BianLian Ransomware Encrypts Files in the Blink of an Eye
Tags
country: | Australia, China, United Kingdom, United States Of America |
maec-delivery-vectors: | Watering Hole |
attack-pattern: | Data Firmware - T1592.003, Malicious File - T1204.002, Malware - T1587.001, Malware - T1588.001 |
Common Information
Type | Value |
---|---|
UUID | b61e496d-713e-4496-bfe3-80ade07dfd5a |
Fingerprint | 2730197926339e99 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Oct. 13, 2022, 1:01 a.m. |
Added to db | Dec. 15, 2022, 10:44 a.m. |
Last updated | Nov. 17, 2024, 12:55 p.m. |
Headline | BianLian Ransomware Encrypts Files in the Blink of an Eye |
Title | BianLian Ransomware Encrypts Files in the Blink of an Eye |
Detected Hints/Tags/Attributes | 82/3/26 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 56 | ✔ | Latest Articles - BlackBerry Blogs | https://blogs.blackberry.com/en/feed.rss | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 33 | www.apache.org |
Details | Domain | 66 | redacted.com |
Details | Domain | 65 | blog.cyble.com |
Details | Domain | 10 | go.dev |
Details | Domain | 2 | golangbot.com |
Details | Domain | 8 | pkg.go.dev |
Details | Domain | 207 | learn.microsoft.com |
Details | Domain | 37 | www.blackberry.com |
Details | File | 3 | anabolic.exe |
Details | File | 13 | instruction.txt |
Details | File | 1 | bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html |
Details | sha256 | 4 | 46d340eaf6b78207e24b6011422f1a5b4a566e493d72365c6a1cace11c36b28b |
Details | sha256 | 2 | 117a057829cd9abb5fba20d3ab479fc92ed64c647fdc1b7cd4e0f44609d770ea |
Details | sha256 | 7 | 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43 |
Details | sha256 | 5 | eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2 |
Details | sha256 | 1 | cbab4614a2cdd65eb619a4dd0b5e726f0a94483212945f110694098194f77095 |
Details | Url | 20 | https://www.apache.org/licenses/license-2.0 |
Details | Url | 1 | https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go |
Details | Url | 1 | https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise |
Details | Url | 1 | https://go.dev/src/cmd/go/internal/work/buildid.go |
Details | Url | 2 | https://golangbot.com/goroutines |
Details | Url | 1 | https://pkg.go.dev/crypto |
Details | Url | 1 | https://learn.microsoft.com/en-us |
Details | Url | 1 | https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html |
Details | Url | 17 | https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment |
Details | Yara rule | 1 | BianLian_Go_Ransomware (rule text below) |

```yara
rule BianLian_Go_Ransomware
{
    meta:
        description = "Detects BianLian ransomware"
        author = "BlackBerry Threat Research Team"
        date = "2022-09-13"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to the BlackBerry Research & Intelligence Team"

    strings:
        $s1 = "trimpath=/home/jack/Projects/project1/"
        $s2 = "common.BuildPath"
        $s3 = "common.GetBlocksAmount"
        $s4 = "common.GetDrives"
        $s5 = "common.GetBlockSize"
        $s6 = "common.FileRename"
        $s7 = "common.GetFileExtension"
        $s8 = "exec.(*Cmd).Start.func1"
        $s9 = "exec.(*Cmd).Start.func2"
        $s10 = "exec.(*Cmd).Start.func3"
        $s11 = "CryptBlocks"

    condition:
        uint16(0) == 0x5a4d and all of them
}
```