From BlackEnergy to ExPetr
Tags
| country: | Bangladesh Ukraine |
| attack-pattern: | Malware - T1587.001 Malware - T1588.001 |
Common Information
| Type | Value |
|---|---|
| UUID | 85440ebf-ba2e-4402-b991-0a9a0d87231e |
| Fingerprint | bd308011ace1c6a9 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | June 30, 2017, 9:39 p.m. |
| Added to db | Sept. 26, 2022, 9:30 a.m. |
| Last updated | Oct. 16, 2024, 1:08 a.m. |
| Headline | From BlackEnergy to ExPetr |
| Title | From BlackEnergy to ExPetr |
| Detected Hints/Tags/Attributes | 45/2/11 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://securelist.com/from-blackenergy-to-expetr/78937/ |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | File | 30 | shutdown.exe |
|
| Details | File | 10 | 'ntdll.dll |
|
| Details | sha256 | 11 | 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 |
|
| Details | sha256 | 3 | 11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80 |
|
| Details | sha256 | 1 | 5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6 |
|
| Details | sha256 | 1 | f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95 |
|
| Details | sha256 | 1 | 368d5c536832b843c6de2513baf7b11bcafea1647c65df7b6f2648840fa50f75 |
|
| Details | sha256 | 1 | a6a167e214acd34b4084237ba7f6476d2e999849281aa5b1b3f92138c7d91c7a |
|
| Details | sha256 | 1 | edbc90c217eebabb7a9b618163716f430098202e904ddc16ce9db994c6509310 |
|
| Details | sha256 | 1 | f9f3374d89baf1878854f1700c8d5a2e5cf40de36071d97c6b9ff6b55d837fca |
|
| Details | Yara rule | 1 | rule blackenergy_and_petya_similarities {
strings:
$bytes00 = { 73 00 68 00 75 00 74 00 64 00 6F 00 77 00 6E 00 2E 00 65 00 78 00 65 00 }
$bytes01 = { 43 00 6F 00 6D 00 53 00 70 00 65 00 63 00 }
$bytes02 = { 49 6E 69 74 69 61 74 65 53 79 73 74 65 6D 53 68 75 74 64 6F 77 6E 45 78 57 }
$bytes03 = { 68 ?? ?? ?1 ?0 FF 15 ?? ?? ?? ?0 3B C7 74 ?? }
$bytes04 = { 2F 00 63 00 }
$hex_string = { B9 ?? ?? ?1 ?0 8D 44 24 ?C 66 8B 10 66 3B 11 75 1E 66 85 D2 74 15 66 8B 50 02 66 3B 51 02 75 0F 83 C0 04 83 C1 04 66 85 D2 75 DE 33 C0 EB 05 1B C0 83 D8 FF 85 C0 0F 84 ?? 0? 00 00 B9 ?? ?? ?1 ?0 8D 44 24 ?C 66 8B 10 66 3B 11 75 1E 66 85 D2 74 15 66 8B 50 02 66 3B 51 02 75 0F 83 C0 04 83 C1 04 66 85 D2 75 DE 33 C0 EB 05 1B C0 83 D8 FF 85 C0 0F 84 ?? 0? 00 00 }
condition:
((uint16(0) == 0x5A4D)) and (filesize < 5000000) and (all of them)
} |