{"group":"blackbyte","count":1,"rules":[{"rule_name":"BlackByte.yar","rule_text":"/*\nBlackByte ransomware\n*/\n\n\nrule BlackByte\n{\n    meta:\n        author = \"rivitna\"\n        family = \"ransomware.hive\"\n        description = \"BlackByte ransomware Windows payload\"\n        severity = 10\n        score = 100\n\n    strings:\n        // String decryption\n        $h0 = { 83 E? 05 48 83 C? 01 88 4? FF 4? 39 ?? (74 | 75) ?? }\n\n        $s0 = \"\\x00main.RSA\\x00\" ascii\n        $s1 = \"\\x00main._Cfunc_Begin\\x00\" ascii\n        $s2 = \"\\x00main._Cfunc_Inj\\x00\" ascii\n        $s3 = \"\\x00main.Inja\" ascii\n        $s4 = \"\\x00main.SetWinVer\\x00\" ascii\n        $s5 = \"\\x00main.DelShadows\" ascii\n        $s6 = \"\\x00main.StartNetworkS\" ascii\n        $s7 = \"\\x00main.EnableLink\" ascii\n        $s8 = \"\\x00main.EnableLongPaths\" ascii\n        $s9 = \"\\x00main.GrantAll\" ascii\n        $s10 = \"\\x00main.LanScan\" ascii\n        $s11 = \"\\x00main.SetupKey\\x00\" ascii\n        $s12 = \"\\x00main.PbKey\\x00\" ascii\n        $s13 = \"\\x00main.Pognali\" ascii\n        $s14 = \"\\x00main.ShowNote\" ascii\n        $s15 = \"\\x00main.MountDrives\" ascii\n        $s16 = \"\\x00main.StopAllsvc\" ascii\n        $s17 = \"\\x00main.GenDrives\" ascii\n        $s18 = \"\\x00main.ParsePC\" ascii\n        $s19 = \"\\x00main.GetAccess\" ascii\n        $s20 = \"\\x00main.KillHypers\" ascii\n        $s21 = \"\\x00main.ParseHypers\" ascii\n        $s22 = \"\\x00main.Aes256Encr\\x00\" ascii\n        $s23 = \"\\x00main.Aes256Decr\\x00\" ascii\n\n    condition:\n        ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and\n        (\n            (1 of ($h*)) or (4 of ($s*))\n        )\n}","sha256":"00f14d694f71526593c72be0c7ddce0518037dd53e4088bf9720840b0f916bed","byte_size":1520,"updated_at":"2026-06-24 05:15:59"}]}