win.whiteblackcrypt

WhiteBlackCrypt

aka: WARYLOOK

There is no description at this point.

References
2022-01-31 — Medium — Sebdraven (Sébastien Larinier)
WhisperKill vs WhiteBlackCrypt: un petit soucis de fichiers…
WhiteBlackCrypt
2021-07-26 — CheckMal
WhiteBlackGroup Ransomware (.encrpt3d)
WhiteBlackCrypt
Yara Rules
[TLP:WHITE] win_whiteblackcrypt_auto (20251219 | Detects win.whiteblackcrypt.)
rule win_whiteblackcrypt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.whiteblackcrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Every sequence below contains REX prefixes (0x40-0x4d) and 64-bit
     *   register operands, so this signature covers an x86-64 build of the
     *   family. The mnemonic column originally published with this rule did
     *   not correspond to the hex bytes (e.g. 4889c1 is `mov rcx, rax`, not
     *   `and ax, 0xf000`); the annotations below are a fresh x86-64 decode of
     *   the bytes as written. `????????` marks a wildcarded rel32/disp32.
     * - $sequence_3 and $sequence_6 overlap in four opcodes
     *   (0f84d4000000 488b8b38020000 e8???????? 48c7c0ffffffff), so a hit on
     *   one nearly always implies the other; they are not independent
     *   evidence toward the "7 of them" threshold.
     * - `filesize` is undefined when YARA scans a live process, which makes
     *   the whole condition false there; expect matches only on files and
     *   saved memory dumps.
     */

    strings:
        $sequence_0 = { 40326c243e 31ef 4131fa 4531d6 4531f5 }
            // n = 5, score = 100
            //   40326c243e           | xor                 bpl, byte ptr [rsp + 0x3e]
            //   31ef                 | xor                 edi, ebp
            //   4131fa               | xor                 r10d, edi
            //   4531d6               | xor                 r14d, r10d
            //   4531f5               | xor                 r13d, r14d
            // chain of register xors; looks like part of an inlined mixing /
            // cipher round, but the surrounding code is not visible here

        $sequence_1 = { 7477 83feff 7c60 752e 488b8b38020000 }
            // n = 5, score = 100
            //   7477                 | je                  +0x77
            //   83feff               | cmp                 esi, -1
            //   7c60                 | jl                  +0x60
            //   752e                 | jne                 +0x2e
            //   488b8b38020000       | mov                 rcx, qword ptr [rbx + 0x238]
            // [rbx + 0x238] is loaded in $sequence_1/_3/_6 and stored in _6:
            // the same object field, read as the first call argument (rcx)

        $sequence_2 = { 410f94c2 4409d0 4109cb 753a }
            // n = 4, score = 100
            //   410f94c2             | sete                r10b
            //   4409d0               | or                  eax, r10d
            //   4109cb               | or                  r11d, ecx
            //   753a                 | jne                 +0x3a

        $sequence_3 = { ff15???????? 83f812 0f84d4000000 488b8b38020000 e8???????? 48c7c0ffffffff }
            // n = 6, score = 100
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   83f812               | cmp                 eax, 0x12
            //   0f84d4000000         | je                  +0xd4
            //   488b8b38020000       | mov                 rcx, qword ptr [rbx + 0x238]
            //   e8????????           | call                rel32
            //   48c7c0ffffffff       | mov                 rax, -1
            // compares an imported-function result against 0x12 (= 18);
            // which API and which error code is not established by the bytes

        $sequence_4 = { 0f840c010000 488d7c2420 4889da 41b804010000 4889f9 }
            // n = 5, score = 100
            //   0f840c010000         | je                  +0x10c
            //   488d7c2420           | lea                 rdi, [rsp + 0x20]
            //   4889da               | mov                 rdx, rbx
            //   41b804010000         | mov                 r8d, 0x104
            //   4889f9               | mov                 rcx, rdi
            // third argument 0x104 = 260, the usual MAX_PATH buffer length;
            // consistent with a path/string call taking a stack buffer in rcx

