win.bqtlock

BQTlock


There is no description at this point.

References
2025-09-12 | SOCRadar | Aaron Jornet, SOCRadar
BQTLock Ransomware
BQTlock
2025-08-22 | K7 Security | Harihara Sudhan
Examining the tactics of BQTLOCK Ransomware & its variants
BQTlock
2025-07-31 | Twitter (@JAMESWT_WT) | JamesWT
Tweet about BQTlock
BQTlock
Yara Rules
[TLP:WHITE] win_bqtlock_auto (20260504 | Detects win.bqtlock.)
rule win_bqtlock_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.bqtlock."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bqtlock"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-byte annotations below have been regenerated.
     * The original listing decoded the bytes as 32-bit x86 and its comment
     * column was shifted against the byte column (e.g. "31db" was labelled
     * "je 0xc3" although it is unambiguously "xor ebx, ebx", and "85d2" was
     * labelled "xor ebx, ebx" although it is "test edx, edx"). Every sequence
     * carries REX prefixes (0x41/0x48/0x49/0x4c/0x4d), so the bytes are
     * decoded here as x86-64. "????????" wildcards stand for rel32 call/jmp
     * targets and one RIP-relative displacement, which differ between builds.
     * Per sequence: n = number of instructions in the sequence; score is the
     * value yara-signator assigned when selecting it (see the tool's docs).
     * The hex patterns themselves are unchanged.
     */

    strings:
        $sequence_0 = { 837c2460ff 742b 410fb64720 31db 41bcffffffff e9???????? 31d2 }
            // n = 7, score = 100
            //   837c2460ff           | cmp                 dword ptr [rsp + 0x60], 0xffffffff
            //   742b                 | je                  <+0x2b>
            //   410fb64720           | movzx               eax, byte ptr [r15 + 0x20]
            //   31db                 | xor                 ebx, ebx
            //   41bcffffffff         | mov                 r12d, 0xffffffff
            //   e9????????           | jmp                 <rel32 wildcarded>
            //   31d2                 | xor                 edx, edx

        $sequence_1 = { 4c894c2450 48897c2448 f6411801 0f85e6000000 4889842480000000 488d8424d4000000 4c8d842490000000 }
            // n = 7, score = 100
            //   4c894c2450           | mov                 qword ptr [rsp + 0x50], r9
            //   48897c2448           | mov                 qword ptr [rsp + 0x48], rdi
            //   f6411801             | test                byte ptr [rcx + 0x18], 1
            //   0f85e6000000         | jne                 <+0xe6>
            //   4889842480000000     | mov                 qword ptr [rsp + 0x80], rax
            //   488d8424d4000000     | lea                 rax, [rsp + 0xd4]
            //   4c8d842490000000     | lea                 r8, [rsp + 0x90]

        $sequence_2 = { 4d8b5908 4c8b8424b8000000 4c8b8c24c0000000 488b06 4889442468 488b02 4889cb }
            // n = 7, score = 100
            //   4d8b5908             | mov                 r11, qword ptr [r9 + 8]
            //   4c8b8424b8000000     | mov                 r8, qword ptr [rsp + 0xb8]
            //   4c8b8c24c0000000     | mov                 r9, qword ptr [rsp + 0xc0]
            //   488b06               | mov                 rax, qword ptr [rsi]
            //   4889442468           | mov                 qword ptr [rsp + 0x68], rax
            //   488b02               | mov                 rax, qword ptr [rdx]
            //   4889cb               | mov                 rbx, rcx

        $sequence_3 = { 4c0f44d8 e9???????? 498b4510 493b4518 0f83d0030000 0fb700 6683f8ff }
            // n = 7, score = 100
            //   4c0f44d8             | cmove               r11, rax
            //   e9????????           | jmp                 <rel32 wildcarded>
            //   498b4510             | mov                 rax, qword ptr [r13 + 0x10]
            //   493b4518             | cmp                 rax, qword ptr [r13 + 0x18]
            //   0f83d0030000         | jae                 <+0x3d0>
            //   0fb700               | movzx               eax, word ptr [rax]
            //   6683f8ff             | cmp                 ax, 0xffff

