
Pandora


Pandora ransomware was obtained by vx-underground on 2022-03-14.

References
2022-06-23 Secureworks — Counter Threat Unit Research Team
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster BRONZE STARLIGHT
2022-05-12 Cloudsek — Anandeshwar Unnikrishnan
Technical Analysis of Emerging, Sophisticated Pandora Ransomware Group
Pandora
2022-05-09 Microsoft — Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-09 Microsoft Security — Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-04-19 Fortinet — Gergely Revay
Using Emulation Against Anti-Reverse Engineering Techniques
Pandora
2022-04-07 Fortinet — Gergely Revay, Shunichi Imano
Looking Inside Pandora’s Box
Pandora
2022-03-21 VinCSS — m4n0w4r, Tran Trung Kien
[QuickNote] Analysis of Pandora ransomware
Pandora
2022-03-16 Dissecting Malware — Marius Genheimer
Quick revs: Pandora Ransomware - The Box has been open for a while...
Pandora
2022-03-15 cyble — Cyble
Deep Dive Analysis - Pandora Ransomware
Pandora Rook
Yara Rules
[TLP:WHITE] win_pandora_auto (20260504 | Detects win.pandora.)
rule win_pandora_auto {

    /* Purpose: autogenerated code-sequence signature for the Pandora
     * ransomware family (Malpedia id win.pandora). It declares ten short
     * opcode byte sequences ($sequence_0 .. $sequence_9) taken from the
     * disassembly of unpacked samples / memory dumps and fires when at
     * least seven of them occur in a file smaller than 1,032,192 bytes
     * (1008 KiB). The REX prefixes (48/4c/41/49/45) in the sequences
     * show this is 64-bit code.
     *
     * NOTE(review): the mnemonic column in the per-byte comments below does
     * NOT correspond to the bytes on the left (e.g. 488bc8 is annotated
     * "dec eax", but with the 48h REX.W prefix it decodes to mov rcx, rax).
     * Only the hex byte sequences are matched by YARA; treat them as
     * authoritative and do not use the mnemonics for triage or tuning.
     * The ?? wildcards mask bytes that vary between builds/relocations
     * (e.g. the rel32 target following an e8 call opcode, RIP-relative
     * displacements).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.pandora."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488bc8 4c8975d0 4c03e7 4889442458 e8???????? 85c0 0f840e040000 }
            // n = 7, score = 100
            //   488bc8               | dec                 eax
            //   4c8975d0             | mov                 dword ptr [esi + 0x18], 0x30
            //   4c03e7               | dec                 eax
            //   4889442458           | add                 esp, 0x40
            //   e8????????           |                     
            //   85c0                 | pop                 ebp
            //   0f840e040000         | ret                 

        $sequence_1 = { f30f7f0b 4883c310 4883c510 4883ef10 0f1136 4983ef10 0f8577ffffff }
            // n = 7, score = 100
            //   f30f7f0b             | inc                 esp
            //   4883c310             | xor                 esp, dword ptr [esi + ecx*4 + 0x709b0]
            //   4883c510             | movzx               ecx, byte ptr [ebp - 4]
            //   4883ef10             | inc                 esp
            //   0f1136               | xor                 esp, dword ptr [esi + ecx*4 + 0x70db0]
            //   4983ef10             | inc                 esp
            //   0f8577ffffff         | xor                 esp, dword ptr [eax + 0x1c]

        $sequence_2 = { b940000000 418bc0 83e03f 2bc8 48d3cf 488d0d6683fcff 4933f8 }
            // n = 7, score = 100
            //   b940000000           | inc                 ebx
            //   418bc0               | mov                 edi, dword ptr [ebp + eax*4 + 0x701b0]
            //   83e03f               | inc                 ecx
            //   2bc8                 | xor                 edi, dword ptr [ebp + edx*4 + 0x711b0]
            //   48d3cf               | movzx               edx, cl
            //   488d0d6683fcff       | movzx               ecx, byte ptr [ebp - 0x20]
            //   4933f8               | inc                 ecx