        $sequence_5 = { 4889c1 e8???????? 4889e9 4889c2 4883c428 5b }
            // n = 6, score = 100
            //   4889c1               | mov                 rcx, rax
            //   e8????????           | call                rel32
            //   4889e9               | mov                 rcx, rbp
            //   4889c2               | mov                 rdx, rax
            //   4883c428             | add                 rsp, 0x28
            //   5b                   | pop                 rbx
            // epilogue releasing a 0x28-byte frame (0x20 shadow space + 8
            // alignment) - typical Windows x64 calling-convention shape

        $sequence_6 = { 0f84d4000000 488b8b38020000 e8???????? 48c7c0ffffffff 48898338020000 }
            // n = 5, score = 100
            //   0f84d4000000         | je                  +0xd4
            //   488b8b38020000       | mov                 rcx, qword ptr [rbx + 0x238]
            //   e8????????           | call                rel32
            //   48c7c0ffffffff       | mov                 rax, -1
            //   48898338020000       | mov                 qword ptr [rbx + 0x238], rax
            // passes the field to a call, then overwrites it with -1
            // (INVALID_HANDLE_VALUE-like sentinel); see overlap note above

        $sequence_7 = { 4c89e1 41c6442cff00 e8???????? 4c39e6 }
            // n = 4, score = 100
            //   4c89e1               | mov                 rcx, r12
            //   41c6442cff00         | mov                 byte ptr [r12 + rbp - 1], 0
            //   e8????????           | call                rel32
            //   4c39e6               | cmp                 rsi, r12
            // writes a NUL at buffer[len - 1] before calling with the buffer

        $sequence_8 = { 4889f1 e8???????? 4889f1 85c0 7407 }
            // n = 5, score = 100
            //   4889f1               | mov                 rcx, rsi
            //   e8????????           | call                rel32
            //   4889f1               | mov                 rcx, rsi
            //   85c0                 | test                eax, eax
            //   7407                 | je                  +0x07

        $sequence_9 = { 4401e6 4d63c4 4889f9 4989d9 ba01000000 }
            // n = 5, score = 100
            //   4401e6               | add                 esi, r12d
            //   4d63c4               | movsxd              r8, r12d
            //   4889f9               | mov                 rcx, rdi
            //   4989d9               | mov                 r9, rbx
            //   ba01000000           | mov                 edx, 1
            // four-argument call setup: rcx=rdi, edx=1, r8=sign-extended
            // r12d, r9=rbx

    condition:
        // 7 of 10 code sequences; the size bound targets the small unpacked
        // binary this rule was generated from and is not evaluated for
        // live-process scans (see REVIEW NOTES)
        7 of them and filesize < 99328
}
[TLP:WHITE] win_whiteblackcrypt_w0   (20220318 | Matches strings seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w0 {
    meta:
        author= "Silas Cutler (silas@Stairwell.com)"
        description = "Matches strings seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
		malpedia_version = "20220318"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
    strings:
        // All strings are plain ASCII (no `wide`); a UTF-16 build or a
        // UTF-16 copy of these values would not match.

        // Extension appended to encrypted files (also the extension named in
        // the CheckMal write-up referenced on this page).
        $ = ".encrpt3d"
        // Hard-coded executable path under ProgramData. Together with the Run
        // key string below this looks like an autostart copy of the payload,
        // but the rule alone does not establish that - verify dynamically.
        $ = "C:\\ProgramData\\CheckServiceD.exe"
        // Environment-variable name; common in benign binaries.
        $ = "HOMEDRIVE"
        // Opaque constant from the sample; its role is not established here.
        $ = "ye64T0p"
        // Environment-variable name; common in benign binaries.
        $ = "USERPROFILE"
        // Generic autorun registry path; present in countless benign and
        // malicious programs.
        $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    condition:
        // 5 of 6: since three strings are generic, at least two of the three
        // sample-specific values (.encrpt3d, CheckServiceD.exe, ye64T0p)
        // must be present for a hit.
        5 of them
}
[TLP:WHITE] win_whiteblackcrypt_w1   (20220318 | Matches file extensions seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w1 {
    meta:
        author= "Silas Cutler (silas@Stairwell.com)"
        description = "Matches file extensions seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
		malpedia_version = "20220318"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
    strings:
        // Each hex string is a run of NUL-terminated ASCII extensions exactly
        // as laid out in the binary's target-extension table; the order and
        // the 0x00 separators are part of the match, so a reordered or
        // differently delimited table will not hit.
        //
        // NOTE(review): extension tables like these are frequently copied
        // between ransomware families. Treat a hit as "carries this
        // extension table", not as family attribution, unless _w0 or _w2
        // (or the code-based _auto rule) corroborates it.

