win.nightsky

NightSky

aka: Night Sky

There is no description at this point. What the references below establish: Night Sky is a ransomware family first reported in early January 2022 in intrusions against corporate networks; the Microsoft and Secureworks reporting ties its deployment to the China-based operator tracked as DEV-0401 / BRONZE STARLIGHT, which gained access by exploiting Log4Shell (the Log4j 2 vulnerability) in VMware Horizon and which also uses HUI Loader; the OALabs video covers unpacking a VMProtect 3 (x64)-protected sample, which matters for the YARA rule below since its byte sequences come from unpacked code.

References
2022-06-23 — Secureworks — Counter Threat Unit Research Team
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster BRONZE STARLIGHT
2022-05-09 — Microsoft — Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-02-01 — YouTube (OALabs) — OALabs
How To Unpack VMProtect 3 (x64) Night Sky Ransomware With VMPDump [Patreon Unlocked]
NightSky
2022-01-25 — Cynet — Orion Threat Research and Intelligence Team
Threats Looming Over the Horizon
Cobalt Strike Meterpreter NightSky
2022-01-11 — Twitter (@cglyer) — Christopher Glyer
Thread on DEV-0401, a China-based ransomware operator exploiting VMware Horizon with Log4Shell and deploying NightSky ransomware
Cobalt Strike NightSky
2022-01-11 — Twitter (@cglyer) — Christopher Glyer
Tweet on CN based ransomware operator using log4shell to deploy NightSky
NightSky BRONZE STARLIGHT
2022-01-06 — BleepingComputer
Night Sky is the latest ransomware targeting corporate networks
NightSky
2021-12-11 — Microsoft — Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability
Khonsari NightSky BRONZE STARLIGHT
Yara Rules
[TLP:WHITE] win_nightsky_auto (20260504 | Detects win.nightsky.)
rule win_nightsky_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.nightsky."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightsky"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - All ten sequences are x86-64 code (REX prefixes 48/4c/4d/41/44/45/47,
     *   rsp-relative stack slots) taken from unpacked code. Public reporting on
     *   this family (see the OALabs reference) describes a VMProtect 3 (x64)
     *   protected sample, so expect the rule to MISS packed binaries on disk and
     *   to fire on process memory dumps or unpacked images instead.
     * - The "????????" wildcards stand for rel32 call/jmp targets (e8/e9),
     *   RIP-relative import thunks (ff15) and RIP-relative data references
     *   (488905/488b05/488b0d), which differ between builds; the signator_config
     *   "callsandjumps;datarefs" is what produces this masking.
     * - The inline disassembly annotations were re-derived from the hex bytes;
     *   the generator's emitted annotations did not line up with the sequences
     *   (e.g. "cc" had been annotated as "dec eax") and are not to be relied on.
     * - Condition: at least 7 of the 10 sequences, on inputs below ~18.6 MiB.
     *   There is deliberately no MZ/PE header check, so the rule also applies to
     *   raw memory regions; add uint16(0) == 0x5a4d only if you scan files only.
     */

    strings:
        $sequence_0 = { 72e3 488b542428 488bce ff15???????? 488d1596f00300 488bce ff15???????? }
            // n = 7, score = 100
            //   72e3                 | jb                  short (rel8 -0x1d)
            //   488b542428           | mov                 rdx, qword ptr [rsp + 0x28]
            //   488bce               | mov                 rcx, rsi
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488d1596f00300       | lea                 rdx, [rip + 0x3f096]
            //   488bce               | mov                 rcx, rsi
            //   ff15????????         | call                qword ptr [rip + disp32]

        $sequence_1 = { ff15???????? 488b7c2438 488b5c2430 488b6c2440 b801000000 4883c420 }
            // n = 6, score = 100
            // Function epilogue: callee-saved registers restored from the home
            // area, return value 1 in eax, 0x20-byte shadow space released.
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488b7c2438           | mov                 rdi, qword ptr [rsp + 0x38]
            //   488b5c2430           | mov                 rbx, qword ptr [rsp + 0x30]
            //   488b6c2440           | mov                 rbp, qword ptr [rsp + 0x40]
            //   b801000000           | mov                 eax, 1
            //   4883c420             | add                 rsp, 0x20

        $sequence_2 = { 66440fbec4 488bac2490000000 48ffcf 66418bf9 400f99c7 f7d5 4d0fbfce }
            // n = 7, score = 100
            //   66440fbec4           | movsx               r8w, spl
            //   488bac2490000000     | mov                 rbp, qword ptr [rsp + 0x90]
            //   48ffcf               | dec                 rdi
            //   66418bf9             | mov                 di, r9w
            //   400f99c7             | setns               dil
            //   f7d5                 | not                 ebp
            //   4d0fbfce             | movsx               r9, r14w