        $sequence_4 = { e8???????? 488b8424f0000000 498d5520 488d8c2480010000 4889842468010000 e8???????? 4c89fa }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   488b8424f0000000     | mov                 rax, qword ptr [rsp + 0xf0]
            //   498d5520             | lea                 rdx, [r13 + 0x20]
            //   488d8c2480010000     | lea                 rcx, [rsp + 0x180]
            //   4889842468010000     | mov                 qword ptr [rsp + 0x168], rax
            //   e8????????           | call                <rel32 wildcarded>
            //   4c89fa               | mov                 rdx, r15

        $sequence_5 = { 4c8b48e8 4901d9 4d89c8 4183ff20 0f85ccfeffff 418b5120 85d2 }
            // n = 7, score = 100
            //   4c8b48e8             | mov                 r9, qword ptr [rax - 0x18]
            //   4901d9               | add                 r9, rbx
            //   4d89c8               | mov                 r8, r9
            //   4183ff20             | cmp                 r15d, 0x20
            //   0f85ccfeffff         | jne                 <-0x134>
            //   418b5120             | mov                 edx, dword ptr [r9 + 0x20]
            //   85d2                 | test                edx, edx

        $sequence_6 = { e8???????? 488945f8 488b45f8 483b4518 7320 0fbe4d20 488b4518 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   488945f8             | mov                 qword ptr [rbp - 8], rax
            //   488b45f8             | mov                 rax, qword ptr [rbp - 8]
            //   483b4518             | cmp                 rax, qword ptr [rbp + 0x18]
            //   7320                 | jae                 <+0x20>
            //   0fbe4d20             | movsx               ecx, byte ptr [rbp + 0x20]
            //   488b4518             | mov                 rax, qword ptr [rbp + 0x18]

        $sequence_7 = { 83e0df 83f845 0f8505e6ffff c744245800000000 4189dd 4531f6 c744244401000000 }
            // n = 7, score = 100
            //   83e0df               | and                 eax, 0xffffffdf
            //   83f845               | cmp                 eax, 0x45
            //   0f8505e6ffff         | jne                 <-0x19fb>
            //   c744245800000000     | mov                 dword ptr [rsp + 0x58], 0
            //   4189dd               | mov                 r13d, ebx
            //   4531f6               | xor                 r14d, r14d
            //   c744244401000000     | mov                 dword ptr [rsp + 0x44], 1

        $sequence_8 = { 498b4510 493b4518 0f8332010000 66662e0f1f840000000000 0f1f4000 440fb708 664183f9ff }
            // n = 7, score = 100
            //   498b4510             | mov                 rax, qword ptr [r13 + 0x10]
            //   493b4518             | cmp                 rax, qword ptr [r13 + 0x18]
            //   0f8332010000         | jae                 <+0x132>
            //   66662e0f1f840000000000     | nop    word ptr cs:[rax + rax]   (11-byte alignment nop)
            //   0f1f4000             | nop                 dword ptr [rax]    (4-byte alignment nop)
            //   440fb708             | movzx               r9d, word ptr [rax]
            //   664183f9ff           | cmp                 r9w, 0xffff

        $sequence_9 = { 488d442460 4889442428 e8???????? 8b542460 85d2 7521 488b3d???????? }
            // n = 7, score = 100
            //   488d442460           | lea                 rax, [rsp + 0x60]
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax
            //   e8????????           | call                <rel32 wildcarded>
            //   8b542460             | mov                 edx, dword ptr [rsp + 0x60]
            //   85d2                 | test                edx, edx
            //   7521                 | jne                 <+0x21>
            //   488b3d????????       | mov                 rdi, qword ptr [rip + <disp32 wildcarded>]

    condition:
        // Any 7 of the 10 code sequences must be present. The filesize cap
        // limits scan cost on large files; it is presumably derived from the
        // reference sample's size (see the disclaimer on single-sample rules).
        7 of them and filesize < 4444160
}