        // ".VMDK\0.VMX\0.GPG\0.AES\0.ARC\0.PAQ\0.BZ2\0.TBK\0.BAK\0.TAR\0.TGZ\0"
        // (VM images, encrypted containers, archives and backups)
        $ = {2E 56 4D 44 4B 00 2E 56 4D 58 00 2E 47 50 47 00 2E 41 45 53 00 
             2E 41 52 43 00 2E 50 41 51 00 2E 42 5A 32 00 2E 54 42 4B 00 2E 
             42 41 4B 00 2E 54 41 52 00 2E 54 47 5A 00}
        // ".PPAM\0.POTX\0.POTM\0.EDB\0.HWP\0.602\0.SXI\0.STI\0.SLDX\0.SLDM\0"
        // (office/presentation formats, Exchange EDB, Hangul HWP)
        $ = {2E 50 50 41 4D 00 2E 50 4F 54 58 00 2E 50 4F 54 4D 00 2E 45 44
             42 00 2E 48 57 50 00 2E 36 30 32 00 2E 53 58 49 00 2E 53 54 49 
             00 2E 53 4C 44 58 00 2E 53 4C 44 4D 00}
        // ".IBD\0.MYI\0.MYD\0.FRM\0.ODB\0.DBF\0.DB\0.MDB\0.ACCDB\0.SQL\0.SQLITEDB\0"
        // (MySQL, Access, dBase and SQLite database files)
        $ = {2E 49 42 44 00 2E 4D 59 49 00 2E 4D 59 44 00 2E 46 52 4D 00 2E
        	 4F 44 42 00 2E 44 42 46 00 2E 44 42 00 2E 4D 44 42 00 2E 41 43 
        	 43 44 42 00 2E 53 51 4C 00 2E 53 51 4C 49 54 45 44 42 00}
    condition:
        // all three table fragments must be present
        3 of them
}
[TLP:WHITE] win_whiteblackcrypt_w2   (20220318 | Matches ransom note seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w2 {
    meta:
        author= "Silas Cutler (silas@Stairwell.com)"
        description = "Matches ransom note seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
		malpedia_version = "20220318"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
    strings:
        // Ransom-note fragments, matched verbatim. The grammar and spelling
        // errors ("files has", "cant", "recieve", "moneys") are part of the
        // sample text and must NOT be "corrected" - doing so breaks the match.
        // All strings are ASCII-only; if the note is found written to disk
        // as UTF-16 this rule will not fire on the dropped file, only on the
        // binary that embeds the template.

        // Opening line of the note, including the 10 BTC demand.
		$ = "Your files has been ENCRYPTED! Now, you cant access them, but they are not deleted. We need to get 10 BTC at the specified address:"
        // Bitcoin payment address from the sample - a single-sample IOC that
        // may change between builds.
		$ = "19B5Bt11oUqYnwSXfBgRpwwDGg5Ajirbjn"
        // Promised recovery steps (RSA private key + decryptor link by mail).
		$ = "we will send text document to you mail with a PRIVATE RSA key, and a link to a program, that can decrypt"
		$ = "all files on every computer, encrypted with this program"
		$ = "If we recieve moneys, "
		$ = "for acquiring decryption key, please send us"
		$ = "address of your bitcoin wallet."
    condition:
        // 3 of 7 note fragments; loose enough to survive minor rewording of
        // one or two sentences, but the shorter generic fragments can also
        // co-occur in other English-language ransom notes - review hits.
        3 of them
}