c408          add   esp, 8
            //   57              push  edi

        $sequence_7 = { e8???????? 8be8 83c404 83fd01 7510 56 }
            // n = 6, score = 100
            //   e8????????      call  <rel32 wildcarded>
            //   8be8            mov   ebp, eax
            //   83c404          add   esp, 4
            //   83fd01          cmp   ebp, 1
            //   7510            jne   0x12
            //   56              push  esi

        $sequence_8 = { e8???????? 8be8 56 896c2434 e8???????? 83c418 }
            // n = 6, score = 100
            //   e8????????      call  <rel32 wildcarded>
            //   8be8            mov   ebp, eax
            //   56              push  esi
            //   896c2434        mov   dword ptr [esp + 0x34], ebp
            //   e8????????      call  <rel32 wildcarded>
            //   83c418          add   esp, 0x18

        $sequence_9 = { e8???????? 8be8 83c404 81fdaa020000 750a c7442414204f5b00 }
            // n = 6, score = 100
            //   e8????????      call  <rel32 wildcarded>
            //   8be8            mov   ebp, eax
            //   83c404          add   esp, 4
            //   81fdaa020000    cmp   ebp, 0x2aa
            //   750a            jne   0xc
            //   c7442414204f5b00 mov  dword ptr [esp + 0x14], 0x5b4f20

        $sequence_10 = { e8???????? 8be8 83c404 33ff 85ed 741b }
            // n = 6, score = 100
            //   e8????????      call  <rel32 wildcarded>
            //   8be8            mov   ebp, eax
            //   83c404          add   esp, 4
            //   33ff            xor   edi, edi
            //   85ed            test  ebp, ebp
            //   741b            je    0x1d

        $sequence_11 = { 8d4abd e8???????? 83c408 8d8c2450040000 51 68ff010000 }
            // n = 6, score = 100
            //   8d4abd          lea   ecx, [edx - 0x43]
            //   e8????????      call  <rel32 wildcarded>
            //   83c408          add   esp, 8
            //   8d8c2450040000  lea   ecx, [esp + 0x450]
            //   51              push  ecx
            //   68ff010000      push  0x1ff

        $sequence_12 = { 8d4abf e8???????? 83c408 6a00 }
            // n = 4, score = 100
            //   8d4abf          lea   ecx, [edx - 0x41]
            //   e8????????      call  <rel32 wildcarded>
            //   83c408          add   esp, 8
            //   6a00            push  0

        $sequence_13 = { 8d4ac7 e8???????? 83c408 8d9424dc000000 }
            // n = 4, score = 100
            //   8d4ac7          lea   ecx, [edx - 0x39]
            //   e8????????      call  <rel32 wildcarded>
            //   83c408          add   esp, 8
            //   8d9424dc000000  lea   edx, [esp + 0xdc]

        $sequence_14 = { 8d4ac8 e8???????? 8d4c2419 51 }
            // n = 4, score = 100
            //   8d4ac8          lea   ecx, [edx - 0x38]
            //   e8????????      call  <rel32 wildcarded>
            //   8d4c2419        lea   ecx, [esp + 0x19]
            //   51              push  ecx

    /* Fire only when at least 7 of the 15 byte runs are present AND the
     * scanned object is below the size cap (bytes). Note the cap is part of
     * the conjunction: a larger object (e.g. a padded copy or a full process
     * dump) will not match even if all sequences are found, so adjust or
     * drop it when scanning memory rather than files.
     */
    condition:
        7 of ($sequence_*) and filesize < 4764672
}