YARA rules for BlackEnergy
8 rules · scoped to tool · back to BlackEnergy
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule BlackEnergy_BE_2 {
meta:
description = "Detects BlackEnergy 2 Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/DThzLz"
date = "2015/02/19"
hash = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77"
id = "c93991b9-77e8-5a73-80ef-e21df770c3a5"
strings:
$s0 = "<description> Windows system utility service </description>" fullword ascii
$s1 = "WindowsSysUtility - Unicode" fullword wide
$s2 = "msiexec.exe" fullword wide
$s3 = "WinHelpW" fullword ascii
$s4 = "ReadProcessMemory" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 250KB and all of ($s*)
}
rule BlackEnergy_VBS_Agent {
meta:
description = "Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
date = "2016-01-03"
hash = "b90f268b5e7f70af1687d9825c09df15908ad3a6978b328dc88f96143a64af0f"
id = "0876f752-d476-5706-918e-edfda9bd7928"
strings:
$s0 = "WshShell.Run \"dropbear.exe -r rsa -d dss -a -p 6789\", 0, false" fullword ascii
$s1 = "WshShell.CurrentDirectory = \"C:\\WINDOWS\\TEMP\\Dropbear\\\"" fullword ascii
$s2 = "Set WshShell = CreateObject(\"WScript.Shell\")" fullword ascii /* Goodware String - occured 1 times */
condition:
filesize < 1KB and 2 of them
}
rule BlackEnergy_BackdoorPass_DropBear_SSH {
meta:
description = "Detects the password of the backdoored DropBear SSH Server - BlackEnergy"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
date = "2016-01-03"
hash = "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd"
id = "60db00dd-72b3-5a28-90de-2a397b1e007b"
strings:
$s1 = "passDs5Bu9Te7" fullword ascii
condition:
uint16(0) == 0x5a4d and $s1
}
rule BlackEnergy_KillDisk_1 {
meta:
description = "Detects KillDisk malware from BlackEnergy"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
date = "2016-01-03"
score = 80
super_rule = 1
hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
hash3 = "c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d"
hash4 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"
id = "304e7aa3-48d3-5015-aaf1-6b1df2441b75"
strings:
$s0 = "system32\\cmd.exe" fullword ascii
$s1 = "system32\\icacls.exe" fullword wide
$s2 = "/c del /F /S /Q %c:\\*.*" fullword ascii
$s3 = "shutdown /r /t %d" fullword ascii
$s4 = "/C /Q /grant " fullword wide
$s5 = "%08X.tmp" fullword ascii
$s6 = "/c format %c: /Y /X /FS:NTFS" fullword ascii
$s7 = "/c format %c: /Y /Q" fullword ascii
$s8 = "taskhost.exe" fullword wide /* Goodware String - occured 1 times */
$s9 = "shutdown.exe" fullword wide /* Goodware String - occured 1 times */
condition:
uint16(0) == 0x5a4d and filesize < 500KB and 8 of them
}
rule BlackEnergy_KillDisk_2 {
meta:
description = "Detects KillDisk malware from BlackEnergy"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
date = "2016-01-03"
modified = "2023-01-06"
score = 80
super_rule = 1
hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
hash3 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"
id = "f0304e87-a278-5963-9af0-935c088c00ec"
strings:
$s0 = "%c:\\~tmp%08X.tmp" fullword ascii
$s1 = "%s%08X.tmp" fullword ascii
$s2 = ".exe.sys.drv.doc.docx.xls.xlsx.mdb.ppt.pptx.xml.jpg.jpeg.ini.inf.ttf" wide
$s3 = "%ls_%ls_%ls_%d.~tmp" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 500KB and 3 of them
}
rule BlackEnergy_Driver_USBMDM {
meta:
description = "Black Energy Driver"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
date = "2016-01-04"
super_rule = 1
hash1 = "7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094"
hash2 = "b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a"
hash3 = "edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281"
hash4 = "ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc"
hash5 = "7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291"
hash6 = "405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5"
hash7 = "244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5"
hash8 = "edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf"
id = "d5e8faf0-38cb-5193-b859-83ea09278011"
strings:
$s1 = "USB MDM Driver" fullword wide
$s2 = "KdDebuggerNotPresent" fullword ascii /* Goodware String - occured 50 times */
$s3 = "KdDebuggerEnabled" fullword ascii /* Goodware String - occured 69 times */
condition:
uint16(0) == 0x5a4d and filesize < 180KB and all of them
}
rule BlackEnergy_Driver_AMDIDE {
meta:
description = "Black Energy Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
date = "2016-01-04"
super_rule = 1
hash1 = "32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614"
hash2 = "3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2"
hash3 = "90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c"
hash4 = "97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1"
hash5 = "5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc"
hash6 = "cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988"
hash7 = "1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68"
id = "e5b57c33-87f7-5411-995c-384e0afa0348"
strings:
$s1 = " AMD IDE driver" fullword wide
$s2 = "SessionEnv" fullword wide
$s3 = "\\DosDevices\\{C9059FFF-1C49-4445-83E8-" wide
$s4 = "\\Device\\{C9059FFF-1C49-4445-83E8-" wide
condition:
uint16(0) == 0x5a4d and filesize < 150KB and all of them
}
rule blackenergy3_installer
{
meta:
author = "Mike Schladt"
date = "2015-05-29"
description = "Matches unique code block for import name construction "
md5 = "78387651DD9608FCDF6BFB9DF8B84DB4"
sha1 = "78636F7BBD52EA80D79B4E2A7882403092BBB02D"
reference = "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
id = "4afeb7ac-ce8d-506c-9c97-db7ec6102490"
strings:
$import_names = { C7 45 D0 75 73 65 72 C7 45 D4 33 32 2E 64 66 C7 45 D8 6C 6C 88 5D DA C7 45 84 61 64 76 61 C7 45 88 70 69 33 32 C7 45 8C 2E 64 6C 6C 88 5D 90 C7 45 B8 77 69 6E 69 C7 45 BC 6E 65 74 2E C7 45 C0 64 6C 6C 00 C7 45 C4 77 73 32 5F C7 45 C8 33 32 2E 64 66 C7 45 CC 6C 6C 88 5D CE C7 45 94 73 68 65 6C C7 45 98 6C 33 32 2E C7 45 9C 64 6C 6C 00 C7 45 E8 70 73 61 70 C7 45 EC 69 2E 64 6C 66 C7 45 F0 6C 00 C7 85 74 FF FF FF 6E 65 74 61 C7 85 78 FF FF FF 70 69 33 32 C7 85 7C FF FF FF 2E 64 6C 6C 88 5D 80 C7 85 64 FF FF FF 6F 6C 65 61 C7 85 68 FF FF FF 75 74 33 32 C7 85 6C FF FF FF 2E 64 6C 6C 88 9D 70 FF FF FF C7 45 DC 6F 6C 65 33 C7 45 E0 32 2E 64 6C 66 C7 45 E4 6C 00 C7 45 A0 76 65 72 73 C7 45 A4 69 6F 6E 2E C7 45 A8 64 6C 6C 00 C7 85 54 FF FF FF 69 6D 61 67 C7 85 58 FF FF FF 65 68 6C 70 C7 85 5C FF FF FF 2E 64 6C 6C 88 9D 60 FF FF FF C7 45 AC 61 70 70 68 C7 45 B0 65 6C 70 2E C7 45 B4 64 6C 6C 00 C7 45 F4 2E 64 6C 6C 88 5D F8 }
condition :
any of them
}