        $sequence_3 = { c3 bad8000000 b901000000 e8???????? 48894308 4885c0 748a }
            // n = 7, score = 100
            //   c3                   | and                 edx, edi
            //   bad8000000           | not                 ecx
            //   b901000000           | inc                 esp
            //   e8????????           |                     
            //   48894308             | or                  edx, eax
            //   4885c0               | inc                 ecx
            //   748a                 | and                 ecx, ecx

        $sequence_4 = { 4885c0 0f84fa000000 488b4910 4885c9 0f84ed000000 48897c2470 0fb6780d }
            // n = 7, score = 100
            //   4885c0               | or                  cl, dl
            //   0f84fa000000         | inc                 ecx
            //   488b4910             | sub                 eax, eax
            //   4885c9               | shr                 eax, 8
            //   0f84ed000000         | not                 al
            //   48897c2470           | inc                 ecx
            //   0fb6780d             | and                 al, dl

        $sequence_5 = { 418bd2 448b64242c 4533ec d1c0 89442424 418bc0 }
            // n = 6, score = 100
            //   418bd2               | mov                 dword ptr [ebp + 0x40], edi
            //   448b64242c           | dec                 eax
            //   4533ec               | add                 edi, 0x18
            //   d1c0                 | test                ebx, ebx
            //   89442424             | jne                 0x1c36
            //   418bc0               | dec                 esp

        $sequence_6 = { 498d4e30 e8???????? 8bd8 4c8ba424e0000000 4c8bbc24e8000000 488d4dd7 e8???????? }
            // n = 7, score = 100
            //   498d4e30             | sar                 edx, cl
            //   e8????????           |                     
            //   8bd8                 | jne                 0x1215
            //   4c8ba424e0000000     | dec                 eax
            //   4c8bbc24e8000000     | lea                 ecx, [edi + 0x68]
            //   488d4dd7             | dec                 eax
            //   e8????????           |                     

        $sequence_7 = { ffc1 894d60 83f80a 0f8f2a030000 8bf2 8bc6 ffc6 }
            // n = 7, score = 100
            //   ffc1                 | xor                 edx, edx
            //   894d60               | inc                 ebp
            //   83f80a               | add                 ecx, edx
            //   0f8f2a030000         | inc                 ebp
            //   8bf2                 | or                  eax, ecx
            //   8bc6                 | inc                 esp
            //   ffc6                 | mov                 dword ptr [esp + 0x80], ecx

        $sequence_8 = { 488d6c24e0 4881ec20010000 4533ff c744242801000000 44393d???????? 488d3d17340600 0f57c0 }
            // n = 7, score = 100
            //   488d6c24e0           | mov                 eax, edx
            //   4881ec20010000       | inc                 ecx
            //   4533ff               | not                 eax
            //   c744242801000000     | inc                 ecx
            //   44393d????????       |                     
            //   488d3d17340600       | add                 edi, esi
            //   0f57c0               | inc                 ebp

        $sequence_9 = { 0f8580000000 41be80b2ffff 4c8bbc2498000000 483bafe8000000 488bf3 4c8b6c2458 480f45f5 }
            // n = 7, score = 100
            //   0f8580000000         | inc                 ecx
            //   41be80b2ffff         | pop                 ebp
            //   4c8bbc2498000000     | dec                 eax
            //   483bafe8000000       | mov                 ebp, dword ptr [esp + 0x70]
            //   488bf3               | dec                 esp
            //   4c8b6c2458           | sub                 esi, esi
            //   480f45f5             | dec                 eax

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 1,032,192 bytes (1008 KiB); larger
        // inputs never match. No PE-header or module check is applied, so
        // the rule is usable on raw memory dumps as well as files on disk;
        // if you only scan on-disk executables, a leading
        // uint16(0) == 0x5a4d would narrow it to PE files.
        7 of them and filesize < 1032192
}