        $sequence_3 = { 488bd9 488d05e1b20000 488981a0000000 c7411c01000000 c781c800000001000000 c6817401000043 c681f701000043 }
            // n = 7, score = 100
            // Object/struct initialisation through rcx: a code/data pointer at
            // +0xa0, two dword fields set to 1, two byte fields set to 0x43 ('C').
            //   488bd9               | mov                 rbx, rcx
            //   488d05e1b20000       | lea                 rax, [rip + 0xb2e1]
            //   488981a0000000       | mov                 qword ptr [rcx + 0xa0], rax
            //   c7411c01000000       | mov                 dword ptr [rcx + 0x1c], 1
            //   c781c800000001000000     | mov    dword ptr [rcx + 0xc8], 1
            //   c6817401000043       | mov                 byte ptr [rcx + 0x174], 0x43
            //   c681f701000043       | mov                 byte ptr [rcx + 0x1f7], 0x43

        $sequence_4 = { 488905???????? 488b05???????? 488905???????? e8???????? e8???????? 488d542460 48c744245000000000 }
            // n = 7, score = 100
            //   488905????????       | mov                 qword ptr [rip + disp32], rax
            //   488b05????????       | mov                 rax, qword ptr [rip + disp32]
            //   488905????????       | mov                 qword ptr [rip + disp32], rax
            //   e8????????           | call                rel32
            //   e8????????           | call                rel32
            //   488d542460           | lea                 rdx, [rsp + 0x60]
            //   48c744245000000000     | mov    qword ptr [rsp + 0x50], 0

        $sequence_5 = { 442bc0 488d058c3d0100 4489742440 4c8b742450 4c8d4c2448 488d942420070000 }
            // n = 6, score = 100
            //   442bc0               | sub                 r8d, eax
            //   488d058c3d0100       | lea                 rax, [rip + 0x13d8c]
            //   4489742440           | mov                 dword ptr [rsp + 0x40], r14d
            //   4c8b742450           | mov                 r14, qword ptr [rsp + 0x50]
            //   4c8d4c2448           | lea                 r9, [rsp + 0x48]
            //   488d942420070000     | lea                 rdx, [rsp + 0x720]

        $sequence_6 = { 498bcc ff15???????? e9???????? 488b0d???????? 4c89bc2420250000 8b9148010000 }
            // n = 6, score = 100
            //   498bcc               | mov                 rcx, r12
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   e9????????           | jmp                 rel32
            //   488b0d????????       | mov                 rcx, qword ptr [rip + disp32]
            //   4c89bc2420250000     | mov                 qword ptr [rsp + 0x2520], r15
            //   8b9148010000         | mov                 edx, dword ptr [rcx + 0x148]

        $sequence_7 = { e9???????? 33c9 ff15???????? cc 4c8bdc 53 56 }
            // n = 7, score = 100
            // A no-return call (the int3 after it is padding) followed by the
            // prologue of the next function (r11 = frame pointer, pushes).
            //   e9????????           | jmp                 rel32
            //   33c9                 | xor                 ecx, ecx
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   cc                   | int3
            //   4c8bdc               | mov                 r11, rsp
            //   53                   | push                rbx
            //   56                   | push                rsi

        $sequence_8 = { 8bcb 48c1e908 0fb6d1 418bc9 48c1e918 478ba485106d0500 4c897df0 }
            // n = 7, score = 100
            // Byte extraction feeding a scaled table load; looks like a
            // table-driven transform (e.g. a T-table/S-box lookup) — unconfirmed.
            //   8bcb                 | mov                 ecx, ebx
            //   48c1e908             | shr                 rcx, 8
            //   0fb6d1               | movzx               edx, cl
            //   418bc9               | mov                 ecx, r9d
            //   48c1e918             | shr                 rcx, 0x18
            //   478ba485106d0500     | mov                 r12d, dword ptr [r13 + r8*4 + 0x56d10]
            //   4c897df0             | mov                 qword ptr [rbp - 0x10], r15

        $sequence_9 = { 488bee 4885db 0f8493000000 4533f6 0f1f4000 4885ed }
            // n = 6, score = 100
            //   488bee               | mov                 rbp, rsi
            //   4885db               | test                rbx, rbx
            //   0f8493000000         | je                  rel32 +0x93
            //   4533f6               | xor                 r14d, r14d
            //   0f1f4000             | nop                 dword ptr [rax]
            //   4885ed               | test                rbp, rbp

    condition:
        7 of them and filesize < 19536896
}